Personal data means all data about you or your personal situation. This includes information that enables you to be identified, even if the information itself is not directly about you.
CZ also processes data about businesses, such as healthcare providers. Data about businesses are not personal data. However, data about their employees, individual healthcare providers or customers are personal data.
- For what purposes are your personal data processed?
- How long are your personal data kept?
- What are your rights?
- How can you exercise your rights?
- How are your personal data protected?
- How do we handle your personal data when using WhatsApp?
- How can you get in touch with your health insurer?
1. For what purposes are your personal data processed?
CZ needs to record and process personal data in order to implement the provisions of the Healthcare Insurance Act and administer the policies and claims of people who are insured with CZ. To be able to identify people specifically, CZ keeps a record of the Dutch personal identification number (BSN) of every person with CZ insurance; this is required by law.
CZ also uses your personal data for various other purposes, but only to the extent necessary for the specific purpose.
CZ uses personal data for:
I. Assessment and acceptance
II. Concluding the contract and administering the policy
III. Commercial and direct marketing purposes
CZ may decide to outsource certain activities, though CZ remains responsible at all times for the processing of your personal data. CZ outsources activities to service providers like VECOZO and Vektis, among others. For example, healthcare providers can use VECOZO’s Insurance Details Check service (‘Controle op Verzekeringsgegevens’, COV) to look up the current insurance details of insured persons, i.e. their general and/or additional health insurance package. They can also use VECOZO to submit claims digitally to the right health insurer. Vektis helps healthcare professionals, patients’ organisations and public bodies to improve healthcare and to keep good healthcare accessible and affordable in the Netherlands. Vektis performs analyses of claims data for health insurers. In some cases, Vektis may provide data to third parties on health insurers’ behalf, for instance for scientific research or to fulfil a legal obligation.
Below, we explain in full what each of these 3 purposes entails.
I. Assessment and acceptance
CZ uses your personal data to check whether you are required by law to take out the general insurance. Under the Healthcare Insurance Act, a health insurer must, in principle, accept any person for the general insurance if that person is required by law to have this insurance.
CZ has been designated ‘institution of the place of residence’ (in Dutch: ‘orgaan van de woonplaats’) by the government for the purposes of Regulation (EC) No. 883/2004 on the coordination of social security systems. CZ processes your personal details when you register for a ‘Verdragspolis’, i.e. the insurance policy for Dutch residents who are not required by law to have health insurance.
For our most comprehensive additional dental insurance, CZ requests personal data concerning a person’s health in the framework of the acceptance policy, to assess whether the person qualifies for the insurance he or she is applying for. Such personal data concerning health are assessed under the responsibility of, respectively, the dental adviser or the medical adviser. As a result of the assessment, the person applying for insurance may be offered a policy other than the one requested.
Automated processing of the insurance application
When you apply for general insurance, additional medical expenses insurance or a ‘Verdragspolis’, your personal data are processed in an automated system. This system uses the information you entered on your application form, whether this was in print or in electronic form.
Data concerning health may also be processed when you apply for our most comprehensive additional dental insurance package. This will result in either your application being approved and you being able to take out the insurance, or in your application being rejected. You can always contact CZ to ask a question or submit a complaint about the automated processing of your application. Your question or complaint will be examined by a CZ employee.
II. Concluding the contract and administering the policy
CZ needs to have your personal data to conclude a contract with you for general insurance, additional medical expenses insurance or a ‘Verdragspolis’. Data concerning health are also needed to administer your policy and claims.
By ‘administer your policy and claims’ we mean: determine whether you are entitled to healthcare and/or the reimbursement of this care; pay the healthcare provider; settle your claims; collect premiums; provide services to you; determine how much you need to pay for the personal contribution and the compulsory and voluntary deductible; perform checks; combat fraud (including through an internal registration system); recover damages from third parties, including other insurers (such as the insurer of your travel insurance policy, the person who is liable for the loss or their liability insurer); survey insured persons on the quality of the healthcare; improve services (including technical support); provide groups of policyholders with information that is relevant to them; limit any payment arrears the policyholder may have with the health insurer; ensure that the policyholder no longer owes an administrative premium; handle complaints and disputes; and analyse data (including personal data) for risk management purposes (including keeping healthcare expenses in check) and for the purpose of purchasing healthcare.
To protect the interests of CZ, its employees and customers, and other financial institutions, we also process your personal data (which may include criminal data) for risk management and fraud prevention purposes. In this regard, CZ maintains a log of events (‘Gebeurtenissenadministratie’). CZ’s ‘Bureau Bijzonder Onderzoek’ (Special Investigations Bureau) department may decide to enter personal data from the log of events in an Internal Reference Index (IVR). If an event meets the criteria in the Protocol on the Incident Warning System for Financial Institutions, CZ records the relevant personal data in an Incident Register (IR), and in some cases in the External Reference Index (‘EVR’ – referred to below under ‘Exchanging data with third parties’). These registers do not only contain personal data. They also record data about healthcare providers. Entering your data in these registers enables us, among other things, to check whether you have ever committed fraud or attempted fraud. You or, in case you are a healthcare provider, your organisation will be informed if an entry is made in one of the registers. This usually happens before your data are entered in the registers, unless disclosure would compromise the investigation. In the latter case, you will be informed after the investigation is completed – provided that your entry in the IVR, IR or EVR is maintained.
Exchanging data with third parties
Your personal data are sometimes shared with or received from third parties. We will never sell your personal data to anyone. Examples of third parties with whom we share personal data are:
- CAK: CZ provides your Dutch personal identification number (BSN) and bank account details to the Dutch Central Administration Office (CAK) if you are eligible for reimbursement of your (compulsory) deductible. This is required by law;
- Municipal Executive: CZ exchanges personal data with the Municipal Executive in the municipality in which you live to prevent and reduce debts. This is required by law;
- Employers and member organisations: if you receive a discount on your premium because you are part of a group, CZ uses your personal data to periodically check with your employer or member organisation whether you are still entitled to this discount;
- Intermediary: if you take out insurance through an intermediary, exchange of personal data with the intermediary can also take place to the extent this is necessary for the intermediary to perform its duties, and to pay the commission. This only concerns policy details, never personal data concerning health;
- ‘Zorgkantoren’ care administration offices: to prevent healthcare being paid for both through the Dutch Long-Term Care Act and the general insurance, and to coordinate the healthcare insured on the basis of the health insurance and the Dutch Long-Term Care Act;
- ‘Sociale Verzekeringsbank’ (SVB): the SVB (the body that implements the Dutch national insurance schemes) receives personal data from ‘Zorgkantoren’ for the insured persons administration referred to in Section 35 of the Work and Income (Implementation Structure) Act, for payments charged to the personal care budget and for the related budget management;
- Supervisory bodies: CZ exchanges personal data with supervisory bodies (like the Dutch Healthcare Authority or the Dutch Data Protection Authority) if this is needed by the supervisory body to carry out its official duties. This is required by law;
- Other health-related bodies: CZ regularly receives requests from institutions such as university hospitals to use personal data (concerning health) for scientific research or for statistical purposes. This personal data is only provided if and to the extent that anonymous data will not suffice, the research is in the public interest, and requesting consent is not possible;
- Incident register: CZ maintains an incident register in which data, including personal data, are recorded. This register contains incidents that have, or may have, the effect that the interests, integrity or safety of insured persons, CZ, CZ staff and/or the financial sector as a whole are or could be put at stake. This can be an incident like submitting false claims, identity fraud, skimming, embezzlement at work, phishing, or deliberate deception;
- External Reference Index (EVR): this contains data, including personal data, about persons for whom it has been sufficiently established that their conduct poses or could pose a threat to the financial interests of CZ, CZ staff and/or persons insured by CZ. The data in the EVR can be viewed by participants of the Protocol on the Incident Warning System for Financial Institutions.
- The BRP register: health insurers receive personal details from the ‘Basis Registratie Personen’ or ‘BRP’, the register maintained by the Dutch government that records key personal data of persons living in the Netherlands;
- The Dutch government’s National Terrorism Sanction List: health insurers must check whether you appear on this list. If you do, this will be reported to ‘De Nederlandsche Bank’.
- Other insurers: we sometimes share data in order to reclaim losses or costs, for instance from your travel insurer in the event that it also provides cover that supplements your general insurance policy or additional insurance package, or from the liability insurer of a third party who caused the losses or costs.
- Healthcare providers who have a contract with CZ: these providers claim the costs for the healthcare provided directly from CZ.
Please notify us if there are compelling reasons why healthcare providers should not have access to your address details; we will then hide these details accordingly. This also applies with regard to any person you are being protected from: here, too, you can have your details hidden, even if the person concerned is the policyholder.
Whenever CZ uses the services of third parties for its activities, we endeavour to ensure that data is processed only within the European Union or countries/organisations that the European Commission considers to guarantee an adequate level of security. However, this is not always possible. Your personal data - including data concerning your health - may be processed in a country other than those referred to above. If so, we will contractually ensure that these processors provide appropriate safeguards.
Personal data concerning health
CZ takes particular care when it comes to personal data concerning health. CZ uses these data to determine whether you are entitled to healthcare and/or to the reimbursement of healthcare services. To the extent necessary, personal data concerning health are also used for verification purposes, conducting fraud investigations, claiming damages from third parties, and for analyses for healthcare procurement and risk management purposes.
CZ’s medical adviser will always belong to a profession listed in the ‘BIG register’ (the Dutch register of Individual Healthcare Professions), which includes doctor, dentist, physiotherapist, obstetrician, nurse, health care psychologist, psychotherapist and pharmacist.
The medical adviser has a statutory duty of confidentiality. The use of personal data concerning health falls under the responsibility of the medical adviser(s), and the relevant medical adviser is responsible for every employee who uses personal data concerning health, except where this use concerns activities of a purely administrative nature, such as processing claims from healthcare providers or forwarding and digitising post. The group of employees under the responsibility of the medical adviser is called the ‘functional unit’. Employees in the functional unit have the same duty of confidentiality as the medical adviser.
Automatic processing of pre-authorisation requests and claims
Your pre-authorisation request (‘machtigingsaanvraag’) is handled with due care, in a process that uses criteria drawn from the terms and conditions of insurance to assess your request; these criteria may be applied in an automated system. You will always be informed whether the request has been accepted or rejected; this notification will also explain how you can submit a complaint should you wish to do so.
Claims are generally handled using an automated system, in a process that uses criteria drawn from the terms and conditions of insurance to assess your claim.
You are entitled at all times to ask a question or submit a complaint about the automated processing of your claim. Your question or complaint will be examined by a CZ employee.
III. Commercial and direct marketing purposes
CZ uses your personal data to keep you informed on other products and services we provide that may be of interest to you. Data about your health (e.g. claims data) are not used for commercial purposes, unless you have given your explicit consent. CZ sometimes selects groups of individuals from its customer base, to recommend a product to a certain target group for example. In making selections for commercial purposes, CZ does not use personal data concerning health or financial data as selection criteria.
CZ uses your personal data to make analyses for the purpose of marketing activities. Data about your health will not be used for this purpose, unless you have given your explicit consent.
Selecting customer groups
CZ uses personal data to select customer groups for the purposes of marketing activities and service improvements. A customer group may (also) be based wholly or partly on data obtained from sources outside CZ. Your data will not be used for any decision-making based solely on automated processing that produces legal effects concerning you or otherwise significantly affects you.
If you receive emails from CZ to inform you about our offerings, CZ can use email tracking to save click behaviour in emails, for example to see when an email has been opened or when you have clicked on certain articles in the newsletter. This information can be used to improve our email campaigns so that the content is better suited to your preferences. The tracking mechanisms we use do not store any information on your computer the way cookies do.
2. How long are your personal data kept?
CZ stores your personal data only for as long as is considered necessary for the purpose for which CZ originally received the personal data. In most cases, this means we must retain your data for 7 years (starting from 1 January of the year following the year to which the data relate), but there are a few exceptions.
The exceptions are:
- Insurance is not taken out
You may have applied for insurance with CZ but ultimately did not take this out, perhaps because you changed your mind, or maybe because CZ declined your application. In such a situation, CZ saves your information for one year so that we can refer to this information should you decide to apply again the following year. This also allows CZ the option of drawing your attention to other products that may be of interest to you, assuming you have not specified that you do not want us to do this.
- After cancellation of your insurance
If you had insurance with CZ and this has been cancelled, we will retain your personal data for a maximum of 7 years after your policy has ended, or for a maximum of 7 years after the last bills are received. One of the reasons we do this is to comply with our obligations under the Healthcare Insurance Act. We may use your personal data for direct marketing purposes for a maximum of 2 years, unless you have specified that you do not want us to do this.
If you are insured with CZ under a ‘Verdragspolis’, we are legally obliged to retain your data for up to 20 years.
- Personal data concerning health in an investigation
If we have carried out an investigation in which your medical data were used, or if your medical data are needed for future research, we store these data for as long as necessary to complete the investigation and secure our rights, such as to recover funds wrongly paid where a claim has been submitted for healthcare that was not provided.
If we use your personal data in the course of a fraud investigation, we will retain your data for a maximum of 8 years after the investigation has been closed.
- Recording phone calls for training purposes
We may record telephone conversations we have with you for the purpose of training our staff so that we can improve our service. We will only retain your data for as long as is necessary, and for no longer than 6 months.
- Cancellation of insurance due to non-payment or late payment
If your insurance is cancelled because of non-payment or late payment, your personal data will be stored for a maximum of 5 years.
- Complaints and disputes
If we use your personal data in the context of complaints or disputes, we will retain such data for 2 years after the procedure has concluded.
3. What are your rights?
In terms of your personal data, you have the right of access, rectification, erasure, restriction, portability, objection, and withdrawal of your consent. You can read about what each of these rights entails below.
You have the right to request access to the personal data CZ holds about you and to the information regarding the purposes for which it uses your personal data.
Through your personal ‘Mijn CZ’ page, we provide you with secure access to much of the personal data we process about you (name and address details, insurance details, information on the deductible and premiums you have paid to date, and the costs of the healthcare provided).
You may wish to see other specific information however, in which case you can submit a request. In your request, please specify the personal data you would like to see.
If you have provided CZ with personal data or these have been provided on your behalf, and if CZ processes these personal data by an automatic means, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format.
CZ can also send these personal data to another health insurer directly if the personal data in question are needed for you to be able to switch to the other health insurer, or if they are needed for authorisations provided by CZ for reimbursing healthcare costs.
If you would like CZ to send the personal data to the other health insurer directly, please state this in your request.
If you believe that CZ holds incorrect or inaccurate personal data about you, you may ask us to correct the data. This is known as rectification. You also have the right to request that incomplete personal data be supplemented, which you can do by submitting an additional statement.
In your request, please specify the personal data you wish to have corrected and why.
You have the right to ask CZ to delete the personal data we hold on you if you believe one of the following situations applies:
- CZ no longer needs your personal data;
- your personal data are used with your consent, but you are now withdrawing that consent;
- CZ is not entitled to use your personal data;
- CZ was already required by law to delete your personal data;
- CZ is using your personal data for social media.
In your request, please specify the personal data you would like CZ to erase and why you believe CZ should do this. If your request concerns data relating to your insurance, in many cases CZ will not be permitted to erase these personal data. This could be, for example, because CZ still needs the personal data as part of its obligation to retain data for a particular period of time (see section 2).
You have the right to request that the processing of your personal data be restricted:
- during the time CZ needs to determine whether your personal data do indeed need to be corrected;
- if CZ was not entitled to use your personal data but you do not want to erase your data either;
- while you are awaiting a response to your objection with CZ to the use of your personal data.
Restriction of the use of your personal data means that CZ requires your consent to use the data if and when required. There are several exceptions to the above. Your personal data can still be used:
- to administer your health insurance and additional medical expenses insurance policy and claims, so that you can remain insured and your health insurer can pay your claims;
- to establish, exercise, or defend a legal claim;
- to protect the rights of another natural or legal person; or
- for reasons of overriding public interest in the European Union or a Member State, when public health is at risk for example.
In your request, please specify why CZ may not use your personal data. You can also include the request to restrict the use of your personal data with a request to rectify your personal data or with an objection, in which case the processing of your personal data will be restricted until your data have been corrected or the objection process has been completed.
You have the right to object to the use of your personal data for direct marketing purposes. If your personal data is being used for a purpose other than direct marketing or administration of your insurance policy and claims, you may object to this use on grounds relating to your particular situation. In your objection, please specify which personal data this concerns and the reason for your objection.
If CZ processes your personal data strictly with your consent, you may withdraw this consent at any time. Consent cannot be withdrawn with retroactive effect however, meaning that the withdrawal of consent will not affect any processing operations already completed.
In your request, please specify which consent you would like to withdraw.
4. How can you exercise your rights?
If you would like to make active use of one of the rights described above, you can send your request to CZ's Data Protection Officer, for example by letter or electronically. In principle, we will respond to your request or objection within one month. If your request or objection is complex, however, this period can be extended by an additional two months, in which case CZ will inform you of this extension within one month of receiving your request.
If you are not satisfied with the way in which your request or objection has been handled, you may lodge a complaint with the Dutch Data Protection Authority (or with a supervisory authority in any other EU Member State). You also have the right to apply to the court.
If you are a policyholder and have taken out a general insurance policy for a child, you may also exercise the rights set out above (in paragraph 3) on behalf of the child. Note, however, that special rules apply if the child is aged 16 or over. For children over 16, you as the policyholder only have a right to request access to data that are needed in order to conclude the general insurance policy and to obtain sufficient insight into bills you must pay. If you request access to the personal data of a child aged 16 or over for whom you are the policyholder, we cannot give you any data other than that referred to above. However, we can disclose all data to you if you provide us with an authorisation from the child aged 16 or over permitting us to do so.
5. How are your personal data protected?
To protect personal data, CZ has implemented and maintains security measures throughout the organisation. These measures, which involve the organisation, staff, processes, technology, and physical security, are set out in CZ’s security policy.
Developments in the world of information security are moving fast. The measures used by CZ have been derived from internationally applicable standards like ISO/IEC 27002. Using risk analyses, internal control plans and independent audits, CZ checks periodically to ensure that these measures are still fit for purpose. CZ is also under the direct supervision of various supervisory bodies and the external auditor. These parties verify, among other things, that our information security management system functions properly. If CZ makes use of third parties for the processing of personal data, CZ ensures that the third party has implemented appropriate data security that is adequate for the type of personal data being processed.
6. How do we handle your personal data when using WhatsApp?
If you have questions about your health insurance, you can also message us on WhatsApp. We will not share any sensitive personal information with you by WhatsApp, such as medical data, or any other personal data. This is because WhatsApp is less reliable and secure than, for example, email or chat. For this reason, we will never ask you for confidential information on WhatsApp. We also kindly request that you do not share any sensitive personal data using WhatsApp.
Under WhatsApp terms and conditions for business users, we have 24 hours to respond to any messages you send us on WhatsApp. This 24-hour term starts every time you send us a message. After expiry of the 24-hour term, we can only send a standard message in response to your message. In such a standard message, we will ask you for consent to continue the chat. We can only continue the chat if you respond ‘YES’. If you do not respond, we will send you one reminder and one message advising you that we are closing the chat.
7. How can you get in touch with CZ?
Please address your letter to:
CZ Customer Services
Postbus 90152, 5000 LD Tilburg, Netherlands
Changes and date
The main changes since the last version
- As ‘institution of the place of residence’ (in Dutch: ‘orgaan van de woonplaats’) CZ processes your personal data when you register for a ‘Verdragspolis’.
- The examples of activities outsourced to Vektis and VECOZO are described in more detail.
- A passage has been added in relation to the log of events (‘Gebeurtenissenadministratie’).
- Health insurers check whether you appear on the Dutch government’s National Terrorism Sanction List. If you do, this will be reported to ‘De Nederlandsche Bank’.
- It is clarified that data about your health is not used for commercial purposes or analyses in relation to marketing activities unless you have given your explicit consent.
- A passage has been added on how CZ uses personal data to select customer groups for marketing purposes and for service improvements.
- If we use your personal data in the context of complaints or disputes, we will retain such data for 2 years after the procedure has concluded.
- A passage has been added on how to exercise the rights of a child.