Privacy statement for vaccination against Mpox

Vaccination against mpox and protecting your data
It is important that your data is kept secure. We are careful with it, and we comply with laws such as the General Data Protection Regulation (GDPR).

Who works with your personal data?
We at GGD GHOR Nederland ask you to share your personal data with us for vaccinations. We use and store the data. We must do this the way the law says we should. This means that we handle your personal data properly and safely. We tell you what data we have about you, what we do with it, and who works with it.

We share your data with the following organisations:

The GGD: Local GGD departments and GGD doctors (called ‘the GGD’ in this document)
GGD GHOR Nederland
The IT provider of the iMPeX system (Topicus) and its sub-processors
SOS International (GGD Vaccination Medical Information Line)
Family doctors, if you have given permission for this
The National Institute for Public Health and the Environment (RIVM), if you have given permission for this
The ION foundation (national register for family doctors), if you have given permission for this

When you make an appointment for a vaccination, your personal data is recorded in iMPeX. iMPeX is the system the GGD uses for the vaccination process and for communication about the vaccination process. The GGD can see your vaccination information in iMPeX. Normally, we cannot see this at GGD GHOR Nederland unless there is a problem with iMPeX that we need to fix.

What personal data do we use?
We need your personal data to carry out the vaccination properly.
This is the personal data we need from you:

Your first name and last name
Your address
Your date of birth
Whether you are male, female, unspecified or unknown
Your Citizen Service Number (BSN)
Your phone number
Your email address
The reason why you are getting an invitation for a vaccination
Information about your health, to decide if you can receive a vaccination. And to know what side-effects the vaccination may give you.
Information about the vaccine that you receive: the name and number of the vaccine
The date and location of the appointment
The name of your family doctor

What happens to your personal data?
We use your personal data so that we can give you a vaccination. You can see below what we use your personal data for.

Sending invitations and making appointments
Carrying out the vaccination
Sending information to the RIVM/family doctor
Making the vaccination certificate

STEP 1: You make an appointment for a vaccination

You receive an invitation. If you decide to get vaccinated, you make an appointment. In this step the regional GGD uses your personal data to decide if you should get an invitation. And they use your contact details to invite you to make an appointment.

The GGDs send invitations and make appointments in different ways:

The regional GGDs decide for themselves how to invite people and make appointments. For example, by letter, email, text message or by phone. Do you want to know how to make a vaccination appointment? Then visit the website of the GGD in your area.

STEP 2: The vaccination

You come on the agreed date and at the agreed time to the place where you are going to get the vaccination. In this step, the GGD staff check your identity and your appointment details. They also check the health screening form that you fill in before coming. Depending on the information in the form, a doctor may want to examine you first. This happens at the vaccination location.

If the GGD staff approve your health screening form, you get the vaccination.

STEP 3: Sending information to the RIVM and your family doctor

The GGD will only contact your family doctor if you have given permission for this. We ask for the name of your family doctor now in case the GGD and your family doctor need to contact each other later.

Sending information to the RIVM

In this step, the GGD sends information about your vaccination to the RIVM. The RIVM uses your information for the following things:

for your safety
for research to see if the vaccine works well
to be able to warn people quickly if there are any side-effects

We do not use your personal data for anything else. Only for the things we have explained above.

What laws apply to the way we use your personal data?
The General Data Protection Regulation (GDPR) says that we can only use your personal data if we have a valid reason. The GDPR says that valid reasons can be: consent, agreement, legal obligation, vital interest, public task / public interest and legitimate interest.

We use your data to fight an infectious disease epidemic. This is a public task or a public interest task. The law also says that the GGD must record and check personal data for these types of diseases. And to carry out further research on this. This is stated in the Wet publieke gezondheid (translated here as Public Health Act).

The laws that apply here are:

Wet publieke gezondheid (translated here as Public Health Act), Article 6b paragraph 3.
Besluit publieke gezondheid (translated here as Public Health Decree), Article 11 paragraph 1.
Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg (Wabvpz) (translated here as Processing of Personal Data in Healthcare (Supplementary Provisions) Act), Articles 5 and 6.
General Data Protection Regulation, Article 6 paragraph 1 (a) and (b), Article 9 paragraph 2 (a) and (h) and Article 22 paragraph 4.
Wet op de geneeskundige behandelingsovereenkomst (translated here as Medical Treatment Agreement Act), Article 457 of Book 7 of the Dutch Civil Code.

When you receive a vaccination the GGD must ask you for your citizen service number and record it. This is because the GGD is a healthcare provider. And because a vaccination is a medical treatment. The law that applies to this is Article 6 paragraph 1 (c) of the GDPR in combination with Articles 5 and 6 of the Processing of Personal Data in Healthcare (Supplementary Provisions) Act.

How long do we keep your personal data?
We keep your personal data for twenty years. This is allowed by the Medical Treatment Agreement Act. After that, we destroy the data or make it anonymous. We will ask for your permission if we want to keep your personal data longer except if another law says that we are obliged to keep it.

How do we protect your personal data?
We think it is important to keep your personal data safe. To do that, we make agreements with the people and organisations that process the data for us. The agreements say what they can do with your data for us.

What else do we do?

We make sure that we work with secure systems. We test this or have it tested for us.
We make sure employees who work with your personal data know what they may and may not do with the data. They must keep personal data confidential.
We make sure that we work according to fixed procedures. We also follow the laws and regulations about personal data.

What are your rights?
These are your rights according to the law:

You have the right to receive correct information about what happens to your personal data.
You have the right to view your personal data. You can get a copy of this data.
If your data is incorrect then you can ask us to correct it.
In some cases, you can tell us to delete your personal data. In some cases, you can object to the use of your personal data. For example, if you do not want your data to be used for scientific research.

In all these situations, you can contact the GGD that gave you your vaccination.
Have you given permission for your data to be passed on to the RIVM? Then you can ask for your data to be removed from the RIVM’s records at any time. You can do this on mijn.rivm.nl/vaccinaties. You will need your DigiD to do this.

Do you have questions or complaints about what happens to your personal data?
Do you have questions or complaints about what happens to your personal data? Please contact the Data Protection Officer at the GGD that gave you your vaccination. Every GGD has a privacy statement. This tells you who the Data Protection Officer is.

Appendix 1 lists the website addresses of all the GGDs.

You can also report a complaint to GGD GHOR Nederland. You can do this by sending your complaint to the GGD GHOR Nederland’s Data Protection Officer. The email address is fg@ggdghor.nl.

What if we handled your complaint and you do not agree with the outcome or the way we handled it? Then you can send a complaint to the Dutch Data Protection Authority via this website: https://autoriteitpersoonsgegevens.nl/nl/voordat-u-een-klacht-indient (in Dutch).

Changes
We will change this privacy statement if necessary. For example, if we have to change who processes personal data, or which personal data we use.

We changed this statement last on July 29, 2022.