Privacy statement for HPV 18+

Vaccinations against the HPV virus


Protection of your data when you receive the HPV vaccine
It is important that your personal data are properly protected. We handle your data carefully and comply with legislation such as the General Data Protection Regulation (GDPR).

Who processes your personal data?
When you get a vaccination, we ask you to share your personal data with us – the Netherlands Municipal Public Health Services and Medical Assistance in Accidents and Disasters (GGD GHOR) – on behalf of the various Municipal Public Health Services (GGDs). We use and retain your personal data. We are required to do so as set out in the law. This means we handle your personal data carefully and securely. We let you know what information we have about you, what we do with it and who processes it.

We share your data with the following organisations:

  • Municipal Public Health Services (GGD): Local GGD branches, including GGD physicians;
  • IT provider of the iHPV application (Topicus) and its subprocessors;
  • GGD Customer Contact Centre;
  • The National Institute for Public Health and the Environment (RIVM).

When you make an appointment for a vaccination, your personal data are entered in the iHPV system, which is the system the GGD uses to schedule appointments and register your vaccination. The GGD can view your vaccination details in iHPV. Under normal circumstances, we at the GGD GHOR cannot see this information unless there is a problem we have to solve.

What personal data do we use?
We need your data to properly administer the vaccination.
These are the personal data we need from you:

  1. Your first name and last name;
  2. Your postal code;
  3. Your street name and house number
  4. Your date of birth;
  5. Whether you are male, female, unspecified or unknown;
  6. Your Citizen Service Number (BSN);
  7. Central Agency for the Reception of Asylum Seekers (COA) healthcare number or V-number;
  8. Your phone number;
  9. Your email address;
  10. medical information to determine whether you can get a vaccination (contraindications and medical triage);
  11. details about the vaccine you’ll be receiving: vaccine name and vaccin number;
  12. appointment date and appointment location;
  13. GGD region;
  14. The name of your doctor.

What is done with your personal data?
We use your personal data to register your vaccination. To find out more, go to ‘What else do we use your personal data for?’ You can read about what is done with your personal data below.

  1. Making an appointment
  2. Getting the vaccination
  3. Administration/aftercare
  4. Providing data to RIVM

STEP 1: Making an appointment for a vaccination
RIVM will send you an invitation letter to make an appointment. This letter explains that you can schedule an appointment for a vaccination yourself.

There are two ways to make, reschedule or cancel an appointment:

  • Via the website

Go to the website and log in with your DigiD. You will then be asked to answer a number of questions to determine whether you can get the vaccination. Once you have answered all the questions, you can choose a date, time and location. We will also ask for your telephone number and email address so we can send you a message to confirm your appointment. You will receive confirmation of your appointment via email.

  • Via the Customer Contact Centre for your GGD

When you call the national telephone number, you will be put through to a regional GGD. No personal data are processed to connect you to the GGD. The Customer Contact Centre employee will ask you for the details required to make, reschedule or cancel your appointment. The employee will ask you a number of questions to determine whether you can get the vaccination. The employee will make, reschedule or cancel the appointment for your vaccination. You will receive confirmation of your appointment by email.

STEP 2: The vaccination
Go to the place where you will get the vaccination on the scheduled date and time. The GGD staff will first verify your identity and appointment. Your data will be checked and you will receive the vaccination.

If the GGD staff approve your health screening form, you get the vaccination.

STEP 3: Administration and aftercare
After you get the vaccination, it will be recorded in your file.

STEP 4: Providing personal data to RIVM
If you are making an appointment or getting your vaccination, we will ask you for permission to share your data with RIVM. If you have given the GGD permission to share your data with RIVM, then the GGD will send your data to RIVM. We will send the following information:

  • vaccination details (product name, lot number, vaccination code);
  • date of birth;
  • vaccination date and location;
  • BSN;
  • vaccination site;
  • GGD organisation;
  • GGD location.

What else do we use your personal data for?
It is important for us to know how many people in the Netherlands have been vaccinated. We use your data for these kinds of overviews, but the overviews themselves are anonymous. This means they contain no personal data. Your data may also be used for statistical purposes and scientific research. In these cases, we encrypt your data (using pseudonymisation) to ensure that no one can find out that they are yours. We use your data according to the applicable rules for statistical and scientific research. If you do not want your data to be used for scientific research, you can lodge an objection with the GGD of the location where you will get the vaccination.

When you make your appointment, the call centre employee will ask you for permission to send your vaccination details to RIVM. If you consent to this, the GGD will send your vaccination details to RIVM the same day. These details contain personally identifiable information. If you do not consent, you can still get your vaccination. Click here for more information.

RIVM uses your information for the following purposes:

  • for your safety;
  • for research to determine whether the vaccine is effective;
  • to decide whether enough people have been vaccinated, for example to ease lockdown restrictions;
  • to quickly issue warnings about potential side effects;
  • to invite you for a follow-up vaccination.

We do not use your personal data for any purposes other than those listed above.

Text messages
In addition to the confirmation you receive after you make a vaccination appointment, sometimes GGD GHOR will send you other text messages when necessary. These messages may be sent to you for various reasons, such as to notify you that your appointment has been cancelled or the time and location have changed. We will also send you a text reminder 48 hours before your appointment.

Which legislation allows us to use your personal data?
The GDPR states that we can only process your personal data if we have a valid reason to do so. These valid reasons are set out in the GDPR: consent, agreement, statutory obligation, vital interest, public task/public interest or legitimate interest.

We will use your data to conduct a catch-up campaign for the National Immunisation Programme. This is considered a public task or a task carried out in the public interest.

The applicable legislation is as follows:

  • Public Health Act, Section 6
  • Personal Data Processing in Healthcare (Additional Provisions) Act, Sections 5 and 6
  • General Data Protection Regulation, Section 6(1)(a) and (b), Section 9(2)(a) and (h), and Section 22(4)
  • Medical Treatment Contracts Act, Section 7:457 of the Dutch Civil Code

The GGD is required to request and register your BSN when you get a vaccination. This is because the GGD is a healthcare provider and because vaccination is a medical treatment. The applicable legislation is Article 6(1)(c) of the GDPR in conjunction with Sections 5 and 6 of the Personal Data Processing in Healthcare (Additional Provisions) Act.

For how long will we retain your personal data?
We will retain your personal data for 20 years. This is required by the Dutch Medical Treatment Contracts Act. After that period, we will destroy your data or make them anonymous. If we would like to retain your data for longer, we will ask for permission unless we are required to retain your data in accordance with other legislation.

How do we protect your personal data?
It is important to us that your data are secure. That is why we make agreements with the people and organisations that process data for us. These agreements state what they can do with your data on our behalf.

What else do we do?

  • We ensure that the systems we work with are secure by testing them or having them tested.
  • Staff who process your personal data know what they can and cannot do with these data. They must keep all personal data confidential.
  • We make sure that we follow a fixed procedure and we comply with the laws and regulations regarding personal data.

What are your rights?
These are your rights according to the law:

  • You have the right to receive accurate information about what is done with your personal data;
  • You have the right to view your personal data; you can obtain a copy of your data;
  • If any of your data are incorrect, then we are required to fix them;
  • In some cases, you can demand that we delete your personal data. In some cases, you can lodge an objection against the use of your personal data. This is an option when you do not want your data to be used for scientific research, for example.

In all these situations, you should contact the GDD where you received your last vaccination.
If you gave permission for your data to be shared with RIVM, you can request to have these data deleted from RIVM’s records at any time. To do so, please contact RIVM.

Do you have any questions or complaints about what is done with your personal data?
If you have any questions or complaints about how your personal data are used, please contact the Data Protection Officer of the GGD that administered your vaccination. Each GGD has a privacy statement. This document specifies who the Data Protection Officer is.

The websites of all GGDs are listed at the bottom of this page.

You can also submit a confidential report, question or complaint regarding the processing of your personal data to the Netherlands Municipal Public Health Services and Medical Assistance in Accidents and Disasters (GGD GHOR). To do so, please contact our Data Protection Officer via email at

If we have processed your complaint and you disagree with the outcome or the way your complaint was handled, you can submit a complaint about that to the Dutch Data Protection Authority via the website: (in Dutch).

We will amend this privacy statement if necessary. For example, we will do so if there are changes in who processes personal data for us or in what personal data we use.

We most recently amended this privacy statement on 21 February 2023.


Appendix 1: List of GGD websites

To find out which GGD covers your municipality, visit (in Dutch).

  • GGD Rotterdam-Rijnmond

  • GGD Noord- en Oost-Gelderland

  • GGD IJsselland

  • GGD Haaglanden

  • GGD Zuid Limburg

  • GGD Twente

  • GGD Drenthe

  • GGD Hart voor Brabant

  • GGD Zeeland

  • GGD Hollands Midden

  • GGD Fryslân

  • Dienst Gezondheid en Jeugd ZHZ

  • GGD Brabant-Zuidoost

  • GGD Limburg-Noord

  • GGD Amsterdam

  • GGD Hollands Noorden

  • GGD Gelderland-Midden

  • GGD Gelderland-Zuid

  • GGD Groningen

  • GGD regio Utrecht

  • GGD Zaanstreek-Waterland

  • GGD Gooi en Vechtstreek

  • GGD Kennemerland

  • GGD Flevoland

  • GGD West-Brabant