Privacy statement coronavirus vaccination

Privacy statement coronavirus vaccination

Privacy statement coronavirus vaccination

Navigatie

Downloads bij dit thema

Privacy statement coronavirus vaccination

About this privacy statement

The Netherlands has 25 GGDs. GGD means: Gemeentelijke Gezondheidsdienst, or Municipal Public Health Service. The GGD helps keep people in the Netherlands healthy. Sometimes, we need to use personal data to do this. For example, if you are receiving a coronavirus vaccination. This statement explains:

  • what data we use about you;
  • why we are allowed to use these data;
  • how we handle your data;
  • your rights.

This statement only concerns the use of your data for the coronavirus vaccination. The GGD uses data from people who have or make an appointment for a coronavirus vaccination.

Which personal data do we use?

Personal data

  • First name and surname;
  • address details;
  • date of birth;
  • Citizen Service Number (BSN);
  • telephone number;
  • email address;
  • gender;
  • partner’s date of birth (if applicable);
  • identity document:
  • type;
  • document number;
  • expiry date;
  • COA care number (only for asylum seekers);
  • patient number;
  • patient status (file open/closed);
  • date of death (if someone died).

Data about your coronavirus vaccination

  • Name of the vaccine;
  • batch number of the vaccine (serial or product number);
  • vaccination number (e.g. first or second jab);
  • date and time of the vaccination;
  • whether the vaccination has been administered, has failed or has been cancelled;
  • side effects, if any;
  • the GGD administering the vaccination;
  • the target group for which you have been invited (e.g. people of a certain age or with a medical condition). This is determined by the Ministry of Health, Welfare and Sport.

Data about your appointment

  • Medical information, such as answers to health questions or a prior medical check-up;
  • your consent to share data with the National Institute for Public Health and the Environment (RIVM);
  • your informed consent, which means that you are well informed and give your consent (only if necessary);
  • date and time of your appointment;
  • recording of a telephone conversation (only if recorded).

What do we use your data for?

The GGD uses your data to give you a coronavirus vaccination. We do this in several steps:

  • inviting you for the coronavirus vaccination;
  • making an appointment;
  • administering the coronavirus vaccination;
  • recording your data in your medical file;
  • providing you with aftercare if necessary;
  • sharing your data with RIVM.

The GGD may also use your data for scientific research into the coronavirus. GGD GHOR Nederland (the national umbrella organisation of the GGDs and Regional Medical Assistance Organisations) assists the GGD in organising and implementing the coronavirus vaccination process.

Inviting you for the coronavirus vaccination

The National Institute for Public Health and the Environment (RIVM) determines who is eligible for a coronavirus vaccination. It also sends out the invitations. If you then make an appointment, the GGD will use your data to enter the appointment into the computer system. This will enable us to help you more quickly on the day of the vaccination.

Making an appointment

  • Online: you can make an appointment yourself via the website. You will need to log in with your DigiD.
  • By telephone: you can call to make an appointment. The call will be recorded. The recording will only be used to improve staff training.
    • Via an invitation with an appointment: RIVM determines who receives a letter with a date and time for the coronavirus vaccination. GGD GHOR Nederland will schedule this appointment. RIVM will then send you the letter with the appointment.

Text message

The GGD will send you a text message to remind you of your appointment. You may also receive other text messages from the GGD. For example, if your appointment has been cancelled or the time or location has changed.

Identification

Before you receive the coronavirus vaccination, the GGD is required to ask for and register your Citizen Service Number (BSN). The GGD will use your BSN to identify you.

Determining whether the coronavirus vaccination can be administered safely

The GGD will check whether it is medically responsible to give you the coronavirus vaccination. To do this, we use important medical information, such as your medical history, allergies and medication use. We do this at several points: when making the appointment by asking health questions and at the vaccination location with a questionnaire about your health. This way, we make sure that you can receive the vaccination safely.

The coronavirus vaccination and your medical file

At the vaccination location, we will first check your identity. We will then note the number of your identity document in your medical file. After that, we will ask you a few medical questions. We will also record important answers in your medical file. If there are no medical objections, you will receive the coronavirus vaccination. The details of the vaccination (such as date, vaccine and batch number) will be stored in your medical file in the CoronIT system. This will allow the GGD to know exactly when you received the vaccination and which vaccine was used.

Aftercare following the vaccination

You may experience side effects from the coronavirus vaccination. If this happens, we will record this in your medical file. We can then take this into account during your next appointment.

Research

The GGD uses your data for scientific and statistical research into public health. Sometimes, the GGD conducts its own research. We may also share your data with research organisations such as RIVM. We only use and share data that cannot be traced back to you. This means that the researchers will not be able to see who the data belong to. Your name and other personal details will not be shared.

Would you rather not have your data be used for research?

If you do not want this, you can object to the use of your data for research purposes. Information about how to object can be found under ‘Objection to the use of data for research purposes’.

Why is the GGD allowed to use your data?

The GGD may only use your personal data if there is a valid reason for doing so. The law specifies a number of reasons, which we explain below:

  1. Government task or public interest: the GGD’s task is to combat infectious diseases, such as the coronavirus. Vaccination is an important part of this. The GGD uses your data to perform this task properly.
  2. Statutory obligation: the GGD is obliged to ask for and record your BSN when administering vaccinations. This is necessary to be able to properly identify you. This is because vaccination is a medical procedure, and the GGD is a healthcare provider.
  3. Performance of a contract: when you get a coronavirus vaccination at a GGD, you enter into a medical contract with the GGD. The GGD then needs your details to be able to help you properly.
  4. Consent: the GGD asks for your consent to use certain data. For example, if your data are shared with RIVM.

What laws is this based on?

  • Public Health Act, Section 6b(3);
  • Public Health Decree, Section 11(1);
  • Processing of Personal Data in Healthcare (Additional Provisions) Act, Sections 5, 6 and 8;
  • Medical Treatment Contracts Act, Section 457 of Book 7 of the Dutch Civil Code;
  • General Data Protection Regulation (GDPR), Article 6(1)(a) and (b), Article 9(2)(a) and (h) and Article 22(4).

Sharing your data with other organisations

Sometimes, the GGD will need to share your data with other organisations. It needs to do this for the proper execution of its task. These organisations assist the GGD and work on its instructions. We call these organisations ‘processors’. They may only use your data for the work assigned to them by the GGD. Examples of these organisations are:

  • GGD GHOR Nederland: responsible for the GGD’s IT systems. It also helps send out invitations for coronavirus vaccinations.
  • Topicus: the supplier of the CoronIT system;
  • Performation: helps share and analyse your data;
  • Teleperformance: provides telephony services for the GGD.

Sometimes, the GGD may also share your data with other organisations, such as:

  • National Institute for Public Health and the Environment (RIVM). This only happens if you have given your consent.

If the GGD shares your data with other organisations, clear agreements are made. These agreements are set out on paper and ensure that your data are processed securely.

The GGD does not share your data (with organisations) outside the European Union (EU).

The GGD shares your data with RIVM

Before you receive a coronavirus vaccination, you will be asked to complete a health questionnaire. On this questionnaire, you can indicate whether you consent to the data relating to your coronavirus vaccination being shared with RIVM.

Do you give your consent?
If you give your consent, the GGD will share your personal data together with your coronavirus vaccination data with RIVM. RIVM will then know to whom the data belong.

Do you not give your consent?
If you do not give your consent, you will still receive the coronavirus vaccination. RIVM will only receive your data about the coronavirus vaccination. Your personal data will not be shared in that case.

Personal data that are shared:

  • first name and surname;
  • address;
  • date of birth;
  • Citizen Service Number (BSN);
  • COA care number (only for asylum seekers).

Data about the coronavirus vaccination that are shared:

  • name of the vaccine and batch number;
  • date of vaccination and the location where you received the jab.

If you would like to know how RIVM handles your data, please read the privacy statement on the RIVM website: Privacy Statement: COVID-19 vaccination programme.

Sharing your data for research purposes

The GGD shares data about your coronavirus jab with research institutes, such as RIVM. These data are anonymous, which means that researchers cannot identify the individuals to whom the data relate.

Do you not want your data to be used for research purposes?
If you do not want this, you can object to it. Information about how to do so can be found below under ‘Objection to the use of data for research purposes’.

The GGD will retain your data about the coronavirus vaccination for 20 years. It is required to do so under the Medical Treatment Contracts Act. After those 20 years, the data will be destroyed or anonymised. In some cases, the GGD will retain your data for longer. It may only do so:

  • if you give your consent for this; or
  • if the GGD is obliged by law to do so, for example if this is necessary for your health, for legal proceedings or for the collection of claims.

Your data are stored in a special IT system of the GGD. This system is called CoronIT. Only authorised staff members are able to view your data.

What are your rights?

You have a number of rights when it comes to the use of your data:

  • right to be informed
    You have the right to clear information about what happens to your data. This privacy statement provides you with that information.
  • right of access
    You have the right to access your data. You can request a copy of your data by submitting an access request.
  • right to rectification
    If your data are incorrect, you can ask us to correct them. This is called a rectification request.
  • right to erasure
    In some cases, you may require us to delete your data. This is called a deletion request.
  • right to restrict processing
    In some cases, you may request that we temporarily stop using your data. For example, if you have made a rectification request and have not yet received a response.
  • right to data portability
    You can request that we return the data you have provided to us. Or you can ask us to send them to another organisation. This only applies to data:
    – that you provided to us yourself;
    – for which you have given your consent or which are necessary to perform a contract with you;
    – and which are stored digitally (i.e. not on paper).
  • right to object
    In some cases, you can object to the use of your data. For example, if you do not want them to be used for scientific research. More information about this can be found under ‘Objection to the use of data for research purposes’.
  • right to withdraw consent
    If you have previously given your consent for the use of your data, you may withdraw that consent at any time.

Sharing your data with RIVM

If you have given your consent for your data to be shared with RIVM, you can have the data removed from the RIVM system at any time. You can do this via the client portal at mijn.rivm.nl/vaccinaties. You will need your DigiD to do this.

How can you exercise your rights?

You can submit a request to the GGD that administered your coronavirus vaccination. Each GGD has its own privacy statement, which explains how to submit such a request. You can find the relevant privacy statement at www.ggd.nl.

Objection to the use of your data for research purposes

If you do not want your data to be used for scientific and statistical research, you can fill in an objection form. You can do this via the following link: objection form.

You may object at any time. This applies to:

  • data that the GGD already has about you; and
  • data that the GGD will receive from you in the future, for example if you receive a subsequent coronavirus vaccination.

The GGD will need approximately four weeks to process your objection. After processing, your data will no longer be used for research purposes. You will receive confirmation once you have submitted the form.

No automated decision-making

The GGD does not make decisions about you that are made entirely by an automated system.
This means that a human being is always involved in the decision-making process.

Securing of your data

The GGD is obliged by law to ensure that your data are secure. The administrator of the registration system, GGD GHOR Nederland, is NEN7510 certified, which means that it complies with the obligations for data security. The GGD ensures that your data are secure in the following ways, among others:

  • We ensure that we work with secure systems. We test this ourselves or have it tested.
  • Staff members who work with your data know what they are and are not allowed to do with them. They are required to keep the data confidential.

You can find more information about the security measures in the privacy statement of the regional GGD that administered your coronavirus vaccination.

 

Contacting your GGD about your data

If you have a question or complaint about how the GGD handles your data, please contact the Data Protection Officer (DPO) at your GGD. Each GGD has its own contact details in the privacy statement at www.ggd.nl.

If you are not satisfied with how your complaint has been handled, you can submit a complaint to the Dutch Data Protection Authority. You can do this via the following website: autoriteitpersoonsgegevens.nl/nl/voordat–u–een–klacht–indient.

You can also send a confidential report, question or complaint to GGD GHOR Nederland, the organisation that supports the GGD. To do so, please send an email to fg@ggdghor.nl.

Changes

We will amend this privacy statement if anything changes, for example if we use other data or if another organisation uses your data. The most recent version of this statement can always be found here.

This privacy statement was last amended in July 2025.