Privacy statement coronavirus vaccination

Vaccination against coronavirus
It is important that your data is kept secure. We are careful with it, and we comply with laws such as the General Data Protection Regulation (GDPR).

Who works with your personal data?
We at GGD GHOR Nederland ask you to share your personal data with us for vaccinations. We use and store the data. We must do this in the way the law says we should. This means that we handle your personal data properly and safely. We tell you what data we have about you, what we do with it, and who works with it.

We share your data with the following organisations:

The GGD: Local GGD departments, including GGD doctors (called the GGD in this document)
GGD GHOR Nederland
The IT provider of the CoronIT system (Topicus) and its sub-processors
Teleperformance (The National Vaccination Appointment Line) and its sub-processors
SOS International (GGD Vaccination Medical Information Line)
Family doctors, if you have given permission for this
The National Institute for Public Health and the Environment (RIVM), if you have given permission for this
The ION foundation, if you have given permission for this
The Ministry of Health, Welfare and Sport (VWS), if you access your data via the CoronaCheck app

If you make a vaccination appointment, your personal data is stored in CoronIT. CoronIT is the system that the GGD uses for the vaccination process and to communicate about this. The GGD can see your vaccination information in CoronIT. Normally, we cannot see this at GGD GHOR Nederland, but we can if there is a problem that we need to solve. That is because we work as a Service Desk for the CoronIT system.

What personal data do we use?
We need your personal data to carry out the vaccination properly. This is the personal data we need from you:

Your first and last name
Your address
Your date of birth
Whether your gender is male, female, unspecified or unknown
Your citizen Service Number (BSN)
Your phone number
Your email address
The vaccination target group you belong to
Medical information, to determine whether you can receive a vaccination (contra-indications and medical triage)
The code of the vaccination you received: the type of vaccine (for example mRNA) and whether you have had the basic vaccinations, a booster or repeat vaccinations
Information about the vaccine you receive: the name and number of the vaccine
The date and location of the appointment
The name of your family doctor

What happens to your personal data?
We use your personal data so that we can give you a vaccination. Do you want to know what else we use it for? Then see under ‘What else do we use your personal data for?’ You can see below what we use your personal data for.

Invitation / registration
Carrying out the vaccination
Administration / aftercare
Sending information to the RIVM / your family doctor
Making your vaccination certificate

STEP 1: You make an appointment for a vaccination

There are 2 ways that you can get an invitation:

You have received an invitation from the RIVM that says you can make an appointment yourself for a vaccination.

There are 3 ways to make, move or cancel an appointment:

1. - Via the National Vaccination Appointment Line
    You call the National Vaccination Appointment Line to make, move or cancel an appointment. The call centre employee asks for the information that we need to make, move or cancel an appointment. You can read more about this in points 1 to 9 in the section called ‘What personal data do we use?’ The employee asks you some questions, for example about your health. This way, the employee can decide if you can have a vaccination. The employee registers the target group you belong to and makes, moves or cancels your vaccination appointment. You receive confirmation of the appointment by email and text message.
  - Via the Digital Assistant
    When you call the National Vaccination Appointment Line you may be put in a queue if it is busy. During the phone call you will be given the option to make, move or cancel your appointment via an online digital assistant. If you want to, you can chat to a digital assistant via a hyperlink that will be sent to your mobile phone. (The digital assistant is not a real employee.) In the chat you enter the information that we need to make, move or cancel a vaccination appointment. You can read more about this in points 1 to 9 in the section called ‘What personal data do we use?’ A call centre employee will then make, move or cancel the vaccination appointment for you. You receive confirmation of the appointment by email and text message.
  - Online via the coronavirus vaccination appointment website
    You go to the coronavirus vaccination appointment website where you can log in with your DigiD. You answer some questions there. They are the same questions that the National Vaccination Appointment Line asks to decide if you can have a vaccination. When you have answered all the questions, you can choose a date, time and place. We also ask you for your phone number and email address so that we can send you a confirmation. Or contact you if we need to. You receive confirmation of the appointment by email and text message.
    When you answer the questions, we may refer you to the National Vaccination Appointment Line to make an appointment. Or we may tell you that it is not possible to make an appointment.
    .
You get an invitation from the RIVM that proposes a date for the appointment:
Did you give permission for your information to be shared with the RIVM (see step 4 for more information) when you were vaccinated before? Then you will get an invitation from the RIVM with a date, time and place. Because the RIVM can see who can receive a vaccination. And whether you have received a vaccination from the GGD before. In this case, the RIVM will let us know that you will get an invitation for a vaccination. We then plan an appointment for you and the RIVM sends the information on to you. Do you not want a vaccination? Then you can cancel the invitation or do nothing. Is the appointment not convenient? Then you can move the appointment. The RIVM gives us your citizen service number so that we can make an appointment in this way. We look you up in CoronIT and plan the appointment. We let the RIVM know the date, time and place and they send you the invitation. Do you want to know how the RIVM handles your data? Read the privacy statement of the RIVM. You can find it here: Privacy statement Covid-19 vaccination programme (rivm.nl)

STEP 2: The vaccination

You come on the agreed date and at the agreed time to the place where you are going to get the vaccination. The GGD employees will first check your identity and your appointment. You also hand them the health screening form that you filled in before coming. Depending on the information in the form, a doctor may want to examine you first. This happens at the vaccination location. If the GGD employees approve your health screening form, you get the vaccination.

STEP 3: Administration and aftercare

You must stay in a waiting room for 15 minutes after the vaccination. This is because you might develop symptoms directly after the vaccination. If you do not develop symptoms within 15 minutes you can go home.

STEP 4: Sharing your personal data with the RIVM and/or your doctor

Are you making an appointment? Or are you getting your vaccination? Then we will ask for permission to share your information with the RIVM and your family doctor.

Have you given the GGD permission to share your information with the RIVM? Then the GGD will send your information to the RIVM. We send the information below.

Vaccination information (product name, vaccination batch number, vaccination code (this shows the type of vaccine and whether you have had the basic jabs, a booster or repeat vaccinations))
Date and place of vaccination, and
Reason for the vaccination (age).

For more information about how the RIVM handles this personal data, please see: Vaccination registration at the RIVM and your privacy | RIVM

Have you given permission for the GGD to let your family doctor know that you have received a vaccination? Then the GGD will send a message to your family doctor. The message tells them the type (brand) of vaccination that you have received and the date of the vaccination. This way, your family doctor can give you the right kind of care if you get side-effects. The GGD looks in the ION database to find out who your family doctor is.

STEP 5: Making your vaccination certificate
Have you been vaccinated and do you want to be able to show a vaccination certificate? For example to travel or go to an event? Then you can use the CoronaCheck application. You can get a QR code for your vaccination certificate in this app.

If you are not able to pick up a QR code in the CoronaCheck app, go to this website for more information.

Is your data incorrect? Or do you have questions about your data? The GGD GHOR Nederland’s Back Office can check your data and correct it if needed. The phone number of the Back Office is 0800-5090.

Do you want to know more about your privacy in the CoronaCheck application? Read the privacy statement for the CoronaCheck application.

What else do we use your personal data for?
It is important that we know how many people have been vaccinated in the Netherlands. We use your personal data to make these types of overviews, but the overviews are anonymous. This means that the overviews do not contain any personal data. Your data might also be used for statistical purposes and scientific research. We make your data unrecognisable when we do this (through pseudonymisation) so that no one knows it is your data. We use your data according to the rules that apply to statistical and scientific research. Do you not want your data to be used for scientific research? You can object to this at the GGD of the place where you receive your vaccination.

When you make the appointment, the call centre employee asks for permission to send information about your vaccination to the RIVM. If you give permission, the GGD sends the RIVM information about your vaccination the same day. That information is directly traceable to you. If you do not give permission, you can still get a vaccination.

The RIVM uses your information for the following things:

for your safety
for research to see if the vaccine works well
to decide whether enough people have been vaccinated, for example, so that a lockdown can become less strict.
to be able to warn people quickly about any side-effects
to be able to invite you for your next vaccination

When you call the National Vaccination Appointment Line to make an appointment, we ask you for permission to record the telephone conversation. We only record the conversation if you give us this permission. We use these recordings to help improve our work. We use something called ‘automatic speech analysis’ to do this. The computer looks for specific words in the recording of your telephone conversation. This helps us to select recordings of telephone conversations to check. We check for things like employee fraud and employees who give medical advice. We also use it to find out why somebody was not able to make an appointment. This helps us to do our work better.

We also ask you for permission to do a client satisfaction survey. If you give permission for this, we send a link to your mobile phone. Via this link we ask you how satisfied you are. We do the client satisfaction survey for training purposes.

We do not use your personal data for anything else. Only for the things we have explained above.

Since 1 July 2021, it has also been possible to get a vaccination certificate via the CoronaCheck app. If you access your data via this app, it will be shared with you. The Ministry of Health, Welfare and Sport is responsible for the CoronaCheck app and for how the app processes your personal data. For more information about this, see the privacy statement for the CoronaCheck application.

Text messages
After you make a vaccination appointment, you receive a text message confirming the appointment. GGD GHOR Nederland also sends you other text messages when we need to. We send you these messages for different reasons. For example, when your appointment has been cancelled. Or if the time and place have changed. We may also send you a text message inviting you to have a vaccination.

What laws apply to our use of your personal data?
The General Data Protection Regulation (GDPR) states that we can only use your personal data if we have certain reasons. These are called ‘valid’ reasons. The GDPR states that these valid reasons are: consent, agreement, legal obligation, vital interest, public task / public interest or legitimate interest.

We use your data to fight an infectious disease epidemic. This is a public task or a public interest task. The GGD is also required by law to record, check and follow up on data for these types of diseases. This is stated in the Wet publieke gezondheid (translated here as Public Health Act).

The laws that apply here are:

Wet publieke gezondheid (translated here as Public Health Act), article 6b, paragraph 3.
Besluit publieke gezondheid (translated here as Public Health Decree), article 11, paragraph 1.
Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg (translated here as Supplementary rules for processing personal data in the Public Healthcare Act), articles 5 and 6.
General Data Protection Regulation, Article 6 paragraph 1 (a) and (b), Article 9 paragraph 2 (a) and (h) and Article 22 paragraph 4.
Wet op de geneeskundige behandelingsovereenkomst (translated here as Medical Treatment Agreement Act), Article 457 of Book 7 of the Dutch Civil Code.

TWhen you receive a vaccination the GGD must ask you for your citizen service number and record it. This is because the GGD is a healthcare provider. And because a vaccination is a medical intervention. The law that applies to this is Article 6 paragraph 1 (c) of the GDPR in combination with Articles 5 and 6 of the Processing of Personal Data in Healthcare (Supplementary Provisions) Act.

The laws that apply to recording conversations on the National Vaccination Appointment Line and to sending data to the RIVM and your family doctor are Article 6, paragraph 1 (a) and Article 9, paragraph 2 of the GDPR and Article 457 of Book 7 of the Dutch Civil Code.

When you contact GGD GHOR Nederland’s Back Office to check your data used for vaccination certificates, the telephone conversation is recorded. We do this to make sure any complaints are handled properly. We record the conversations on the basis of Article 6, paragraph 1 (f) of the GDPR.

Automated decision-making
When you make an appointment via the chatbot, the chatbot decides automatically whether you will get an invitation for a vaccination. The chatbot does this based on the health information you enter. According to Article 22, paragraph 3 of the GDPR you have the right to have this decision checked by a call centre employee. So if you are not satisfied with the result from the chatbot, you can contact a call centre employee to make, move or cancel a vaccination appointment.

How long do we keep your personal data?
We keep your personal data for twenty years. This is allowed by the Wet op de geneeskundige behandelingsovereenkomst (translated here as Medical Treatment Contracts Act). Then we destroy the data or we make it anonymous. We will ask for permission if we want to keep your personal data longer, except if another law says we are obliged to keep it longer.

We keep recordings of conversations with the National Vaccination Appointment Line for 14 days. We use them to check the quality of our work and to handle complaints. We delete the recordings after 14 days. Sometimes a complaint or some other problem comes up within the 14 days and we need the recording for it. Then we keep the recording until we have dealt with the complaint or solved the problem. We make reports based on the speech analysis of the recordings and keep these reports for up to 14 months. They do not contain any personal data.

IWhen you contact GGD GHOR Nederland’s Back Office to check your data used for vaccination certificates, the telephone conversation is recorded. We keep the recording for 4 weeks.

How do we protect your personal data?
It is important to us to keep your personal data safe. To do that, we make agreements with the people and organisations that process data for us. The agreements say what they can do with your data for us.

What else do we do?

We make sure that we work with secure systems. We test this, or have it tested for us.
We make sure employees who work with your personal data know what they may and may not do with the data. They must keep personal data confidential.
We make sure that we work according to a fixed procedure. We also follow the laws and regulations about personal data.

What are your rights?
These are your rights according to the law:

You have the right to receive correct information about what happens to your personal data.
You have the right to view your personal data. You can get a copy of your data.
If your data is incorrect, we must correct it.
In some cases, you may tell us to delete your personal data. In some cases, you can object to the use of your personal data. For example, you can object if you do not want your data to be used for scientific research.

In all these situations, you must contact the GGD that gave you your vaccination.
Did you give permission for your data to be shared with the RIVM? Then you can ask for your data to be removed from the RIVM’s records at any time. This can easily be done in the client portal at rivm.nl/myrivm-vaccinations. You will need your DigiD to do this.

Do you have questions or complaints about what happens to your personal data?
Do you have questions or complaints about the use of your personal data? Then contact the Data Protection Officer at the GGD that gave you your vaccination. Every GGD has a Privacy Statement. This tells you who the Data Protection Officer is.

Appendix 1 lists the websites of all GGDs.

You can also send a confidential report, question or complaint about the processing of your personal data to GGD GHOR Nederland. You can send it to the GGD GHOR Nederland’s Data Protection Officer. The email address is fg@ggdghor.nl.

What can you do if we handled your complaint and you do not agree with the outcome or the way we handled it? Then you can send a complaint to the Dutch Data Protection Authority via this website: https://autoriteitpersoonsgegevens.nl/en.

Changes
We will change this privacy statement if necessary. For example, if we have to change who processes personal data, or which personal data we use.

We last updated this statement on September 30, 2022.