Privacy statement coronavirus vaccination


Coronavirus vaccination
It is important that your data is properly secured. We are careful with it, and we comply with all laws such as the General Data Protection Regulation (GDPR).

Who works with your personal data?
At GGD GHOR Nederland we ask you to give us your personal data for vaccinations. We use it and store it. We follow all laws as we do this. This means that we handle your personal data properly and safely. We tell you what data we have about you, what we do with it and who works with it.

We share your data with the following organisations:

  • GGD: Local GGD departments, including GGD doctors (called the GGD in this document)
  • GGD GHOR Nederland
  • The CoronIT application (Topicus) IT provider and sub-processors
  • Teleperformance (National Vaccination Appointment Line)
  • SOS International (GGD Vaccination Medical Information Line)
  • Your family doctor, if you have given permission
  • The National Institute for Public Health and the Environment (RIVM), if you have given permission
  • Stichting ION (Inschrijving Op Naam, or Registration By Name), if you have given permission
  • The Ministry of Health, Welfare and Sport (VWS), if you ask to see your data via the CoronaCheck app

If you make a vaccination appointment, your personal data will be transferred to CoronIT. CoronIT is the system that the GGD uses for the vaccination process and to communicate about this. The GGD can see your vaccination data in CoronIT. We normally can’t see this at the GGD GHOR. But we are allowed to if there is a problem we need to solve. That is because we work as a Service Desk for the CoronIT system.

What personal data do we use?
We need your personal data to carry out the vaccination properly. These are the personal data we need from you:

  1. First and last name
  2. Address
  3. Date of birth
  4. Whether your gender is male, female, unspecified or unknown
  5. Citizen Service Number (BSN)
  6. Phone number
  7. Email address
  8. The vaccination target group you belong to
  9. Medical information, to determine whether you can receive a vaccination (contra-indications and medical triage)
  10. Information about the vaccine you receive: vaccine name and number
  11. The name of your family doctor

What happens with your personal data?
We use your personal data to be able to give you a vaccination. Would you like to know what else we use it for? Please take a look at the section below called What else do we use your personal data for?. Here is a description of what happens to your personal data.

  1. Invitation / registration
  2. Performing the vaccination
  3. Administration / aftercare
  4. Sharing the data with RIVM / your doctor
  5. Creating your vaccination certificate

STEP 1: Making a vaccination appointment

You have received an invitation. Or you belong to a target group whose turn it is to get vaccinated. You can decide for yourself whether you want to be vaccinated.

There are 2 ways to make an appointment:
1. Through the National Vaccination Appointment Line
2.
Online on the coronavirus vaccination appointment website

  1. Through the National Vaccination Appointment Line

Call the National Vaccination Appointment Line to make an appointment. They will ask for the information that they need to create a file for you. You can read more about this in points 1 to 7 in the section called What personal data do we use?. They will ask some questions that include questions about your health. This way, they can decide whether you are able to receive a vaccination. They will register the target group to which you belong. They will also book your vaccination appointment. You will receive an appointment confirmation by email and text message.

  1. Online on the coronavirus vaccination appointment website

Go to the coronavirus vaccination appointment website and answer the questions there. These are the same questions that the National Vaccination Appointment Line asks to determine whether you can receive a vaccination. After answering the questions you can log in with your DigiD and choose a date, time and vaccination centre. We also ask for your phone number and email address. That way, we can send you confirmation and contact you if needed. You will receive confirmation of your vaccination appointment by email and a reminder by text message.

When you answer the questions, you might be referred to the National Vaccination Appointment Line to book an appointment. Or you might be told that it is not possible to make an appointment.

STEP 2: Performing the vaccination

Come to the vaccination centre on the agreed date and time. The GGD employees will first check your identity and your appointment. Give them the health screening form that you have filled in. A doctor might want to talk to you about your health screening form. They do this at the vaccination site. If the employees decide that your heal health screening form allows it you will then get your vaccination.

STEP 3: Administration and aftercare

You must stay in a waiting room for 15 minutes after the vaccination. This is because you might develop symptoms directly after the vaccination. If you don’t develop symptoms you can go home.

STEP 4: Sharing your personal data with the RIVM and/or your doctor

Have you given the GGD permission to tell your family doctor that you have had a vaccination? Then the GGD will send a message to your family doctor. This will state the type of vaccine (name) you received and the vaccination date. This way, your family doctor can give you the right kind of care if you get side effects. The GGD looks in the Stichting ION database to find your doctor’s name.

STEP 5: Creating your vaccination certificate
Have you been vaccinated and do you want to be able to show a vaccination certificate? For example, so that you can travel or go to an event? Then you can use the CoronaCheck application. You can pick up a QR code for your vaccination certificate in this app.

If you are not able to pick up a QR code in the CoronaCheck app, click here for more information.

Is your data incorrect? Or do you have questions about your data? The GGD GHOR Nederland’s back office can check your data and correct it if needed. Contact the back office at 0800-5090.

What else do we use your personal data for?
It is important that we know how many people have been vaccinated in the Netherlands. We use your personal data for these types of overviews, but the overviews are anonymous. This means that the overviews no longer contain any personal data. Your personal data can also be used for scientific research. This is also done anonymously and according to the rules that apply to scientific research. Do you not want your data to be used for scientific research? Then you can tell the GGD employees this at the vaccination centre.

If you phone the National Vaccination Appointment Line to make an appointment, we ask for permission to send information about your vaccination to RIVM. If you give permission, the GGD will send RIVM details about your vaccination the same day. If you don’t give permission, you can still get a vaccination.

This is what RIVM uses your personal data for:

  • your safety.
  • to see whether the vaccine is working properly.
  • to decide whether enough people have been vaccinated (for example, so that lockdowns can become less strict).
  • to provide fast warnings about possible side effects.

If you phone the National Vaccination Appointment Line to make an appointment, we ask you for permission to record the telephone conversation. We will only record it if you give permission. We use these recordings to help improve our work. We also use something called ‘automatic speech analysis’ to do this. Here’s how it works. The computer ‘listens’ to the recordings of your telephone conversation and looks for specific words. This helps us to select recordings of telephone conversations to check. We check for things like employee fraud or employees who give medical advice when they shouldn’t. It also helps us understand why somebody was not able to make an appointment. This helps us to do our work better.

We do not use your personal data for anything else besides what we have described above.

Since 1 July 2021, it has also been possible to get a vaccination certificate using the CoronaCheck app. If you ask for your data in this app, it will be shared with you. The Ministry of Health, Welfare and Sport is responsible for the CoronaCheck app and for how the app uses your personal data. Do you want more information about this? Then take a look at the privacy statement for the CoronaCheck application.

What laws apply to our use of your personal data?
The General Data Protection Regulation (GDPR) states that we can only use your personal data if we have certain reasons. These are called ‘valid’ reasons. The GDPR states that these valid reasons are: consent, agreement, legal obligation, vital interest, public task / public interest or legitimate interest.

We use your data to fight an infectious disease epidemic. This is a public task or a public interest task. The GGD is also required by law to record, check and follow up on data for these types of diseases. This is stated in the Wet publieke gezondheid (translated here as Public Health Act).

The laws that apply here are:

  • Wet publieke gezondheid (translated here as Public Health Act), article 6b, paragraph 3.
  • Besluit publieke gezondheid (translated here as Public Health Decree), article 11, paragraph 1.
  • Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg (translated here as Supplementary rules for processing personal data in the Public Healthcare Act), articles 5 and 6.
  • General Data Protection Regulation (GDPR), article 6, paragraph 1, point a and article 9, paragraph 2, point a.
  • Wet op de geneeskundige behandelingsovereenkomst (translated here as Medical Treatment Contracts Act), article 7:457 of the Dutch Civil Code.

The GGD must ask for and register your Citizen Service Number (BSN) for vaccinations. This is because the GGD is a healthcare provider. And because vaccination is a medical procedure. The law that applies here is GDPR Article 6 paragraph 1c GDPR in combination with Articles 5 and 6 of the Supplementary rules for processing personal data in the Public Healthcare Act.

The laws that apply to recording conversations on the National Vaccination Appointment Line and to sending data to RIVM and your family doctor are Article 6, paragraph 1a and Article 9, paragraph 2 of the GDPR and Article 7:457 of the Dutch Civil Code.

If you contact GGD GHOR Nederland’s back office to check your data used for the vaccination certificate, the telephone conversation will be recorded. We do this to make sure any complaints are handled properly. The law that applies to the recording of these conversations is Article 6 paragraph 1f of the GDPR.

How long do we keep your personal data?
We keep your personal data for 20 years. This is allowed by the Wet op de geneeskundige behandelingsovereenkomst (translated here as Medical Treatment Contracts Act). Then we destroy it or we make it anonymous.

We will ask for permission if we want to keep your personal data for longer. The only time we wouldn’t ask you this is if we need to keep it longer because of another law.

We keep recordings of conversations with the National Vaccination Appointment Line for 14 days. We use them to check the quality of our work and handle complaints. We delete the recordings after 14 days. Sometimes, there is a complaint or problem related to the recording. If this happens within the 14 days, then we keep the recording until we have dealt with the complaint or solved the problem. We make reports based on the speech analysis of the recordings and keep these reports for up to 14 months. They don’t contain any personal data.

If you contact GGD GHOR Nederland’s back office to check your data used for the vaccination certificate, the telephone conversation will be recorded. We will keep the recording for 4 weeks.

How do we protect your personal data?
We think it is important to keep your personal data safe. To do that, we make agreements with the people and organisations that process the data for us. The agreements say what they can do with your data for us.

What else do we do?

  • We make sure that we work with secure systems. We test this, or have others test it for us.
  • We make sure that employees who work with your personal data know what they can and cannot do with this data. They must keep the personal data confidential.
  • We make sure that we work according to a fixed procedure. We also follow the laws and regulations about personal data.

What are your rights?
These are your rights under the law:

  • You have the right to receive correct information about what happens with your personal data.
  • You have the right to see your personal data. You can get a copy of your data.
  • If your data is incorrect, we must correct it.
  • In some cases, you can tell us to delete your personal data.
  • In some cases you can object to the use of your personal data. For example, you can object to your data being used for scientific research.

In all of these situations, you should contact the GGD that gave you your vaccination.

Have you given permission to give your personal data to RIVM? Then you can have this data removed from RIVM’s system at any time. This can easily be done in the client portal at mijn.rivm.nl/vaccinaties. You need your DigiD for this.

Do you have any questions or complaints about the use of your personal data?
Do you have any questions or complaints about the use of your personal data? Please contact the Data Protection Officer at the GGD that gave you your vaccination. Every GGD has a Privacy Statement. It tells you who the Data Protection Officer is.

Appendix 1 contains the websites of all GGDs.

You can also report a complaint to GGD GHOR Nederland. You can do this by sending it to the GGD GHOR Nederland’s Data Protection Officer. The email address is fg@ggdghor.nl.

What can you do if you don’t agree with the outcome or the way we handled your complaint? Then you can send a complaint to the Dutch Data Protection Authority. You can do this on this website: https://autoriteitpersoonsgegevens.nl/en.

Changes
We will change this privacy statement as necessary. For example, if we have to change who processes personal data, or which personal data we use.

We last updated this statement on July 23, 2021.