We process your data only to deliver your skin consult, handle it and keep it safe, and never more than necessary.
Your medical record is protected by the professional confidentiality of your BIG-registered dermatologist and is stored encrypted.
You always have the right to access, correct or delete your data.
We never sell your data and share it only with parties involved in your care.
This summary is provided for guidance and does not replace the full policy below.
ARTICLE 1
Purpose and scope
At 247dermatologist we attach great importance to the protection of privacy and personal data. This privacy policy explains how we, together with the dermatologists affiliated with our platform, handle personal data, and how data subjects can exercise control over their data.
This policy applies to all processing of personal data through the 247dermatologist platform, including:
the website and application;
the digital consultation and messaging functionality;
the administrative and supporting processes (such as invoicing, complaints handling and support).
Personal data is processed in accordance with:
the General Data Protection Regulation (GDPR);
applicable European and national privacy legislation and implementing decrees;
relevant healthcare legislation, including the Dutch Medical Treatment Contracts Act (WGBO) and the Dutch Healthcare Quality, Complaints and Disputes Act (Wkkgz).
ARTICLE 2
Definitions
In this privacy policy, the following terms have the following meanings:
General Data Protection Regulation (GDPR)
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Personal data
Any information relating to an identified or identifiable natural person.
Anonymous data
Data that can no longer be linked to an identified or identifiable person and therefore no longer qualifies as personal data.
Data subject
The natural person to whom the personal data relates (for example a patient, dermatologist or website visitor).
Controller / processor
The party that determines the purposes and means of the processing, or the party that processes personal data on behalf of the controller, respectively.
ARTICLE 3
Roles and responsibilities
247dermatologist B.V., established in Bergen op Zoom, the Netherlands, and registered with the Dutch Chamber of Commerce (KvK) under number 89921003, is the controller within the meaning of the GDPR for the platform and its supporting processes.
The affiliated dermatologists are controllers for the medical record within the meaning of the WGBO. They are bound by medical confidentiality.
For some processing operations, 247dermatologist acts as a processor on behalf of the dermatologists (for example hosting and technical storage), and for other processing operations as an independent controller (for example account management, security and platform statistics).
Where other parties are engaged as processors, 247dermatologist concludes data processing agreements with these parties that meet the requirements of the GDPR.
ARTICLE 4
Categories of personal data
4.1 Patients and users
247dermatologist processes, among other things, the following data of patients and users:
Identification and contact details
Name, address, place of residence, email address, telephone number, date of birth, gender.
Account details
Username, login credentials, preferences, communication settings.
Medical and health data
Data concerning health, diagnoses, medical history, anamnesis, medication, treatment plans and other data necessary for dermatological treatment.
Images (medical photos)
Photos and other images of skin abnormalities or related medical situations required for assessment and treatment.
Insurance and billing data
Health insurer details, policy number, invoice details and payment information.
Technical data
IP address, device information, log data and usage data for security and functional analysis.
4.2 Dermatologists and other healthcare providers
Of dermatologists and other healthcare providers, 247dermatologist processes, among other things:
Professional identification and contact details
Name, professional address, professional email address, telephone number, AGB code, BIG registration number, VAT number, billing address.
Biometric/image data
Profile photo for recognisability and professional presentation within the platform.
Administrative and financial data
Data for contract management, invoicing and payment.
4.3 Website and app visitors
For visitors who do not (yet) have an account, the following may be processed:
Contact details submitted through forms (for example name, email address and the content of a message).
Cookie and usage data (see Article 9).
Messages sent through the contact form are delivered by email to the 247dermatologist customer service team (info@247dermatologist.com). The email service provider that delivers these messages acts as a processor for 247dermatologist.
ARTICLE 5
Purposes and legal bases
5.1 Purposes
Personal data is processed for the following purposes:
Care delivery and platform use
creating and managing accounts;
scheduling and carrying out (tele)dermatological consultations;
recording and managing the medical record;
communication between patient and dermatologist.
Administration and invoicing
processing invoices and payments;
handling claims towards insurers where applicable.
Security and integrity of the platform
securing systems and data (including logging and monitoring);
detecting and handling (suspected) misuse, fraud or unauthorised use.
Customer service and complaints handling
answering questions and requests;
handling complaints and disputes.
Quality improvement, research and statistics
analysing anonymised or pseudonymised data to improve the service, functionality and user experience.
Marketing and communication
sending service messages required for use of the platform;
sending newsletters or other information about products and services, exclusively within the applicable consent and opt-out rules.
5.2 Legal bases
Personal data is processed on the basis of one or more of the following legal bases:
Performance of a contract
Processing necessary for the performance of the (care) agreement with the patient or the agreements with dermatologists.
Legal obligation
For example the retention obligation for medical records under the WGBO and retention obligations under tax law.
Vital interests of the data subject
In exceptional situations where processing is necessary to protect vital interests.
Legitimate interest
For example securing and improving the platform, provided the interests of data subjects do not override this.
Consent
For processing not covered by the bases above, such as certain marketing activities or the use of non-essential cookies. Consent can be withdrawn at any time.
Health data (a special category of personal data) is processed primarily on the basis of the healthcare exemptions in the GDPR in combination with the WGBO. Where consent is used for such data, it is explicit, specific and informed.
ARTICLE 6
Medical record and professional confidentiality
Under Section 7:454 of the Dutch Civil Code, the care provider (dermatologist) is required to create and maintain a medical record containing data on the patient's health and the procedures carried out.
The dermatologists are bound by medical confidentiality. Access to medical data is limited to persons directly involved in the treatment or its support, and only to the extent necessary.
247dermatologist provides the technical infrastructure and takes appropriate measures to safeguard the confidentiality, integrity and availability of medical data.
ARTICLE 7
Security
247dermatologist takes appropriate technical and organisational security measures to protect personal data against unauthorised or unlawful processing, loss, destruction or damage. These measures include:
encryption of data in storage and in transit (including end-to-end encryption for consultation data);
strict access control based on the need-to-know principle;
logging and monitoring of access and use;
periodic updates and security patches;
internal procedures for incident and data breach management.
In the event of a (possible) data breach, the legally required steps are taken, including, where necessary, notification of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and the data subjects concerned.
ARTICLE 8
Retention periods
Medical data
Documents in the medical record are, as a rule, retained for at least twenty years after they were created, in accordance with the care provider's retention obligation under Section 7:454 of the Dutch Civil Code (previously fifteen years).
Administrative and billing data
Retained for the period arising from tax and other legal obligations (generally at least seven years).
Log and security data
Retained for as long as necessary for security and audit purposes, subject to reasonable maximum periods.
Anonymised data
Data that can no longer be linked to a person may be retained without a fixed period for statistics, research and quality improvement.
In specific cases a longer retention period may be necessary, for example in connection with ongoing claims, complaints or disciplinary proceedings. In those cases, data is retained for as long as necessary for that purpose.
ARTICLE 9
Cookies and similar technologies
The 247dermatologist website and application use cookies and similar techniques.
Essential cookies
These are necessary for the website and app to function correctly (for example for logging in and session management) and are placed without consent.
Optional cookies (such as analytics and advertising cookies)
These are only placed with prior consent via the cookie banner. Examples include:
advertising and remarketing cookies (e.g. Google Ads);
web analytics cookies (e.g. Google Analytics) to collect statistics on usage.
The cookie settings and/or the cookie overview indicate, for each cookie category:
the purpose of the cookies;
the retention periods;
which third parties have access to the data.
Data subjects can change or withdraw their cookie preferences at any time via the available settings in the browser and/or the cookie banner.
ARTICLE 10
Sharing of personal data
To the extent necessary for the service, personal data may be provided to the following categories of recipients:
affiliated dermatologists and, where necessary, other healthcare providers involved;
IT and hosting service providers;
payment and invoicing providers;
(health) insurers, where necessary for claims;
supervisory authorities and other competent (government) bodies, where a legal obligation to do so exists.
Where these parties act as processors, they are contractually required to process personal data solely on the instructions of 247dermatologist and to secure it adequately.
International transfers
Where personal data is processed outside the European Economic Area (EEA), this only takes place if:
the country offers an adequate level of protection according to the European Commission; or
appropriate safeguards are used, such as the standard contractual clauses adopted by the European Commission, supplemented with additional measures where needed.
ARTICLE 11
Reporting unauthorised use
If a data subject suspects or discovers unauthorised use of his or her account, this should be reported as soon as possible via info@247dermatologist.com.
Upon receipt of such a report, 247dermatologist will take appropriate measures, including:
(temporarily) blocking or resetting the account;
investigating the cause and scope of the incident;
taking measures to prevent further damage.
ARTICLE 12
Rights of data subjects
Within the limits of the law, data subjects have the following rights:
the right to access their personal data;
the right to rectification of inaccurate or incomplete data;
the right to erasure (“right to be forgotten”) in the cases set out in the GDPR;
the right to restriction of processing;
the right to data portability;
the right to object to certain processing operations, including processing based on legitimate interest and direct marketing.
Requests to exercise these rights can be submitted via info@247dermatologist.com. 247dermatologist may ask for additional information to verify the identity of the requester.
Specific statutory rules apply to the medical record. In exceptional situations, the doctor may restrict access where this is necessary to protect the health of the patient or third parties, in accordance with the WGBO.
Data subjects have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if they believe their personal data is being processed in breach of privacy legislation.
ARTICLE 13
Complaints and disputes
Complaints about the processing of personal data or the handling of requests can be addressed to info@247dermatologist.com. The complaint will be handled by a complaints officer or another authorised member of staff.
If a complaint is not resolved satisfactorily, the data subject may, insofar as the complaint concerns the content of care, turn to the applicable complaints and disputes body (for example the Geschillencommissie Zorg Algemeen), in accordance with the Wkkgz and the regulations based on it.
This does not affect the right of data subjects to apply directly to the Dutch Data Protection Authority and/or the competent court.
ARTICLE 14
Changes
247dermatologist reserves the right to amend this privacy policy. The most recent version is always available via the website and application. In the event of material changes, data subjects may be actively informed, for example via the platform or by email.
ARTICLE 15
Governing law and competent court
This privacy policy and the processing of personal data by 247dermatologist are governed by Dutch law.
Disputes arising from or relating to this policy or the processing of personal data will, insofar as they have not first been resolved through a complaints or disputes body, be submitted to the competent court in the Netherlands.