GDPR Policy
(version 11.2024)
​
Definitions The following definitions apply in these regulations:
"Entity" which is a data operator Ruxandra Savulescu - Counselling KVK 92062466
"Law" the Law on the Protection of Personal Data (UAVG) and the Law of 25 May 2018 General Data Protection Regulation (GDPR);
"Personal data" any information that makes a natural person identifiable;
"Processing of personal data" any action or set of actions with respect to the data personal. This includes in any case the collection, recording, organization, storage, updating, modifying, retrieving, consulting, using, providing by transmission, distribution or any other form of making available, bringing together, relating to each other, as well as blocking, exchanging or destroying data;
"File" any coherent set of personal data, regardless of whether this data set is collected together or separately, according to certain criteria is accessible and refers to different people;
"Controller" the person who alone or together with others determines the purpose and the means for which establishes the processing of personal data. The responsible person could be a natural person, legal person or administrative body;
"Processor" the person who processes personal data on behalf of the operator, without being subject to his direct authority;
"Data subject" the person to whom the personal data refer;
"Third party" any person other than the data subject, the operator, the person authorized by the operator or any person who is authorized under the direct authority of the controller or processor to process personal data;
"Recipient" the person to whom the personal data is provided;
"Consent of the data subject": any free, specific and informed expression a wishes with which the data subject accepts that personal data about him or her be processed;
"Provision of personal data" the disclosure or provision of data with personal character;
"Collection of personal data" obtaining personal data.
I. Applicability
(1) These regulations apply to fully or partially automated processing of personal data personal. It also applies to the non-automated processing of personal data that are included in a file or intended to be included.
(2) These regulations mainly refer to the processing of customers' personal data, but they can also apply to employees.
II. Scope
(1) The purpose of collecting and processing personal data is to have the necessary data for the achievement of legal purposes, as well as the purposes described in the service description in the Terms and Conditions of the care provider and to implement policy and management in the context of this purposes.
​
III. Representation of the person concerned
If the data subject is a minor and has not yet reached the age of sixteen, or if the data subject is an adult and has been placed under guardianship, or a mentorship has been established for the benefit of the data subject, the consent of the data subject shall be substituted for requires the consent of his legal representative. The consent is recorded in writing. If the person concerned has given written authorization regarding his representation towards the processor, then permission from the written authorized representative is also required.
Consent may be withdrawn at any time by the data subject, his written representative or his legal representative.
​
IV. Responsibility for data management
(1) The controller is responsible for the proper functioning of data processing and management; is of usually the responsibility of the person in charge, an administrator charged with effective management of personal data, but this is not mandatory in the case of small-scale processing a personal data, as is the case here.
(2) The controller ensures that appropriate technical and organizational measures are taken protective measures against any loss or any form of illegal processing activity a data and is liable for damages or disadvantages caused by failure to comply with the requirements law or these regulations, to the extent it was caused by his actions.
(3) The responsibility referred to in paragraph 1 and the provisions of paragraph 2 remain unaffected if the processing takes place by a processor; this is arranged in an agreement (or by means of another legal act) between the processor and the controller.
​
V. Legal processing
(1) Personal data are processed in a transparent manner and in accordance with the law and in an appropriate and careful manner.
(2) Personal data will be collected only for the purposes mentioned here in these regulations and will not be further processed in a way incompatible with the purposes for which are intended.
(3) Personal data should be sufficient and relevant for the purposes for which are collected or processed later; no more personal data should be collected or processed than is necessary for the purpose of the registration.
(4) Personal data can only be processed if one or more of conditions:
-
the data subject has given his unequivocal consent to the processing;
-
the data processing is necessary for the execution of an agreement to which the data subject is party or for actions, at the request of the data subject, which are necessary for the conclusion of a agreement;
-
data processing is necessary to fulfill a legal obligation responsible of the controller;
-
data processing is necessary in relation to a vital interest of the data subject;
-
data processing is necessary considering an interest of the operator or a third party, with unless that interest conflicts with the interest of the person whose data it is processed and whose interests take priority.
(5) Registration of the unique identification code for citizens will take place only if there is a legal basis legal for this and/or if some form of care is provided to the person concerned by the controller or processor.
(6) Anyone acting under the authority of the operator or the person authorized by the operator - and, also the operator himself - processes personal data only on behalf the operator and the data will be processed only by persons who, by virtue of their position, profession are required by law or under a confidentiality agreement.
​
VI. Processing of personal data
(1) The processing takes place by social care providers or service providers insofar as this is necessary for the purpose of proper treatment or care of the data subject, or management of the relevant institution or professional practice.
(2) The processing takes place with the explicit consent of the data subject.
(3) The processing takes place at the request of an insurer to the extent necessary for the assessment of the risk to be insured by the insurer, or to the extent necessary for the execution of an insurance contract.
(4) Without the client's consent, data about the patient may be provided to another person for the purpose of statistics or scientific research in the field of public health if:
- requesting consent is not reasonably possible and such safeguards have been provided with regard to the conduct of the research that the client's privacy is not disproportionately damaged, or
- requesting permission, given the nature and purpose of the research, cannot reasonably be required and the care provider has ensured that the data is provided in such a form that tracing back to individual persons is reasonably prevented. Provision is only possible if:
- the research serves the public interest;
- the research cannot be conducted without the relevant data and
- insofar as the client concerned has not expressly objected to a provision.
(4) The prohibition on processing special data as referred to in Article 8 does not apply to the extent that this is necessary in addition to the processing of personal data about a person's health for the purpose of proper treatment or care of the data subject.
​
VII. Special Personal Data
(1) Processing of personal data about a person's religion or belief, race, political affiliation, health, sex life, union membership or criminal character data personally is prohibited, except in cases where the law expressly establishes by whom, for what purpose and under what conditions the data can be processed (articles 17-22 of the law with the exception provided in article 23 of the law).
(2) The prohibition referred to in the previous paragraph, without prejudice to the provisions of Articles 17 to 22 of the Act, does not apply insofar as there is an exception as referred to in Article 23 of the Act.
​
VIII. Data Acquisition
Data obtained from the person concerned
(1) If personal data are obtained from the data subject himself, the controller will inform the data subject before the time of collection:
-his identity;
- the purpose of the processing for which the data is intended, unless the data subject already knows that purpose.
(2) The controller will provide the data subject with further information to the extent that this is necessary - given the nature of the data, the circumstances under which they were obtained or the use made of them - to ensure proper and careful processing for the data subject.
(3) If data is obtained without the data subject's consent, the controller will inform the data subject:
- his identity;
- the nature of the data and the purpose of the processing for which the data is intended;
(4) The time when this must happen is:
- the moment the controller records the data or
- if the controller collects the data solely to provide it to a third party: at the latest at the time of first provision to that third party
(5) The controller will provide further information to the extent that this is necessary - given the nature of the data, the circumstances under which they are obtained or the use made of them - to ensure proper and careful processing for the data subject.
(6) The provisions under 3 do not apply if the notification referred to there proves impossible or requires a disproportionate effort. In that case, the controller records the origin of the data.
(7) The provisions under 3 also do not apply if the recording or provision is prescribed by or pursuant to the law. In that case, the controller must inform the data subject at his request about the legal provision that led to the recording or provision of the data in question.
​
IX. The right to access
(1) The data subject has the right to take note of the processed data relating to his person and may receive a copy of them.
(2) The controller will inform everyone at their request - as soon as possible, but not later than four weeks after receiving the request - in writing if the personal data which I look at them will be processed.
(3) If this is the case, the responsible person will provide the applicant with this information as soon as possible as soon as possible, but not later than four weeks after receiving the request - a written statement complete, general presentation followed by detailing the purpose or purposes of data processing or categories of data to which the processing refers, recipients or categories of recipients of the data as well as the origin of the data.
(4) If a legitimate interest of the applicant requires this, the operator will comply with the request in a form other than the written one, which is adapted to the respective interest.
(5) The operator may refuse to comply with a request if and to the extent that this is the case necessary in relation to:
• a legal obligation related to the investigation and prosecution of crimes;
• protection of the data subject or the rights and freedoms of others.
​
X. Provision of personal data
(1) In principle, personal data will not be provided to a third party without consent the person in question or his representative, unless otherwise provided legal requirement or state of emergency.
(2) If the controller provides personal data to third parties without the consent of the data subject or his legal representative, the controller will immediately inform the data subject or his legal representative thereof, unless this poses a danger to persons and/or property.
​
XI. The right to correction, completion, deletion
(1) At the written request of a data subject, the operator will make improvements, additions, delete and/or will block (the right to be forgotten) personal data about the applicant, if and to the extent where these data are factually incorrect, for the purpose of processing they are incomplete, irrelevant or extend beyond the purpose of processing, registration is not required or are otherwise processed in violation of a legal requirement. The request of the person concerned must contains the requested changes.
(2) The responsible person will inform the applicant as soon as possible, but not later than four weeks after receiving the request, inform in writing if they comply with it. If not conforms or does not wish to fully conform, reasons for this and provides a course of action for mediation with the help of an external commission if the applicant is not satisfied with the answer.
(3) The responsible person ensures that a decision to improve, supplement, remove and/or protection within 14 working days and, where this is not reasonably possible, will endeavor to do so as soon as possible.
(4) Any request related to access, enhancements, additions, deletion, blocking or portability can be made to counselling.ruxandrasavulescu@gmail.com
​
XII. Data Retention
(1) Personal data will not be kept in a form that allows the data subject to be identified for longer than is necessary for the achievement of the purposes for which it was collected or subsequently processed.
(2) The controller determines how long the recorded personal data will be retained.
(3) The retention period for medical and/or healthcare data is in principle twenty years, starting from the time they were created, or as much longer as reasonably results from the care of a good care provider or responsible person.
(4) Data of a non-medical nature will not be kept for longer than is necessary for the achievement of the purposes for which they were collected or subsequently processed, unless they are kept exclusively for historical, statistical or scientific purposes. If the data in question has been processed in such a way that it can be traced back to individual persons is impossible, they can be kept in an anonymized form.
(5) If the retention period for the personal data has expired or the data subject requests deletion before the expiry of the retention period, the relevant medical data will be deleted within three months.
(6). However, deletion will not occur if it can reasonably be assumed that
• the storage is of great importance to someone other than the data subject;
• storage is required based on a legal regulation or
• if there is an agreement between the data subject and the operator.
​
XI. Appeal procedure
If the person concerned is of the opinion that the provisions of these regulations are not being complied with, he can contact:
- the person responsible; any body functioning within the organization for independent complaints handling or a similar body functioning outside the company to which the therapist has joined;
- the court, in the cases referred to in Article 46 of the Act and the Dutch Data Protection Authority with the request to mediate and advise in the dispute between the data subject and the controller.
​
XII. Changes entering into force and copy
(1) Changes to these regulations are made by the responsible person. Any changes of the regulations enter into force two weeks after they have been announced to those involved.
(2) These regulations come into effect on 1.02.2024.
(3) These regulations can be viewed by the person responsible. If desired, a copy of these regulations can be obtained at cost price.
​
XIII. Unforeseen
In cases not provided for by this regulation, the responsible person will decide, taking into account the provisions of the law and the purpose and scope of this regulation.
​
​
ANNEX 1. Overview of the maximum data to be registered in Personal Processing
​​
CLIENT DETAILS
>To execute the contract, legal obligations of invoicing and bookkeeping:
Name​
Address
Date of birth
​
>To contact the client:
Telephone
Id messaging or video platform
​
>To organize and receive payment:
IBAN
​
>To the extent that this is necessary in addition to the processing of personal data about a person's health for the purpose of proper care of the data subject (according to the exception provided in article 23 of the law):
Personal healthcare data