General terms and conditions of the dental practices whose shares are held
by Holding Lassus Tandartsen BV, namely: Lassus Tandartsen BV Lassusstraat 9A (Chamber of Commerce
nr 61752614) www.lassustandartsen.nl, Lassus Tandartsen Keizersgracht BV, Keizersgracht
132A / B (Chamber of Commerce no. 61754501) www.lassustandartsen.nl, Lassus Dentists Olympic Stadium
BV, Johan Cruijffplein 125 (Chamber of Commerce no. 68292112) www.lassustandartsen.nl, Tandartspraktijk De
Liefde BV, Rietwijkerstraat 52 (Chamber of Commerce no 61753858) www.tandartspraktijkdeliefde.nl, Tandartspraktijk
Plantage Middenlaan 1-H (Chamber of Commerce no 62791400) www.tandartsplantagemiddenlaan.nl
and Dental Factory B.V., Jan van Galenstraat 171 (Chamber of Commerce no. 64763692) www.dentalfactory.nl te
Amsterdam, hereinafter referred to as “Lassus”.
Article 1. General
Lassus ensures that with (special) Personal Data of patients, care is taken
dealt with. We comply with applicable laws and regulations, including the General
Data Protection Regulation. We would like to inform you further with these Privacy Regulations
about our policy.
Article 2. Definitions
For clarity, we briefly indicate what we mean by certain terms:
1. Personal data: all data through which the patient can become
2. Controller: the controller, as referred to in Article 4 paragraph 7
of the Regulation. For this privacy regulation, the dental practice.
3. Processing / Processing: processing of personal data, whether or not performed
through automated processes, such as collection, recording, ordering,
save, update, change, request, consult, use, provide by
by means of transmission, dissemination or any other form of posting,
to bring together, to relate to each other, as well as to shield, to erase
or destruction of Personal Data.
4. Processor: the person who works for the benefit of the dental practice for the Processing of Personal Data without being subject to direct authority,
such as auxiliary persons hired by the Controller.
5. Data subject: the person to whom the Personal Data relate, in general
6. Implementation Act: the Implementation Act General Data Protection Regulation.
7. Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons in connection with this
with processing of personal data and regarding the free movement of that data
and repealing Directive 95/46 / EC (OJ 2016, L 119).
8. Privacy regulations: this document.
9. Pseudonomized data: Personal data that is no longer related to a specific
data subject can be linked without additional data
are used. This additional data is kept in such a way that it is not
can be linked to a person to be identified.
Article 3. How do we get the data?
Personal data is derived or derived from data that is oral and written
are provided by the Data Subject or his legal representative. Personal data
can also be provided by the health insurer, the general practitioner, other practitioners,
specialists, counselors or persons or agencies other than the aforementioned.
Article 4. How and why do we process data?
1. Processing takes place in a manner that is lawful, proper with regard to the Data Subject
and is transparent. In addition, the collection of Personal Data takes place
for certain, explicit and legitimate purposes. The
Processing does not take place in a manner incompatible with those purposes.
2. Processing for archiving in the public interest, scientifically
or historical research or statistical purposes is not considered incompatible with
considered the original purposes.
3. The Processing is only lawful if and insofar as at least one of the
the following conditions are met:
a. Consent of the Data Subject;
b. Entering into and carrying out a treatment (agreement);
c. Safeguarding the vital interests of the Data Subject, such as emergencies;
d. Looking after a legitimate interest of the Controller or of
a third party (for example, business continuity);
e. Need for a legal obligation or an agreement with the Data Subject
4. Personal data will only be Processed insofar as it has regard to the purposes
what they are Processed for are adequate, relevant and limited to what
5. The dental practice processes Personal Data for the following purposes:
a. Treatment of the Data Subject;
b. Informing and contacting the Data Subject (s);
c. Financial administration;
d. Proper functioning of the website.
Article 5. Conditions for permission
1. The Controller can demonstrate that the Data Subject has given permission
for the Processing.
2. The Data Subject can always withdraw a given consent.
Article 6. Other information
Article 7. What information is involved?
Processing may refer to the following data categories:
a. Name, first names, initials, title, gender, date of birth, address, postcode,
place of residence, telephone number and similar data required for communication,
as well as payment details of the Data Subject;
b. An administration number that contains no information other than under a;
c. Information as referred to under a, of the parents, guardians or guardians of a minor
d. Data as referred to under a of the family or relatives of the Data Subject
as well as others who become concerned about the welfare and health of the Data Subject
e. Information about the health status of the Data Subject and in the case of hereditary
disorders of his family and relatives;
f. Other special Personal Data with a view to proper treatment or
care of the Data Subject;
g. Information about the Data Subject’s treatment and follow-up as well as
the medicines or facilities provided;
h. Information about calculating, recording and collecting the compensation;
i. Information about the Data Subject’s insurance;
j. Other information necessary for the treatment.
Article 8. Obligation to provide information
1. Before Processing the Personal Data Controller, he shares the Data Subject
and / or its legal representative:
a. Who is responsible for the processing with contact details;
b. Why certain, concrete Personal Data will be Processed;
c. Where applicable, the contact details of the data protection officer;
d. How the Personal Data are Processed;
e. The period during which the Personal Data will be stored,
or, if that is not possible, the criteria for determining that period;
Any other information that needs to be provided for the sake of care.
This also means: The more sensitive the Personal Data that the Controller is
the more thorough information must be provided.
2. If Personal Data is requested through a third party, or is transferred to a third party the obligation to provide information is complied with in the same way before the Personal data is obtained or supplied, unless only with a disproportionate amount effort can be made.
Article 9. Right of inspection
1. The Data Subject has the right to access his Personal Data and can do the following
a. A description of the purpose or purposes of the Processing of Personal Data;
b. All available information regarding the origin of the Personal Data;
c. The categories of data to which the Processing relates;
d. An overview of recipients or categories of recipients who have the Personal Data have received;
e. If possible, the period during which the Personal Data is expected
will be stored, or if that is not possible, the criteria
to determine that period;
f. That the Data Subject has the right to rectification, the right to erasure and the
right to restriction of processing.
2. A request for access may be refused for the following reasons:
a. The applicant is not a Data Subject or his / her request does not relate to
data pertaining only to the applicant;
b. The applicant has not yet reached the age of 16 and / or is under guardianship
has been asked. In that case, only the legal representative can make the request
c. The controller has recently submitted a similar request from the same
the applicant’s hearing;
d. Protecting the Data Subject or the rights and freedoms of others;
e. Because of the security of the state, and / or prevention, detection and prosecution offenses.
Article 10. Other rights
1. The Data Subject has the right to object to the Processing at any time
of Personal Data concerning him. Processing will be stopped in case of objection
by the Controller.
2. The Data Subject has the right to request immediate rectification from the Controller obtain incorrect personal data from him.
3. The Data Subject has the right of the Controller without unreasonable delay
obtain erasure of Personal Data concerning him.
In addition, the Controller is obliged to provide data without unreasonable delay
erase when the Data Subject has withdrawn his consent or the Controller
no longer needs the Personal Data for the purposes for which
these have been collected.
4. The Data Subject has if the accuracy of the Personal Data is by him
disputes the Controller’s right to obtain restriction of the Processing.
5. The Data Subject has the right to transfer the Personal Data concerning him to the
Responsible has provided, in a structured, common and machine-readable
Article 11. Exercise of rights by the Data Subject
The Controller takes appropriate measures to ensure that the Data Subject communicates
in a transparent and accessible manner and in clear terms.
Article 12. Access to and recipients of Personal Data
1. In principle, only those who have direct access to Personal Data
are involved in the execution of the treatment of the Data Subject, insofar as
that access is necessary for their work.
2. When a Processing is performed on behalf of the Controller, the Controller shall do so
only appeals to Processors who provide adequate guarantees
that the Personal Data are Processed in accordance with the Regulation, the Implementation Act
or regulations based thereon.
3. For the rest, the following persons and bodies may be admitted
granted / Personal data will be provided:
a. Investigators as referred to in Section 7: 458 of the Dutch Civil Code;
b. Health insurers to the extent necessary with a view to the obligations from
the insurance contract;
c. Third parties that are charged with collecting claims insofar as access / provision is concerned
is necessary and it is not medical data;
d. Others, when the basis of the Processed Data is:
(i) Consent of the Data Subject;
(ii) A need to comply with a legal obligation;
(iii) Safeguarding the vital interest of the Data Subject.
e. Others, when further Processing for historical, statistical or scientific
purposes, if the Responsible Party takes the necessary measures has made arrangements to ensure that further Processing is solely for the benefit of for these purposes.
Article 13. Register
The Controller keeps a register of the processing activities that are under it
responsibility takes place. This register contains the following information:
a. The name and contact details of the Controller and, if applicable,
from the data protection officer;
b. The processing purposes;
c. The categories of data to which the Processing relates;
d. The categories of recipients to whom Personal Data is provided;
e. If possible, the intended period within which the Personal Data must be
f. If possible, a description of the affected technical and organizational
Article 14. Reporting infringement
1. If an infringement related to Personal Data has taken place, the
Responsible – if and insofar as required by law – as soon as possible after
she is informed of this to the Data Subject and the Dutch Data Protection Authority.
2. The notification referred to in the first paragraph contains at least:
a. The nature of the infringement;
b. The likely consequences of the infringement;
c. The measures taken by the Controller as a result of the infringement;
d. A contact point for more information.
Article 15. Retention periods
1. Medical information obtained to declare a treatment agreement
go or fulfill are kept for 15 years. The Controller is not held
to longer retention periods than by law, in particular Article 7: 454 paragraph 3 of the Civil Code, mandatory.
2. Other Personal Data will not be kept longer than is necessary for the
purposes for which they were Processed. If that Personal Data is no longer needed they are deleted.
Article 16. Confidentiality
1. The Controller, the Processor and anyone under the authority of the Controller
has access to Personal Data, are required to maintain confidentiality
of the Personal Data.
2. Data regarding the health of the Data Subject (s) is considered to be ‘special’
Personal data identified. For Processing special Personal Data
everyone who Processes them has a duty of confidentiality. This one
results from the office, profession or employment contract of the person.
Article 17. Security
1. The Controller must ensure appropriate technical and organizational
measures to protect Personal Data.
2. “Appropriate” means that the security measures taken are appropriate
the risk that the Personal Data will become (further) careless or unlawful
Processed and the damage that would result from it. The measures taken must
to make sure that:
a. Only authorized persons have access to Personal Data;
b. The Personal Data is correct and will not be lost;
c. The Personal Data are available without restriction for lawful ones
Processing according to the agreements within the organization.
3. In all cases, the Controller is responsible for the information security policy
and propagates this policy within the dental practice.
Article 18. Final provisions1. The Controller does not accept more obligations than what he has
is required by law, unless otherwise agreed in writing with the Data Subject.
2. The Data Subject has the right to file a complaint with the supervisory authority
Data Subject (s) after Data Subject (s) have been notified of the change.
4. These Privacy Regulations came into effect on 25-05-2018 and at the dental practice
For questions or exercising the rights of the Data Subject, you can contact us
Address: Lassusstraat 9, 1075GV Amsterdam
Phone: +31 (0) 204713137