Various terms are used in this document, which are briefly explained below.
Personal data: all data that provide information about a natural person and with which the identity of this person could be established directly or indirectly. For example, a name, (e-mail) address or a professional identification number.
Data subject: the person to whom the Personal Data relates, or his/her representative.
Processing data: everything that can be done with the data in the application, such as:
- Collecting, recording and organizing data
- Requesting, changing and consulting data
- Providing information to others
- Protecting or destroying data
Portfolio: a validated collection of evidence of acquired competences of an individual.
Owner: the user the Portfolio is about.
2. Purpose of processing the data
Reconcept Portfolio (hereinafter: application) is used by participating hospitals to support and guide the professional development of its medical staff.
3. Personal Data
The General Data Protection Regulation (GDPR) is based on the principle that the amount of stored Personal Data must be limited to a minimum.
Personal data of all users
The following Personal Data is required for all users in order for the application to function:
- First name, prefix and last name: The user’s first name, any prefix and last name are stored to create a recognizable account for the user.
- Email Address: The email address of the user. The email address is used for communication between the application and the user and as a username.
- Professional identification number: a professional registration number that identifies a medical practitioner (required depending on the country where they are registered)
Personal data of users with a Portfolio
For users with their own Portfolio, the application offers the possibility to fill this Portfolio with relevant data. This concerns, for example:
- Assessments: such as practical feedback
- Interviews: e.g. a scheduled performance interview
- Competence certificates: e.g. a statement of independence for a particular skill
- Education: such as proof of attending a conference
4. Data protection
Rules for recording Personal Data are laid down in the General Data Protection Regulation (GDPR). The GDPR requires Reconcept to protect the Personal Data processed in the application against loss and against unlawful processing.
Reconcept complies with the law when Processing Personal Data. Reconcept processes this data in a proper, careful and transparent manner, as required by law. The Personal Data belongs to the Data Subject and is only used for the purposes described above. If Reconcept wishes to use the data more broadly, permission will be requested from the Data Subject and/or we will provide a legal basis for this.
Reconcept has taken appropriate technical and organizational measures to secure the Personal Data. The choice of these measures is based on the available technology, the implementation costs, the type of data that Reconcept processes and the associated risks. Reconcept strives to ensure that these measures meet the requirements in Article 32 of the GDPR. For example, the application has an SSL certificate and all Reconcept employees operate with complete confidentiality. This concerns employees in the broadest sense of the word; including any interns and freelancers.
5. Data breach notification obligation
A data leak is a security incident in which Personal Data has been lost or where possible unlawful processing of Personal Data cannot be ruled out. The following statements apply to this:
- In the case that Reconcept discovers that a data breach is taking place or has taken place, and there is a significant chance that this data breach will have adverse consequences for the protection of the Personal Data processed by Reconcept, then Reconcept will let you know immediately. Reconcept does this no later than 48 hours after we have discovered the data breach.
- Reconcept then consults with you about:
- the nature of the data breach;
- the risk that you and Reconcept are, have been or could be exposed to;
- the measures that Reconcept is taking or has already taken to resolve the data breach or to limit the consequences or damage as much as possible.
- After our report, we jointly determine whether we must report the relevant data breach to the Dutch Data Protection Authority
- If the Dutch Data Protection Authority starts an investigation into the data breach, Reconcept will inform you immediately and Reconcept will cooperate with an investigation by the Dutch Data Protection Authority.
Reconcept uses services provided by sub-processors for parts of the application. These are persons or organizations that process Personal Data from the application on behalf of Reconcept.
Reconcept makes thorough agreements with these sub-processors about how they handle the relevant data. We also agree with them on the same security measures that we do with you in this agreement. Reconcept remains responsible towards the sub-processors for compliance with the obligations under this agreement.
7. Data storage location
Reconcept hosts and processes the Personal Data within the European Economic Area (EEA). Reconcept uses European servers at Amazon in Frankfurt for this.
8. Duration of storage
The Personal Data in the Portfolio will be stored for a maximum of five (5) years after archiving the Portfolio and will then be automatically deleted. In the meantime, the Owner can also delete the data earlier by explicitly performing this action.
The Personal Data entered into the Portfolio remains the property of the Owner. This means that if the hospital where the Owner works terminates their agreement with Reconcept, the Owner will have the opportunity to keep their Personal Data (their Portfolio). The Owner can do this by exporting the Portfolio. Please note: this must take place before the termination of the agreement. Reconcept removes the Personal Data in the Portfolio after termination.
9. Rights of Data Subjects
Data Subjects are those persons to whom the Personal Data relate, for example the learners and supervisors. These Data Subjects have a number of rights based on the GDPR. Reconcept is obliged to uphold those rights. Where possible, Reconcept supports this or Data Subjects can exercise these rights themselves within the application. This includes the following rights:
- The Data Subjects may ask which of their Personal Data Reconcept processes and stores. We are then obliged to provide this information, within the framework of the law.
- The Data Subjects may request that the Personal Data that Reconcept has stored about them be corrected or supplemented.
10. Responsibilities of the Data Subjects
As a Data Subject for the processing of Personal Data, you must meet a number of requirements:
- You must comply with the legal requirements that apply to the processing of Personal Data. This means that you must check whether you are legally entitled to record certain Personal Data. This is not permitted for all Personal Data. For example, you may not store patient data or other sensitive Personal Data.
- You must check whether the Personal Data you want to record is sufficiently protected by the security measures. We have tailored our security policy to the type of data we have described in Article 3 of this privacy statement. If you want to record another type of data, we cannot guarantee that our security measures are sufficient for this.
- You must secure your account as much as possible. It is important, for example, that you choose a good password and pin code and that you change them regularly.
In case you do not meet these requirements and we are held liable by others for damage caused as a result, this indemnifies us against that liability. Reconcept is only liable for damage that can be attributed to Reconcept. In the event of damage related to the security of Personal Data, Reconcept is not liable if Reconcept can prove that we have taken sufficient technical and organizational security measures, as described in Article 4 of this privacy statement.
11. Disputes & Conflicts
In the event of a dispute, we will do our best to find a solution together with you. If that is not possible, we will submit the dispute to an appropriate court in The Netherlands or – if another court is more appropriate on the basis of the law – to this court.
Feel free to contact us with any questions: firstname.lastname@example.org
This privacy statement came into effect on April 1, 2019.