Privacy Statement
Version: 6th of January 2025
Hikos B.V. (hereafter: “Hikos” or “we”) believes it is important to handle personal data with due care. Hikos processes personal data of its customers, Hikos doctors and other healthcare professionals (hereafter: “Hikos healthcare professionals”), and other data subjects, such as newsletter subscribers, website visitors, employees, suppliers, and business partners. Through this Privacy Statement, we inform you about how we handle your personal data.
This Privacy Statement has been drawn up in accordance with the applicable privacy requirements, including the General Data Protection Regulation (GDPR).
General
Hikos is responsible for processing your personal data as described in this Privacy Statement. Regarding the personal data processed about customers, Hikos acts as the controller for some of the processing activities, namely:
- Providing and promoting the website (www.hikos.nl) and our services.
- Verifying your identity.
- Scheduling an appointment with a Hikos healthcare professional.
- Sending a feedback form after your conversation with the Hikos healthcare professional.
- Handling your questions or any complaints.
- Measuring and improving our service.
- Financial handling, directly or via an affiliated insurer.
The Hikos healthcare professional with whom you schedule an appointment is responsible for the processing of your personal data for the following activities:
- Verifying your identity.
- Exchanging medical information between you and the Hikos healthcare professional for the purposes of the consultation, including your healthcare request.
- Conducting the consultation remotely (via audio or video call).
- Creating/maintaining a medical file for you. Under healthcare regulations, the Hikos healthcare professional is obliged to do so.
Hikos assists the healthcare professionals in carrying out the activities listed under 8–11 above. For this purpose, a data processing agreement has been concluded between Hikos and the healthcare professional concerned, in line with the requirements of the GDPR.
This Privacy Statement applies to all individuals whose personal data Hikos processes in the context of its services. This includes people who visit our website (website visitors), people who subsequently use our services (customers), Hikos healthcare professionals, and other business relationships of Hikos, such as our service providers and business partners (business relationships and collaboration partners).
Website visitors
Purposes:
- Providing the website
- Providing a contact option via the contact form
- General purposes (see below)
Personal data:
- Name
- Gender
- Email address
- Telephone number
- Subject and message content of the contact form
- Social media name/account
- Business data (organization, position, names of business contacts)
- Whether or not consent has been given
- Analytics data, including browsing behavior
- Type of device and unique device identifier (MAC address)
- IP address and browser type
- General geographic location (e.g., country- or city-level location)
- Other technical information concerning interaction between your device and our website, the web pages visited, clicked links, and log data
Customers
Purposes:
- Enabling the scheduling of appointments
- Facilitating communication between the customer and the Hikos healthcare professional
- Offering and processing a feedback form after the Hikos appointment
- Invoicing and financial handling
- General purposes (see below)
Personal data:
- Name, address, city (NAW-gegevens), date of birth, and BSN (citizen service number)
- Gender
- Email address
- Telephone number
- Any other information provided by the customer (for instance, via the contact form)
- Date and time of the Hikos appointment
- Healthcare provider/specialization for the Hikos appointment
- Payment details
- Analytics and feedback data
- For the benefit of the Hikos healthcare professional: information received from the customer for the consultation, such as any prior diagnoses and treatment plans, as well as a consultation report/conclusion from the Hikos doctor
- Data related to other chosen contact channels (email or phone)
- Content and metadata of messages/contacts with customers
- IP address
- Browsing behavior
Other contacts; communication and marketing
Purposes:
- Handling questions or complaints by email, telephone, and/or via social media
- Providing a newsletter
- Maintaining social media accounts
- Offering social media campaigns
- General purposes (see below)
Personal data:
- Whether or not consent has been given (e.g. for the newsletter)
- Email address
- Interaction with the newsletter
- Messages and responses from data subjects, for example via Hikos social media and by email
- Social media name/account and connection to Hikos social media
- Content and metadata of messages/contacts with data subjects
Hikos healthcare professionals
Purposes:
- Registration with Hikos and administration
- Fulfilling the duty of verification (vergewisplicht)
- Enabling the entry of availability and scheduling
- Making payments
- Maintaining contact
- General purposes (see below)
Personal data:
- Name, address, city (NAW-gegevens)
- Date of birth
- Specialization
- BIG number (possibly RGS- or RTG-number)
- AGB number
- BSN (citizen service number)
- Bank account number
- Email address
- Telephone number
- CV
- VOG (Certificate of Conduct)
- “Blacked-out” copy of ID/passport
- Answers to questions for the professional liability insurance
- Available hours per week
- Invoice number
- Administration number
- Transfer reference
- Amount paid out over one year
Business relations & collaboration partners
Purposes:
- Concluding and executing agreements
- (Financial) administration
- Initiating and maintaining contact with business relationships
- Receiving, executing, and verifying payments
- Receiving services
- General purposes (see below)
Personal data:
- Contact person: name, position, title, gender, contact details (email, telephone number, business address)
- All content and metadata of communication with business relationships
- Business data (organization, position, names of business partners)
- Financial data including payment details
- Administration data
- Other personal data necessary for receiving a service from a business relationship
All categories of data subjects: general purposes
- Measuring and improving the effectiveness of our website, services, and/or communication
- Establishing, exercising, or defending our rights
- Complying with legal obligations and professional regulations, and requests from competent government authorities
- Internally managing and hosting information
- Internal control and business operations
- Implementing security measures
Grounds
Hikos only processes your personal data when allowed to do so based on one of the legal grounds under the GDPR. We rely on the following legal grounds:
- Performance of a contract
- Consent
- Legitimate interest
- Legal obligation
Where and insofar as the processing of your personal data is necessary for the performance of a contract to which you are a party, we base this processing on this ground.
You have given (explicit) consent for our processing of your personal data. For example, we rely on your consent for possibly publishing your online feedback. Sending our newsletter is also based on your consent.
If you have given us permission to process your personal data, you always have the right to withdraw this consent. You can do so, for example, by contacting us at [email protected].
For children under 16 years of age, consent or authorization to consent is required from the person who holds parental authority over the child.
Certain processing of your personal data is based on our legitimate interests. For example, this applies to providing our website (on which we do not use privacy-sensitive cookies), handling any questions and complaints submitted to Hikos, managing our business relationships, and our internal management and security. Our interest lies in being able to offer our services responsibly, with the underlying principle that people can find their way in the healthcare landscape more easily and consult with a medical professional if desired. Hikos only relies on legitimate interest insofar as the potential impact on your privacy is minimal. In these situations, our legitimate interest prevails over your privacy interest. If you do not agree with this balancing of interests, you can object to this processing of your personal data at any time. For example, you can do this by contacting us at [email protected].
Finally, it may be that Hikos bases the processing of your personal data on a legal obligation, such as applicable minimum retention periods.
The Hikos healthcare professionals process your personal data in the context of the treatment agreement with you. They only share your data via an electronic patient file with other Hikos healthcare professionals based on your explicit consent. Lastly, they must also comply with certain legal obligations, such as the retention obligation for medical records.
Obtaining data
We automatically collect some information when you visit our website, for example, by using cookies. See also our Cookie Statement.
We obtain other information when you actively provide it to us, for example when you become our customer, fill out the contact form, or sign up for the newsletter.
Retention obligation
We do not store your personal data longer than necessary for the purposes for which it is processed, unless we are required by law to keep your personal data for a longer period:
- We will delete your personal data if you withdraw your consent or if you have opted out (for example, for the newsletter).
- We will store customers’ personal data in our system, on behalf of the Hikos healthcare professionals, for up to 20 years after the last appointment.
- We will delete personal data of Hikos healthcare professionals in our system at the latest 1 calendar year after the agreement with the Hikos healthcare professional has ended.
- We will delete personal data of business relationships in our system at the latest 1 calendar year after the end of the business relationship.
- Regarding the storage periods for cookies, please refer to our Cookie Statement on our website.
Access
We may share your personal data with the following parties on a need-to-know basis:
- Authorized persons working for Hikos who are involved in the relevant processing activity (our employees).
- Authorized persons working for service providers/subcontractors engaged by Hikos who are involved in the relevant processing activity (e.g., our service providers).
- Authorized persons working for a party that is also involved in processing your personal data (e.g., the healthcare professionals).
- Competent governmental authorities (e.g., courts). This situation will only occur under exceptional circumstances.
We only share your personal data with others if:
- This is necessary, and only insofar as it is necessary, within the context of our services and for pursuing the aforementioned processing purposes. For example, service providers engaged by us generally only have access to the personal data they need for the part of the service in which they are involved.
- The persons within such third parties who have access to your personal data are obliged to keep those personal data confidential. Where necessary, this is also contractually agreed.
- This third party is obliged to comply with the applicable regulations on personal data protection, for example because we have concluded a data processing agreement with the party or because our General Terms and Conditions apply. Among other things, this means that the party is required to implement appropriate technical and organizational security measures.
Transfer
Parties involved in processing your personal data may be based in another country. Or they may otherwise process your personal data from another country, for example because their servers are located there. Where the country in question is located outside the European Economic Area (EEA), this transfer must be legitimized. This may be legitimized primarily on the basis of an adequacy decision by the European Commission, which has determined that the relevant (part of the) third country provides an adequate level of data protection. See this link for an overview of existing adequacy decisions.
If your personal data is transferred to a country outside the EEA for which there is no adequacy decision, we or our service providers will agree on a model contract (Standard Contractual Clauses) with the relevant party. This is a standard contract approved by the European Commission to ensure the protection of your personal data, and the annexes are completed by the parties. See this link for the various model contracts.
You can contact us for more information on how we legitimize transfers of your personal data to countries outside the EEA. Our contact details can be found at the end of this Privacy Statement.
Protection
We have taken appropriate technical and organizational security measures to protect your personal data against loss or unlawful use. For this reason, Hikos is ISO27001 and NEN7510 certified. All individuals and parties we engage to process your personal data are also obliged to respect the confidentiality of the personal data.
Your rights
Under the GDPR, you have various privacy rights. The extent to which you can exercise these rights may depend on the circumstances of the processing, such as how Hikos processes the personal data and the legal basis for doing so. If a specific Privacy Statement applies, it may specify this in more detail. In other cases, you will be notified separately, for example when you contact us regarding this or in response to a request to exercise a privacy right.
Below is an overview of your privacy rights under the GDPR. For more information, please see the website of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)—the supervisory authority for privacy in the Netherlands.
- Withdraw consent
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
If Hikos has asked for and obtained your (explicit) consent for certain processing of your personal data, you may withdraw this consent at any time. Withdrawing your consent does not affect the lawfulness of the processing before you withdrew your consent. As a result of withdrawing your consent, Hikos will no longer process these personal data for the purpose for which you gave consent. However, it may be that Hikos continues to process the personal data for another purpose, such as performing a contract with you or complying with a minimum retention period. If that is the case, you will be informed about it.
You have the right to obtain access to the way we process your personal data. In the first place, you have the right to a copy of the personal data, although in principle not to a copy of the documents in which these personal data are recorded. Secondly, you have the right to further information about the way we process your personal data, for example the purposes for which we process your personal data, how we obtain them, and with whom we share them.
You have the right, under certain circumstances, to have Hikos correct or supplement the personal data we process about you. You have this right when:
- The personal data processed about you are factually incorrect;
- The personal data are incomplete or not relevant for the purpose for which they were collected;
- Or they are being used in another manner that conflicts with an applicable law.
The right to rectification does not apply to correcting professional impressions, opinions, and conclusions you disagree with. However, Hikos may consider adding your opinion about it to the personal data.
Under certain circumstances, you have the right to have us erase personal data we process about you. You may have this right in the following cases:
- Consent withdrawn. We processed the personal data based on your (explicit) consent, but you have withdrawn that consent.
- Successful objection. You have successfully objected to the processing of these personal data by Hikos (see below about the right to object).
- Data no longer needed. Hikos no longer needs your personal data for the purposes for which Hikos processed them.
- Unlawful processing. Hikos processes your personal data unlawfully, for example because Hikos no longer has a valid legal ground for processing.
- Mandatory erasure. The personal data must be erased by Hikos to comply with a legal obligation.
- Children. The person whose data is involved is under 16, and the personal data were collected via our website.
The right to restriction of processing means that Hikos, at your request, continues to store personal data about you but in principle may not do anything else with it. You have this right when Hikos has no (further) legal basis for the processing of your personal data or if this is in dispute. More specifically:
- Unlawful processing. Hikos may not (or may no longer) process certain personal data about you, but you do not want Hikos to erase the data. For example, because you may wish to request them later.
- Data no longer needed. Hikos no longer needs your personal data for the purpose for which Hikos processed them, but you still need the personal data for a legal claim. For example, in the context of a dispute.
- Pending objection. You have filed an objection against the processing of personal data about you by Hikos (see below for the right to object). While we assess your objection, we may not further process these personal data at your request.
- Questioning accuracy of personal data. You dispute the accuracy of certain personal data we process about you (for example via your right to rectification; see above). While we assess the dispute, we may not further process the personal data at your request.
The right to data portability means that Hikos must, under certain circumstances, provide personal data about you in a format that allows you to work with it (“in a structured, commonly used, and machine-readable format”). You can indicate whether you want to receive these personal data yourself or whether you prefer Hikos to transfer these personal data directly to another party you designate.
You can object to Hikos processing personal data about you. Under certain circumstances, Hikos must honor this objection. Hikos will then no longer process these personal data for the purpose you objected to. However, it may be that Hikos continues to process the personal data for another purpose, such as performing a contract with you or complying with a minimum retention period. If that is the case, you will be informed accordingly.
When we process your personal data for direct marketing purposes, we will always honor an objection request. For example, think of unsubscribing from newsletters or other direct marketing communications.
After you submit a request to us indicating you wish to exercise a privacy right, you will first receive an acknowledgment of receipt. Next, we may ask for additional information, for example, to verify your identity. Alternatively, we may respond directly to your request. We will then let you know whether we will comply with your request or not and—if not—why not.
We handle all privacy requests without undue delay and, in principle, within one month of receipt. However, it may be that we need more time, for example due to the complexity and number of requests we receive. In that case, we will inform you that we need up to an additional two months. We will notify you of this as soon as possible, and at the latest within one month of receiving your request, and will then respond to your request within a maximum of three months.
Cookies
Hikos uses cookies on its website. A cookie is a small text file that is stored by a web browser on your computer. You can block or modify the use of cookies by adjusting your web browser settings. This may affect the functioning of the website. For more information, see our Cookie Statement.
Google Analytics
Hikos uses Google Analytics. Hikos has followed the privacy-friendly configuration instructions for Google Analytics from the Dutch Data Protection Authority in order to set up Google Analytics in a privacy-friendly way, complying with the GDPR. Hikos has concluded a data processing agreement with Google. In addition, the last octet of the IP address is masked. In the Google Analytics settings, “data sharing” is disabled.
Third-party websites
Our website may contain hyperlinks to websites of other parties. We are not responsible for the content of those websites or their services. Nor is Hikos responsible for the privacy policy and use of cookies on those websites.
Contact
If you have any questions, comments, or complaints about the way we handle your personal data, you can contact us via [email protected] or by calling +31 (0)20-2117206. You can also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). However, we would appreciate the opportunity to seek a solution to your complaint first.
Changes
This Privacy Statement may be amended. We recommend that you consult this Privacy Statement periodically. Where appropriate, you will be actively informed of any material changes.