Privacy Policy - Hikos

Privacy Statement

Version: 9 August 2021

Hikos BV (Hikos or we) considers it important that personal data is handled with care. Hikos processes personal data of its customers, Hikos doctors and other healthcare professionals (Hikos healthcare professionals) and other people involved, such as newsletter subscribers, website visitors and suppliers.  In this privacy statement we describe how we handle your personal data. This privacy statement has been drawn up in accordance with applicable privacy requirements, including the General Data Protection Regulation (GDPR).

General

Hikos is responsible for the processing of your personal data for the following activities:

  1. Providing the website and drawing attention to the website (www.hikos.nl) and our services.
  2. Scheduling an appointment with a Hikos healthcare professional.
  3. Sending a questionnaire before your appointment with the Hikos healthcare professional.
  4. Sending a thank you email and survey after your appointment with the Hikos healthcare professional.
  5. Handling your questions or complaints.

The Hikos healthcare professional with whom you schedule an appointment is responsible for the processing of your personal data for the following activities:

  6. Processing the questionnaire that you completed in preparation for the appointment.
  7. Conducting the appointment with you remotely (via audio or video calling).
  8. Creating and maintaining a medical file for you. This is mandatory for Hikos healthcare professionals due to healthcare regulations.

Hikos assists healthcare professionals in carrying out the activities mentioned under point 6 and 8 above. To facilitate this, Hikos has processing agreements with the healthcare professionals involved, in line with the requirements of the GDPR.

This Privacy Statement applies to all persons for whom Hikos processes personal data in the context of providing services. For example, people who visit our website (website visitors), people who subsequently use our services (customers), the medical specialists involved in providing our services (Hikos healthcare professionals) and other Hikos business relations such as our service providers (business relations).

Website visitors

  • Provisioning of the website
  • Offering contact options via contact form
  • Improving the website and/or service
  • Drawing attention to the website/service
  • Internal management of information
  • Internal auditing and operations
  • Applying security measures
  • Offering a newsletter
  • Providing social media campaigns
  • Research, analysis and statistics
  • Establishing, exercising or defending our rights
  • Complying with legal obligations, professional regulations and requests from competent governmental authorities

The personal data items that we process from website visitors are:

  • Name
  • Gender
  • Email address
  • Phone Number
  • Subject and content of message sent in contact form, including IP address
  • Social media name / account
  • Business information (organization, position, contact names)
  • Consent (yes/no)
  • Analysis data including surfing behavior
  • Device type and unique device identification number (MAC address)
  • Browser type
  • Global geographic location (e.g., location at country or city level)
  • Other technical information, such as data regarding the interaction between your device and our website, the web pages visited, the links clicked and log data

Customers

  • Providing information about the Hikos service via hikos.nl
  • Facilitating the scheduling of appointments
  • Facilitating paying for the appointment
  • Sending appointment confirmation, and if necessary, a questionnaire
  • Facilitating the return of the questionnaire, if applicable
  • Facilitating the technology for making a remote appointment
  • Sending a thank you email after the Hikos appointment
  • Internal management of information
  • Internal auditing and operations
  • Applying security measures
  • Facilitating submission of questions or complaints by e-mail and by telephone
  • Handling questions or complaints
  • Offering a newsletter
  • Providing social media campaigns
  • Research, analysis and statistics
  • Establishing, exercising or defending our rights
  • Complying with legal obligations, professional regulations and requests from competent governmental authorities

The personal data we collect from our customers includes:

  • IP address
  • Surfing behavior
  • Name
  • Gender
  • Email address
  • Phone Number
  • Date and time of Hikos appointment
  • Healthcare provider for Hikos appointment
  • Payment Information
  • Experience and satisfaction with Hikos / service
  • Analysis data
  • Social media name / account
  • Business information (organization, position, contact names)
  • Consent (yes/no)
  • Contact form details (name, gender, email address, telephone number)
  • Data from other contact channels (e-mail or telephone)
  • Content and metadata of the message / contact

Hikos healthcare professionals

  • Registering with Hikos
  • Complying with the obligation to verify (including verifying doctor’s registration number (BIG), certificate of good conduct (VOG), passport, and checking social account as far as publicly accessible)
  • Facilitating the option to specify availability
  • Facilitating payment
  • Maintaining contact
  • Internal management of information
  • Internal auditing and operations
  • Applying security measures
  • Establishing, exercising or defending our rights
  • Complying with legal obligations, professional regulations and requests from competent governmental authorities

The personal data that we process from Hikos doctors and other healthcare professionals include:

  • Name and address
  • Date of birth
  • Specialty
  • Dutch Healthcare Worker Registration number (BIG), and if applicable, medical specialist registration number (RGT and/or RGS)
  • Bank Account Number
  • Email address
  • Phone Number
  • CV
  • VOG (certificate of good conduct)
  • “Black-lined” copy of passport
  • Available hours per week
  • Invoice number
  • Administration identification number
  • Description used for bank transfers

Business relations

  • Performing administration
  • Seeking and maintaining contact with business relations
  • Making and checking payments
  • Receiving services
  • Internal management of information
  • Internal auditing and operations
  • Applying security measures
  • Establishing, exercising or defending our rights
  • Complying with legal obligations, professional regulations and requests from competent governmental authorities

The personal data we collect and process from business relations are:

  • Contact person: name, position, title, gender, contact details (e-mail, phone number, work address)
  • All content and metadata of communications with business relation
  • Business information (organization, position, contact name)
  • Financial data including payment data
  • Administration data
  • Other personal data necessary for procuring a service from the business relation

Grounds

Hikos processes your personal data only when permitted on the basis of one of the principles of the GDPR. We rely on the following principles:

  • Implementation of the agreement
  • Consent
  • Legitimate interest
  • Legal obligation

We base our data processing on the principle of implementation of the agreement when the processing of your personal data is necessary for the performance of an agreement to which you are a party.

You have (expressly) given consent for us to process your personal data. We rely on this principle of consent, for example, for the processing of your personal data for scheduling your appointment with a Hikos healthcare professional, sending the questionnaire for your appointment with the Hikos healthcare professional, for sending our email and survey after your appointment, and for dealing with your questions and complaints. Sending you our newsletter is also based on this principle of consent.

If you have given us your consent to process your personal data, you always have the right to withdraw this consent. You can do this by contacting us at [email protected].

For children under 16 years of age, consent or authorization of consent is required from the person who has parental responsibility for the child.

We base certain processing operations of your personal data on the principle of our legitimate interest. This applies for example for provision of our website (for which we do not use any privacy-sensitive cookies) and our internal operations and security. Our interest lies in being able to offer our services in a responsible manner, with the underlying idea being to help people better navigate their way through the healthcare landscape and to allow them to spar with a medical professional when desired. Hikos relies on this principle of legitimate interest only insofar as this processing does not concern special personal data, and insofar as the potential privacy impact is minimal. In these situations, our legitimate interest prevails relative to your privacy interest. If you do not agree with this balance of interests, you can object to this processing of your personal data at any time. You can do this, for example, by contacting us at [email protected].

Finally, it may be that Hikos bases the processing of your personal data on a legal obligation, such as applicable minimum retention periods.

The Hikos healthcare professionals process your personal data in the context of the treatment agreement with you. They only share your data via your electronic patient file with other Hikos healthcare professionals based on your explicit consent. Finally, they must also comply with certain legal obligations, such as the obligation to retain medical records.

Obtain data

We obtain some information automatically when you visit our website. We collect this information, for example, by means of cookies. See our Cookie Statement for more details.

We obtain other information when you actively provide it to us. For example, when you become our customer, fill in the contact form, or when you sign up for the newsletter.

Retention obligation

We do not store your personal data longer than is necessary to fulfill the purposes for which it is kept and processed. Unless we have to keep your personal data longer due to legal obligations, the following applies:

  • We will delete your personal data if you withdraw your consent or if you choose to opt out.
  • We will delete a patient’s data from our system no later than 1 calendar year after their last appointment.
  • We will delete personal data about a Hikos healthcare professional from our system, no later than 1 calendar year after the termination of the agreement with that Hikos healthcare professional.
  • We will delete personal data about a business relation in our system, no later than 1 calendar year after termination of that business relationship.
  • For the storage periods of cookies, we refer you to the Cookie Statement on our website.

Access

We may share your personal data on a need-to-know basis with the parties below:

  • Our employees. Authorized persons who work for Hikos, who are involved in the relevant processing activity.
  • Our service providers. Authorized persons who work for service providers and/or subcontractors engaged by Hikos, who are involved in the relevant processing activity.
  • Healthcare professionals, among others.  Authorized persons who work for a party that is also involved in the processing of your personal data.
  • Competent government authorities. For example, the courts. This situation will arise only under exceptional circumstances.

 

We only share your personal data with others (third parties) in these cases:

  • If and insofar as is necessary to provide our services and to pursue aforementioned processing purposes. As such, our service providers have, in principle, only access to the personal data they need for the part of the service they are providing.
  • The persons within this third party who have access to your personal data are obliged to treat the personal data confidentially. Where necessary, this is also set forth in a contract.
  • The third party is obliged to comply with the applicable regulations in the area of personal data protection.  To this end, we may have a data processing contract with the third party, or our General Terms and Conditions may apply. The third party is required to take appropriate technical and organizational security measures to protect your data.

Transfer

Parties involved in the processing of your personal data may be located in another country. Or they otherwise process your personal data from another country, for example, because their servers are there. When the relevant country is located outside the European Economic Area (EEA), this transfer must be authorized. This can be justified on the basis of an adequacy decision of the European Commission, where it has been established that the relevant (party within the) third country offers an adequate level of data protection. See this link for an overview of the applicable adequacy decisions.

If your personal data is transferred to a country outside the EEA that is not subject to an adequacy decision, we or our service providers will agree an applicable Standard Contractual Clause with the relevant party. This is a measure to ensure the protection of your personal data, approved by the European Commission, the appendices of which are completed by the parties. See this link for the various model contractual clauses.

You can contact us for additional information about how we legitimize transfers of your personal data to countries outside the EEA. Our contact details are shown at the bottom of this Privacy Statement.

Protection

We have taken appropriate technical and organizational security measures (and / or have arranged for such) to protect your personal data against loss or unlawful use. All persons and parties that we engage to process your personal data, are obliged to respect the confidentiality of the personal data. We have also taken the following measures, among others.

 Technical measures that we and / or our service providers take:

  • Logical and physical (access) security and protection of equipment (for example, not just safes and access control, but also firewalls).
  • Technical management of the (as limited as possible) authorizations, and maintenance of log files.
  • Management of technical vulnerabilities (patch management).
  • Keeping software, such as browsers, virus scanners and operating systems up to date.
  • Making of backups that allow, if necessary, timely recovery and access of your personal data.
  • Automatic deletion of obsolete data.
  • Encryption of data.

Organizational measures we have taken are:

  • Assignment of responsibilities for information security.
  • Promotion of security awareness among Hikos physicians and healthcare professionals.
  • Testing of applied security measures.
  • Auditing of log files.
  • Maintaining a protocol for handling data breaches and security incidents.
  • Concluding confidentiality and data processing agreements.
  • Assessing whether the same goals can be achieved with less personal data.
  • Allowing access for as few people as possible within the organization to personal data.

Your rights

You have various privacy rights based on the General Data Protection Regulation (GDPR). The extent to which you can exercise these rights may depend on the circumstances of the information processing, such as how Hikos processes the personal data and the legal basis for this processing. If a specific Privacy Statement applies, this may be further specified therein. In other cases, we will inform you separately, for example, when we respond to your request for information about your privacy rights or your request to exercise a specific privacy right.

Below we have included an overview of your privacy rights under the GDPR. For more information, see this web page of the Dutch Data Protection Authority, the privacy regulator in the Netherlands.

  • Withdraw consent
  • Right of inspection
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

If Hikos has requested and received your (explicit) consent for certain processing of your personal data, you can withdraw that consent at any time. Withdrawing your consent does not affect the legitimacy of any processing done before you withdrew your consent. The consequence of withdrawing your consent is that Hikos will no longer process this personal data for the purpose for which you gave your consent. It may well be that Hikos continues to process the personal data for another purpose, such as for the execution of an agreement with you or to comply with a minimum retention period. If this is the case, we will inform you.

You have the right to inspect how we process your personal data. First and foremost, you are entitled to a copy of your personal data, although in principle this does not include a copy of the enclosing documents in which this personal data is included. Secondly, you have the right to additional information about how we process your personal data. For example, the purposes for which we process your personal data, how we obtain it, and with whom we share it.

The right to rectification means that you are entitled, under certain circumstances, to provide Hikos with changes or supplemental information about your personal data. You have this right when we process personal data about you that is:

  • factually incorrect,
  • incomplete or irrelevant to the purpose for which it was collected, or
  • otherwise used in violation of an applicable law.

The right of rectification is not intended to correct professional impressions, opinions and conclusions with which you do not agree.  Hikos can, in that case, consider adding your perspective to the personal data.

Under certain circumstances you have the right to have us erase the personal data we process about you. You can exercise this right in the following cases:

  • Withdrawn consent. We processed the personal data on the basis of your (explicit) consent, but you have withdrawn this consent.
  • Successful objection. You have successfully objected to the processing of this personal data by Hikos (see below about the right to object).
  • Data no longer needed. Hikos no longer needs your personal data for the purposes for which the data was acquired and processed.
  • Unlawful processing. Hikos unlawfully processes your personal data, for example because Hikos no longer has a valid legal basis for this processing.
  • Mandatory erasure. The personal data must be deleted by Hikos to comply with a legal obligation.
  • Children. The data was collected via our website from a child under the age of 16.

The right to restriction of processing implies that, at your request, Hikos may continue to store your personal data, but in principle, not do anything with it. In short, you have this right when Hikos no longer has a legal basis for the processing of your personal data or if this legal basis is under discussion. More precisely, this right applies in the following situations:

  • The processing is unlawful. Hikos may not have (or no longer has) the right to process certain personal data about you, but you do not want Hikos to erase the data. For example, because you want to request this data at a later moment.
  • Personal data is no longer required. Hikos no longer needs personal data about you for the purpose for which Hikos originally required it, but you still need the personal data for a legal claim. For example, in the context of a dispute.
  • Pending objection. You have filed an objection to the processing by Hikos of your personal data (see below about the right to object). While we are assessing your objection, we are not allowed to further process this personal data if you have requested such suspension of processing.
  • Dispute accuracy of personal data. You dispute the accuracy of certain personal data that we process about you (for example, through your right to rectification; see above). While we are assessing your dispute, we are not allowed to further process this personal data if you have requested such suspension of processing.

The right to data portability implies that Hikos must, in certain circumstances, provide personal data about you in a usable form (“a structured, commonly used and machine-readable format”). You can indicate whether you would like to receive this personal data yourself, or whether you prefer that Hikos pass this personal data directly on to another party that you designate for this purpose.

You can object to Hikos processing your personal data. Under certain circumstances Hikos must comply with this objection. In these circumstances, Hikos will then no longer process this personal data for the purpose to which you have objected. It may well be that Hikos continues to process the personal data for another purpose, such as for the execution of an agreement with you or to comply with a minimum retention period. If this is the case, we will inform you.

When we process your personal data for direct marketing purposes, we will always comply with your filed objection. For example, unsubscribing from newsletters or other direct marketing communications.

After you have submitted a request to us in which you indicate that you wish to exercise a privacy right, you will first receive a confirmation of receipt from us. We may then ask for additional information, for example, to verify your identity. Or we may immediately respond substantively to your request. We will then indicate whether or not we will comply with your request, and if not, why not.

We deal with all privacy requests without delay and in principle no later than one month after receipt. However, we may need longer, for example due to the complexity and the number of requests we receive. If that is the case, we will inform you that we need extra time (up to a maximum of 2 additional months). We will inform you about this delay as soon as possible and no later than one month after receipt of your request and will then respond substantively within three months after receipt of your request.

Cookies

Hikos uses cookies on its website. A cookie is a small text file that is stored on your computer by a web browser. You can block or adjust the use of cookies by adjusting the settings in your web browser. However, this can affect the functioning of the website. For more information, see our Cookie Statement.

Google Analytics

Hikos uses Google Analytics. Hikos has followed the Dutch Data Protection Authority's manual on the privacy-friendly setup of Google Analytics in order to set up Google Analytics in a privacy-friendly manner and thus comply with the General Data Protection Regulation. Hikos has concluded a processor agreement with Google. In addition, the last octet of the IP address is masked. In the settings of Google Analytics, ‘data sharing’ has been turned off.

Third-party websites

Our website may contain hyperlinks to websites of other parties. We are not responsible for the content of those websites or their services. Nor is Hikos responsible for the privacy policy and the use of cookies on those websites.

Contact

If you have any questions, comments or a complaint about the way we handle your personal data, you can contact us at [email protected] or 020 -2117206. You can also submit a complaint to the Dutch Data Protection Authority. We suggest, and would very much appreciate it, if you first give us the opportunity to find a solution to your complaint.

Changes

This privacy statement can be changed. We recommend that you consult this privacy statement from time to time. You will be actively informed about material changes where appropriate.