PRIVACY STATEMENT MIHAELA CALIN
I, Mihaela Calin (NIP registration number: 252381), established in Amsterdam and registered with the Chamber of Commerce under number 99599066, attach great importance to the protection of personal data.
This privacy statement explains how I handle information about an identified or identifiable natural person, as referred to in the General Data Protection Regulation (GDPR).
Legislation and Regulations
The law requires healthcare psychologists (gz-psychologists), clinical psychologists, and clinical neuropsychologists to create and maintain a file. In this file, I must record the data necessary to provide proper care and/or conduct careful research.
The law requires me and my colleagues to retain these files for twenty years.
Scope
This privacy statement applies to the following categories of natural persons whose personal data I process:
(potential) patients/clients;
visitors to my practice;
visitors to my website;
participants in meetings organized by and/or with me;
job applicants;
all other persons who contact me or whose personal data I process, with the exception of my employees.
Processing of Personal Data
I process personal data that:
have been provided by the data subject in person (during a consultation or meeting), by telephone, or digitally (via email or web forms on the website), such as contact details or other personal data.
are requested, with the consent of the data subject, from other healthcare providers or referrers.
are generated during a visit by the data subject to my website, such as the IP address, browsing behavior on the website (such as data about the first visit, previous visit and current visit, the pages viewed and the way in which the website is navigated) and which parts of the website the data subject clicks on.
are obtained through possible video recordings during sessions, only with consent and agreement and in accordance with the arrangements made.
are collected in the context of e-health applications in accordance with the agreements made and the consent provided.
Purposes of Processing
I process personal data for the following purposes:
the execution of a treatment agreement and the invoicing of services provided.
maintaining contact, by sending invitations to meetings and information that a data subject has requested.
improving the practice website.
keeping user statistics.
Legal Basis
I process personal data on the basis of one of the following legal grounds:
consent of the data subject.
This consent may be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
performance of – or with a view to concluding – a treatment agreement, including invoicing third parties such as health insurance companies.
a legal obligation, such as the obligation to maintain a medical file or to register the citizen service number (BSN).
a legitimate interest, such as the use of contact details to send invitations to a meeting.
Processors
For the processing of personal data, I may engage service providers (processors) who process personal data exclusively in accordance with my instructions. I conclude a processing agreement with these service providers that meets the requirements set by the General Data Protection Regulation (GDPR).
1. Use of Google Workspace
For the purposes of scheduling, professional communication, and secure record-keeping, I utilize Google Workspace Business Standard. To ensure the highest level of data protection for my clients, I have entered into the following legal agreements with Google:
Data Processing Addendum (CDPA): This incorporates the European Commission’s Standard Contractual Clauses (SCCs) to ensure GDPR-compliant data transfers and processing within the EU/EEA.
Business Associate Agreement (BAA): This is a specialized agreement that confirms Google’s commitment to securing sensitive health-related information and provides additional administrative safeguards.
2. Data Minimization and Security Measures
I have configured my Google Workspace environment specifically for clinical confidentiality:
Service Restriction: All "Additional Google Services" not covered by the BAA/CDPA (such as YouTube, Google Maps, or Google Photos) have been disabled for this account to prevent accidental data leaks to non-compliant services.
Encryption: Data is encrypted both at rest (within Google’s infrastructure) and in transit.
Access Control: Multi-factor authentication (MFA) is strictly enforced on all devices accessing clinical data.
3. Scheduling via Google Calendar
When you book a session through my website, your name and email address are processed directly by Google Calendar. This data is used solely for the purpose of managing your appointment and sending automated confirmations. No health-related "notes" are stored within the calendar invite itself to protect your privacy.
Sharing Personal Data with Third Parties
I share personal data with third parties only if this is necessary in the context of the treatment (for example, a referral) or to comply with a legal obligation.
I comply with my duty of confidentiality and therefore do not share personal data with third parties, and certainly not for commercial purposes, unless it concerns meetings that I organize together with another organization. In that case, only the necessary contact details will be shared.
Transfer Outside the EEA
In principle, I do not transfer personal data to (institutions in) countries outside the European Economic Area (EEA). If this should nevertheless be necessary, I ensure that the transfer only takes place if the European Commission has indicated that the country concerned provides an adequate level of protection or if appropriate safeguards are in place within the meaning of the General Data Protection Regulation (GDPR).
Retention of Data
I do not retain personal data longer than necessary.
In accordance with applicable laws and regulations, I apply the following retention periods in principle:
medical data: at least 20 years after the end of the treatment agreement.
(financial) administrative data: 7 years after the data has been recorded.
data of employees and self-employed contractors, other than (financial) administrative data: 5 years after termination of employment or after the end of the assignment agreement.
data of job applicants: 6 months after completion of the application procedure.
website visitors: 5 years after the last visit to the website, unless an objection is made earlier, in which case the data will be deleted.
Changes to the Privacy Statement
I may amend this privacy statement at any time. An up-to-date version of the privacy statement will be published on my website. It is advisable to consult this privacy statement regularly so that you are aware of any changes.
Rights, Questions and Complaints
You have the right to access your personal data, rectify it, delete it, transfer it, restrict its processing and to object to the processing. You may submit your request by sending me an email.
If you have any questions or complaints about the way I process personal data, you may also contact me by sending an email. I will attempt to resolve any complaint to your satisfaction. If this is not successful, you may contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): https://autoriteitpersoonsgegevens.nl/nl/.
The following laws apply:
Medical Treatment Contracts Act (WGBO: https://wetten.overheid.nl/BWBR0005290/2020-07-01/#Boek7_Titeldeel7_Afdeling5)
Healthcare Quality, Complaints and Disputes Act (Wkkgz: https://wetten.overheid.nl/BWBR0037173/2022-01-01)
General Data Protection Regulation (GDPR: https://wetten.overheid.nl/BWBR0040940/2021-07-01)
Website user statistics provide information about the number of visitors, the duration of visits, which parts of the website are viewed, and clicking behavior. These are generic reports that cannot be traced back to individual visitors.