Privacystatement Gimd (English)

Gimd only collects the personal information about you that is truly necessary to best serve you as a client or customer. The collection of this personal data is purely for the performance of services. No data is therefore collected for other purposes. Gimd requests certain personal data, to be collected at a subsequent point, only at the time when it is really necessary for the performance of its duties.

Gimd makes every effort to keep your personal data as secure as possible. To this end, we actively maintain a system of coherent information security measures. The ISO 27001 standard for information security is guiding this process. There is a continuous improvement process: to respond appropriately to current risks, to technical opportunities and to meet legal obligations. Our personal data is stored in highly secure data centres in the Netherlands. If you would like to know more about the security measures Gimd takes, contact [email protected].

Through the registration with Gimd by yourself, your employer or a healthcare referrer, Gimd receives administrative contact details. From the first substantive contact or from the point of registration, a file is created that meets professional guidelines. Gimd believes it is important that you have insight and control over the data recorded about you. If you would like to view your data or change it, please notify your contact.

If you believe Gimd has or retains information about you that it should not have, or if you want to revoke consent that you have previously given, you can always discuss this with your contact. If you don’t have a contact, please send a request to [email protected] .

Personal data is information that says something about you, or that can be associated with you. These are data that say something about you as a person. Examples of personal data include your name, your address and your contact information such as email address and phone number. Your citizen service number (BSN), date of birth and the IP address of your computer also constitute personal data. Data that says something about your personality, such as your interests, also constitute personal data.

In addition, the law has a category called special personal data. These are data about you that are particularly confidential. Examples of special personal data include information about your health, race, sexual orientation, religious beliefs and political affiliations.

Processing is a term from the European Privacy Act (GDPR). Processing includes virtually everything that can be done with personal data, from collection to consultation and destruction. Article 4 of the General Data Protection Regulation (GDPR) describes processing as “collecting, recording, organising, structuring, storing, updating or modifying, retrieving, consulting, using, transmitting, disseminating or otherwise making available, aligning (bringing together) or combining, blocking, erasing and destroying data.”

This includes, for example:

• Corporate Social Work and Coaching
• Confidential advisor and guidance under the Dutch Healthcare Quality, Complaints and Disputes Act (WkkGZ)
• Mediation
• Training sessions
• Trauma care
• Duurzaam@Work

The goal of these tasks is to prevent breakdown, provide tools to take control (again) and create a healthy work environment. Gimd performs these tasks on behalf of the parties with whom Gimd has an agreement: the client and the employer.

The external complaints committee is used in cases of transgressive behavior in the workplace. Under the Dutch Occupational Health and Safety Act (Art. 3), employers are required to provide a safe working environment for employees and to protect employees as far as possible from undesirable and transgressive behavior. The complaints committee consists of a chair and two members, one member with legal expertise and two members with expertise in the areas of sexual harassment and Psychosocial Workload. The committee is supported by a secretary.

The complaints committeeapplies its own complaints procedure.

Those involved (complainant, defendant, any witnesses) sign a confidentiality agreement in which they agree to treat confidentially and carefully anything that comes to their knowledge in relation to the complaint.

There are sometimes signs that you are in danger of losing balance. Then too, Gimd is there for you, to guide and coach you in response to a request for help. Together, we can prevent you from breaking down. Gimd does this based on the agreement it has made with you as a client and your employer.

Gimd uses telephony and video calling when circumstances prevent an in-person appointment. For example, customer appointments and consultations can be held via video calls.  Gimd uses carefully selected IT facilities for this purpose, namely ZOOM and Microsoft Teams. Contractual arrangements are made with these regarding privacy protection and information security. Where necessary, additional measures are taken in terms of the transmission and storage of personal data and security.

Gimd supports employers in performing various administrative tasks. These tasks include:

• Breaking down invoices by department, cost centre, among others, according to customer requirements.

Gimd performs this work on behalf of the employer, with whom Gimd has a customer agreement.

Gimd offers (group) training sessions to employees and managers in order to teach them to work more pleasantly and efficiently. Gimd conducts these training sessions on behalf of the party with whom Gimd has an agreement: the client and the client’s employer.

• In order to improve the quality of Gimd’s work, Gimd professionals regularly share their knowledge and practices with fellow professionals. In doing so, cases and files are occasionally discussed. This is done only with data that cannot be traced back to individuals.
• Furthermore, Gimd may order random file reviews by area managers to improve the quality of the files. Your file is only eligible for file review if you explicitly consent to this. If you do not give permission, this will be noted so that it can also be guaranteed in the future that your file will not be used for file review.
• Furthermore, records are also used for the purpose of quality control as part of internal and external audits. Your file is only eligible for this if you give explicit permission.
• Finally, Gimd builds up reports for internal analysis and service improvement. These reports do not contain data that can be traced back to you as a client or referrer. As a result, the GDPR medical confidentiality no longer applies: after all, the reports no longer contain personal data.

Quality reviews are conducted on the basis of “legitimate interest,” and where appropriate “explicit consent”. Gimd conducts quality reviews to fulfill its duty of care and to keep the quality of services offered high.

Asking you if you are satisfied with Gimd as a client, customer or referrer 

Gimd wants to continue to develop and improve itself. This is why Gimd regularly conducts client and customer satisfaction surveys. Your e-mail address may be used to send you an invitation to complete a satisfaction survey. You are not required to participate in this research.

Maintaining a good relationship with the client 

Are you the contact for the agreement with Gimd on behalf of the employer? If so, Gimd will record your personal data in the CRM system. This enables Gimd to maintain a good relationship with you. This involves the following, for example:

• Recording contracts, contract reviews, appointments made and dates of follow-up visits.
• Recording the wants and needs of your organisation.
• Sending targeted offers for additional services to your organisation.
• Sending newsletters.

Handling any complaints 

You may be dissatisfied with something that takes place as part of Gimd’s operations. If so, you can file a complaint. In handling your complaint, Gimd will use – to the extent necessary – your personal information to address that complaint. This is also the case if there are any suspicions of a data breach that may involve your personal data.

Gimd generates reports for internal analysis to evaluate service delivery and for the purpose of Gimd’s management (financial and otherwise). The generation of reports for internal analysis to evaluate our services and for the purpose of Gimd’s (financial) management is carried out on the basis of legitimate interest.

Gimd collects the following basic data from clients:

• Name
• Residential address
• Telephone number
• E-mail address
• Date of birth
• Gender
• Details of the organisation where you work:
  • Employer name
  • Contact and/or supervisor
  • Personnel number
  • Position
  • Number of hours
  • Location
  • Department
  • Cost centre

In addition, Gimd creates a unique client code (case number). This client code is used in correspondence to prevent cases of mistaken identity and to ensure that the right people receive the right information.

From employers, Gimd processes the following personal data:

• The (digital) invoicing address
• Names of contacts within the organisation
• Data required by the customer such as order number, cost centre, employee number, etc.

Finally, Gimd also processes personal data from healthcare referrers:

• Name of the healthcare referrer
• E-mail address
• Telephone number

When you use the services offered by Gimd, Gimd stores data about your health. This data can concern both your physical and mental health. Gimd collects this information in order to provide you and your employer the best advice, to get you and your employer to take appropriate actions, and to build up a file that meets the requirements of laws/directives/agencies. This service begins as soon as a file is created.

Examples of health data that Gimd processes include:

• Any absenteeism and, if so, for how long
• Any cases of imbalance
• Any cases of work restriction

Gimd has a strict authorisation model when it comes to accessing personal data. This means that this data can only be viewed by Gimd employees who need it to perform their duties. Gimd does not use medical records. However, Gimd does use health data.

If you visit a Gimd location, it is possible that your presence may be recorded by camera footage. Only a limited number of people authorised to do so may view these images, and only if there is a specific reason to do so: for example, because an incident has occurred or to verify the accuracy of a complaint. Camera images can only be viewed at the location where they were recorded, and not outside.

Not every Gimd location has cameras. When camera recording is used, you will be informed of this at the location.

Gimd stores data about you when you use Gimd’s website. For example, your IP address, data about your visit to the website and the device used to visit the website. More information can be found in the cookie statement at the bottom of this page.

The employer may sign you up using an assignment form. The employer provides their own and your contact information, and orders counselling. Your employer will not be asked to provide health information. The employer reports you to Gimd only after consulting with you and with your consent.

A referrer, such as a company doctor or your employer’s absence insurance company, can sign you up with Gimd. The referrer provides your employer and contact information to Gimd. In addition, the referrer may provide health information, such as the date the absence began, your symptoms that they have recorded and the expected care needed. The referrer is not required to fill out this information when they sign you up. Before registering you, the referrer first needs your permission.

Gimd’s activities may involve several parties. They include other practitioners with whom Gimd collaborates in providing services and outside parties who need to be informed due to legal obligations. These parties only see your personal data when they need to do so to perform their job and when permitted by law. Zorg van de Zaak never shares medical information with other parties without your consent, unless it is based on a legal obligation or court order.

Counsellor/coaches are trained professionals who work at Gimd as part of your counselling. Sometimes, Gimd hires an outside professional, who then works temporarily on behalf of Gimd. Gimd makes proper arrangements with this counsellor/coach so that they adhere to professional guidelines and legislation to the same extent as the professionals employed by Gimd.

Gimd believes it is important that your employer be closely involved in counselling. Your employer may receive the following personal information about you during the process:

• Quotes.
• The goal and advice plan.
• The interim review.
• The final report.
• The invoice.

The documents your employer receives only contain information necessary for the process. There is never any medical information in the documents that go to your employer. However, certain documents may contain health data.  The (interim) reports are only shared with your employer if you have given your explicit consent. Consent is not requested for sending quotes and invoices, as this is essential for the reimbursement of the costs of treatment.

When counselling is provided by a confidential counsellor, no personal information is shared with the client this is to ensure the confidentiality of the counselling. If the practitioner wants to provide information to your employer based on such a service, this will only be done if you have given explicit consent.

If you want to know what your employer does with the personal data it receives about you from Gimd, check with your employer or in its privacy notice.

Your company doctor may have referred you to Gimd. During and at the end of the course at Gimd, it may be important to share information about your counselling with this doctor. This only involves process information. If there is suspicion of a work-related illness, Gimd can also point this out to the doctor so that they can file a work-related illness report with the Netherlands Center for Occupational Diseases (NCB).

Gimd always asks for your consent before sharing medical or health information with your company doctor.

An external practitioner 

Gimd may not be able to perform the complete treatment. When Gimd refers you to an external practitioner for intervention or because of the medical expertise needed for treatment (e.g. psychologist, mediator, employment specialist, debt counselling), Gimd provides this practitioner with information about you that they need. This is only done with your explicit consent. Personal data is only provided to practitioners who are authorised to process such data.

If you would like to know what data we share with an external practitioner, read KNMG’s Data Traffic Code.

Government bodies 

Gimd provides health information to government bodies when necessary for their legal duties, or when there is a vital interest (for you or someone else).

• If the law is broken or there is suspicion thereof, Gimd may choose to notify government parties. If (possible) fraud has been committed, this can be reported to the police. If there is a suspicion that children are negatively involved in certain situations, Gimd may notify a confidential doctor or body.

Gimd provides health information to government bodies when necessary for their legal duties.

The absenteeism insurer 

The absenteeism insurer receives personal data only if you give explicit consent. This concerns health information related to your employability and reintegration, which is sent to the relevant case manager. The absenteeism insurer may also receive invoices from Gimd. Employer information is listed on the invoice. The file number referring to the application is also indicated on the invoice.

Other companies, if you ask 

If you wish, Gimd may share information with other parties in specific cases. For example, to a trustee, a doctor who provides a second opinion for you, an insurance doctor or a lawyer. This is done only if you request it, with your explicit consent. To exchange information with other parties, please contact your supervisor. If you do not (or no longer) have a counsellor, send a request to [email protected].

In order to make sure that Gimd operates as effectively and efficiently as possible, some services have been outsourced to other companies. This includes, for example, data centres, records managers, software companies, web designers and generating reports for internal analysis for the purpose of Gimd’s (financial) management.

These external partners have been carefully selected. Gimd requires them to handle privacy-sensitive data as carefully as Gimd itself.

Gimd considers security of your personal information of major importance and pays close attention to it. Risk assessments are performed on a regular basis and they involve looking for new technological opportunities or threats. We also review the function of our information security system. We follow the NEN 7510 standard and the ISO 27001 guidelines when it comes to information security.

An important principle is that Gimd only stores personal data within the European Economic Area (EEA). If personal data is stored outside the EEA, this will only be done after Gimd has determined that there is a level of protection consistent with the requirements of privacy legislation.

If a data breach or information security incident does occur – despite all the measures – Gimd will take immediate action to analyse the cause, mitigate the damage and inform stakeholders.

Gimd adheres to legal retention periods. If there is no legal retention period, Gimd does not retain data longer than necessary to perform the task.

• By law, Gimd is required to retain financial data for 7 years after the end of the relevant calendar year.
• (Non-medical) personal data for company social work, confidential counsellors and the complaints committee will be kept for up to 2 years after file closure.
• The retention period for the Mediation file retention period is 20 years after the event that caused the injury or longer if interruption of the statute of limitations is invoked.
• The retention period for the files of the external complaints committee is kept for 2 years as standard. This can be deviated from if the customer requests a retention period of 5 years. This is reflected in the customer’s complaints procedure.
• Emails are retained for up to 1 year after receipt.
• Camera footage will be kept for a maximum of 4 weeks unless an ongoing case due to a specific incident requires it to be kept for longer.

If you would like to find out about the retention periods for data that Gimd processes via its website, you can find this under “Information for website visitors”.

The General Data Protection Regulation describes your rights as an individual. Briefly, these are the following rights:

• The right to inspection. You may request your file and other records of your personal data from Zorg van de Zaak and view them yourself.
• The right to rectification and supplementation. Is information incomplete or inaccurate? If so, you can have it completed and/or corrected.
• The right to restriction of processing. This means that Gimd may (temporarily) not process your data.
• The right to objection. Do you want certain information Gimd has about you not to be processed? If so, you can object.
• The right to data portability. This means that at all times you can receive the personal data you have shared with Gimd in a machine-readable format so that you can transfer it to third parties.
• The right to the destruction of your (medical) record or personal data (the right to be forgotten). This means that any personal data that you want destroyed will be deleted, as long as it does not violate any legal obligations that Gimd must comply with.

In addition, under the Dutch Medical Treatment Agreement Act (WGBO) and the Dutch Supplementary Provisions on Processing Personal Data in Healthcare Act (WABPVZ), you as a client have the right to copies. This means that you can request an electronic copy of any processed personal data that Gimd holds about you free of charge. Gimd will comply with your request for a right to an electronic copy unless the privacy of another person outweighs your right to a copy.

For Mediation, we adhere to the guidelines of the Dutch organisation Mediator Federation Netherlands (MfN). You can read information about this via this link: https://mfnregister.nl/mediators/best-practices-ervaringen-uit-de-mediationpraktijk/best-practice-vertrouwelijkheid-mediationdossier-2/

Gimd does not only adhere to the General Data Protection Regulation, but also to other laws. You may therefore invoke a right under the GDPR, but Gimd may have to deny the request because it violates another law. Gimd will always notify you of this. If your request can be granted in part but also not in part, Gimd will inform you of this as well

Gimd treats your personal data as carefully as possible. No more personal data is collected than necessary and the best possible security of this data is ensured. That being said, things can still go wrong. In these circumstances, Gimd is aware that your personal information may end up with third parties who should not have access to it. With health data, in extreme cases this can lead to stigmatisation or exclusion. When it comes to identifying information, such as name and date of birth, you may be at risk of identity fraud. Your contact information, especially an e-mail address, may be misused by an unauthorised recipient for SPAM or phishing activities. For Gimd, this is reason to pay particular attention to the security of your personal data.

Do you believe that Gimd has not handled your personal data properly? Or are you dissatisfied with Gimd’s services? If so, you can file a complaint by sending an e-mail to [email protected] .

You can also file a complaint with other bodies and initiatives, such as the LVV, BPSW, MfN, NVVK to which Gimd is affiliated. You may only file a complaint about Gimd with these bodies after you have submitted the complaint to Gimd.

For the involvement of the external complaints committee, the complaints procedure is used for the engagement of this committee.

If so, please contact [email protected] or your contact within Gimd.

If you have any question or complaints about structural deficiencies at Gimd in terms of privacy protection, please send a message to the Data Protection Officer, Mr. S. van der Molen. You can reach the Data Protection Officer by sending an e-mail to [email protected]. You can also file a privacy complaint with the Dutch Personal Data Authority. This can only be done after you have submitted the complaint to Gimd.

If you contact us via the contact form or request additional information via an information form 

When you fill out a contact or information form on the Gimd website, Gimd processes the following personal data from you:

• First and last name
• Phone number
• E-mail address
• Employer data

The purpose of this is to contact you and be able to answer your complaint or question. The processing of this data is necessary for the proper handling of your request.

When you fill out a form on the website, it is sent to a mailbox. This mailbox is accessible to employees who handle complaint and quote requests, among other things. These forms are kept for a maximum of one year after receipt. The website itself keeps a copy of this form, which is automatically deleted after three months.