The MEB privacy statement informs you about which personal data we process and for which purpose(s).
The MEB considers privacy to be very important and processes personal data in a lawful, proper and transparent way in accordance with the applicable legislation and regulations.
This privacy statement explains how the MEB deals with your personal data.
The statement is made up of different sections:
- What is personal data?
- What personal data does the MEB process?
- How does the MEB deal with your personal data?
- When is your personal data shared?
- Your rights
What is personal data?
Personal data is information that relates directly to someone or information that can be traced to a person. Examples of personal data are a home address, telephone number and email address.
Special personal data
Some personal data is especially sensitive because its processing can have a major impact on someone's life. Data relating to someone's ethnicity, religion, political preference or health are examples of special personal data. The MEB processes the following special personal data: health data.
The MEB receives health data almost always in pseudonymised form. This means that the MEB receives and processes the personal data in such a way that the personal data can no longer be linked to a specific data subject without additional data being used. The MEB does not have access to the additional data needed to identify a person because it does not receive this additional data from the issuing parties. Only in very exceptional cases -for example in the case of rare diseases where there are only a few Dutch patients- it could occur that pseudonymised health data can be linked to an individual.
The MEB often receives data unintentionally from which someone's ethnicity, religion, labour union membership or political preference can be inferred. For example if an applicant or an assessor who has cooperated on research into a medicine has voluntarily included a photo in his CV. The MEB does not use this special data for any other purposes.
You can find more information about personal data on the website of the Dutch Data Protection Authority.
What personal data does the MEB process?
The MEB processes the following types of personal data:
The information above is a summary. For more information please consult the GDPR register of the Central Government.
How does the MEB deal with your personal data?
The MEB takes measures to ensure that your personal data are processed reliably, properly and carefully:
- Personal data are treated confidentially. This means that the MEB ensures that your data can only be processed by people with the right authorities and a duty of confidentiality.
- Personal data is suitably protected. In this context the MEB observes at least the national government's regulations and standards for information security.
- The MEB makes agreements regarding measures with external parties such as software suppliers and data centres. It also checks whether external parties abide by these agreements.
When is your personal data shared?
In a number of cases the MEB is authorised and sometimes even obliged to request data and information from, or issue it to, other (government) organisations. If this authorisation or obligation does not apply, the MEB will never share data without your consent.
Data on pseudonymised reports of adverse reactions
The European Medicines Agency (EMA), which manages the EudraVigilance database, is the recipient of the collected reports of adverse reactions by the Netherlands Pharmacovigilance Centre Lareb and the MEB. From the EudraVigilance database these reports are distributed further to other institutions, as laid down in the EudraVigilance Access Policy. Institutions with which data are shared are marketing authorisation holders and the World Health Organisation (WHO). The sharing of the data is subject to a statutory obligation and the further distribution falls under the responsibility of the EMA.
Exchanging data with national institutions within the framework of assessing medicines
The identified personal data is processed by the MEB within the framework of the execution of the Medicines Act [Geneesmiddelenwet]. The tasks of the MEB are referred to in Article 9 of the Medicines Act. From Article 13 it follows that the MEB must, in certain cases, provide information to the National Health Care Institute (ZIN) and the National Institute for Public Health and the Environment (RIVM). This exchange takes place within the framework of the Medicines Act for which data is collected, within the chain used to provide patients with safe medicines. The Minister of Health, Welfare and Sport (VWS), the MEB, ZIN and RIVM are government bodies which play a role in that chain and can only function by exchanging information with each other for the same purposes.
You have a number of rights:
- The right to information. If you would like to know which of your personal data we may process, please consult the Central Government's GDPR register.
- Right of access. On the basis of the online GDPR register, do you suspect that we may process your personal data and you would like to know more? If so, you can submit a request for access by sending an email to email@example.com. Please send a secure copy of your identity document along with your request. You can do so by using the Central Government's KopieID app. That will ensure that your data, such as your Citizen Service Number and photo, is protected.
- The right to rectification and supplementation of your personal data. You can request this after requesting access.
- The right to having your data erased or rectified.
- The right to request that we temporarily stop keeping your data.
- The right to have us transfer your data to another organisation.
- The right to request that we do not take any automated decisions on the basis of what we know about you.
- The right to object to us processing your personal data.
The possibilities may differ per case. The processing of your personal data within the framework of reports of adverse reactions and personal data which is part of the dossier requirements for marketing authorisations (CVs from experts and data from clinical studies) is subject to rights which are specified in more detail.
Privacy Officer and Data Protection Officer
The MEB has a Privacy Officer who ensures the application of, and compliance with, the GDPR within the MEB and who advises the organisation on privacy protection on request or otherwise.
The Ministry of Health, Welfare and Sport also has a Data Protection Officer (DPO). The DPO is independent and checks whether the MEB is applying, and complying with, the General Data Protection Regulation. The Dutch Data Protection Authority supervises the application of privacy legislation.
In addition to the MEB's Privacy Officer, the ministry's Data Protection Officer is your point of contact for questions and comments about the processing of your personal data. You can submit your requests digitally or on paper to:
Privacy Officer en Data Protection Officer contact details
If you have any questions and complaints you can, in the first instance, contact the MEB Privacy Officer via firstname.lastname@example.org.
If the matter is not resolved with the MEB, you can contact the Data Protection Officer via FG@minvws.nl
or in writing via the Data Protection Officer
Ministry of Health, Welfare and Sport
Directie Bestuurlijke en Politieke Zaken
2500 EJ The Hague
In the case of complaints you can also contact the Dutch Data Protection Authority.
The rights of data subjects who have reported adverse reactions via the Lareb and the rights of data subjects who have taken part in clinical studies
The right to access data.
It is possible to submit a request for access to the MEB. However, the right of access does not apply to data subjects whose personal data has been received by the MEB from the Lareb. It would require a disproportional effort on the part of the MEB to identify these data subjects itself. Anyone who submits a request like this is referred to the Lareb. We will then also contact the Lareb ourselves. In this respect the MEB invokes Article 14, paragraph 5b of the GDPR and Article 44 of the General Data Protection Regulation Implementation Act (hereinafter uAVG).
It is possible to submit a request for access to the MEB. However, the right of access does not apply to data subjects who have participated in clinical studies. It would require a disproportional effort on the part of the MEB to identify these data subjects itself. Anyone who submits a request like this is referred to the marketing authorisation holder/applicant in question. We will then also contact the marketing authorisation holder/applicant ourselves. In this respect the MEB invokes Article 14, paragraph 5b of the GDPR and Article 44 of the uAVG.
The right to rectification and supplementation of data.
It is, in principle, possible to have the personal data which the MEB has received from Lareb rectified. An exception to this applies if this jeopardises the integrity of the report of an adverse reaction. Such a restriction is justified on the grounds of Article 44 of the UAVG. We also refer to the restrictions which applied to the right to access.
It is, in principle, possible to have the personal data collected by the MEB which is part of the dossier for which a marketing authorisation is based. An exception to this applies if this jeopardises the integrity of the data assessment or assessment reports. Such a restriction is justified on the grounds of Article 44 of the uAVG. We also refer to the restrictions which applied to the right to access.
The right to erasure of the data and 'the right to be forgotten'
Reports of adverse reactions are almost always anonymised when entered into the EudraVigilance database and cannot be used to identify people (except in the case of certain, very rare diseases). It is not possible to have this data erased from the EudraVigilance and/or the MEB database. In this case the EC Implementing Regulation 520/2012 and the Medical Research Involving Human Subjects Act (WMO) carries more weight than the rights and freedoms offered in the GDPR. In this respect the MEB invokes Article 17, paragraph 3b of the GDPR. We also refer to the restrictions which applied to the right to access.
In order not to jeopardise the integrity of marketing authorisation dossiers and assessment reports it is, in principle, not possible to erase the data of data subjects. In this respect the MEB invokes Article 17, paragraph 3b of the GDPR. This states that the right to erasure does not apply due to the requirement to fulfil a statutory processing obligation laid down in EU law or the law of the member state, which obligation is vested in the MEB in terms of the data in question. We also refer to Article 44 of the uAVG in this context. We also refer to the restrictions which applied to the right to access.
The right to restriction of data processing.
Adverse reactions and clinical studies
This right is limited in accordance with Article 18, paragraph 2 of the GDPR. The personal data in question is, after all, processed by the MEB for reasons of general interest for a member state in the field of public health.
The right to object to the data processing.
Adverse reactions and clinical studies
This right does not apply because the processing is necessary for the execution of the task of general interest in the field of public health (Article 21, paragraph 6 of the GDPR).
The right to data portability.
Adverse reactions and clinical studies
This right does not apply because the processing is based on statutory obligations (Article 20, paragraph 3 of the GDPR).
The right not to be subject to automated decision-making.
Adverse reactions and clinical studies
This right is not applicable because no automated decision-making takes place with regard to individual data subjects.