A new European law applies as of 25 May 2018, namely the General Data Protection Regulation (GDPR). This law replaces the old Personal Data Protection Act [Wet bescherming persoonsgegevens (Wbp)]. The new law will enhance privacy-related rights.
Privacy relates to the right of all citizens and employees to protection of their privacy. Data collection and exchange is very important for the realisation of social and corporate objectives. Protecting personal data and lawful data processing is an important part of that data exchange. The MEB considers privacy to be very important and processes personal data in a lawful, proper and transparent way in accordance with the applicable legislation and regulations.
This privacy statement explains how the MEB deals with personal data.
The statement is made up of different sections:
- What are personal data?
- Why does the MEB process your personal data?
- How does the MEB deal with your personal data?
- When are your data shared?
- Contact about your rights
This privacy statement will be revised as necessary.
What are personal data?
Personal data are information that relates directly to someone or information that can be traced to a person. Examples of personal data are a home address, telephone number and email address.
Special personal data
Some personal data are especially sensitive because their processing can have a major impact on someone's life. Data relating to someone's race, religion or health are examples of special personal data. The law provides extra protection for these data. The personal data on children and criminal-law data are always extra sensitive and are therefore subject to extra protection.
You can find more information about personal data on the website of the Dutch Data Protection Authority.
Why does the MEB process your personal data?
Personal data are created, collected, consulted and updated at many locations within the MEB. One example is the primary process, which uses (pseudonymised) personal data when assessing marketing authorisations, monitoring medicinal products in practice, and warning organisations in the event of problems or adverse reactions from medication. These personal data are, for instance, names of assessors or medical data such as blood pressure, heart rate, medication and treatment. Data such as CVs and name/address/place of residence information of employees are also collected to make our daily work possible.
How does the MEB deal with your personal data?
The MEB applies a number of starting principles when processing personal data and takes measures to ensure that your personal data are processed reliably, properly and carefully.
For a legal reason and for a purpose
The MEB processes personal data if there is a legal reason to be allowed to process the data, or on the basis of permission. The MEB ensures that the personal data you provide to the MEB and on www.cbg-meb.nl are only processed for the specific purpose for which the data are collected.
As little data as possible
The MEB does not process any more personal data than is necessary. If at all possible, less or no personal data are processed.
Invasion of privacy as small as possible
The MEB ensures that the privacy invasion is restricted to the purpose served by the collection of the data. Where there is a choice between different types of personal data in order to achieve a goal, the MEB chooses to process the personal data that cause the smallest invasion of privacy.
Kept only as long as necessary
At the MEB we keep your personal data:
- as long as is necessary for the purpose for which they have been collected
- or on the basis of the requirements of the Public Records Act [Archiefwet], and
- no longer than is legally permitted.
Measures for reliability, integrity and confidentiality
The MEB takes measures to ensure that your personal data are processed reliably, properly and carefully:
- Personal data are treated confidentially. This means that the MEB ensures that your data can only be processed by people with the right authority and a duty of confidentiality.
- Personal data are suitably protected. In this context the MEB observes at least the central government's regulations and standards for information security.
- The MEB makes agreements regarding measures with external parties such as software suppliers and data centres. It also checks whether external parties abide by these agreements.
When are your personal data shared?
In a number of cases the MEB is authorised, and sometimes even obliged, to request data and information from, or issue it to, other (government) organisations. This may be related to, for example, reporting adverse reactions to a medicinal product manufacturer. Where this authority or obligation does not apply, the MEB will not share personal data without your permission.
Contact about your rights
You have a number of rights, such as the right to access your data and the right to have them amended.
If you would like to know which personal data the MEB processes, you can submit a request for access. The MEB will process your request within 4 weeks.
If it transpires that your data are incorrect, incomplete or irrelevant, you can submit an additional request to have your data changed or supplemented.
Data Protection Officer
The MEB has a Data Protection Officer (DPO). The DPO is independent and checks whether the MEB is applying, and complying with, the General Data Protection Regulation. The Dutch Data Protection Authority supervises the application of privacy legislation.
The Data Protection Officer (DPO) is your point of contact for questions and comments about the processing of your personal data. You can submit your requests digitally or on paper to:
Data Protection Officer contact details
FG-CBG@minvws.nl or in writing via the Data Protection Officer
Ministry of Health, Welfare and Sport
Directie Bestuurlijke en Politieke Zaken
2500 EJ The Hague
If you have questions about your rights or if you have a complaint, please contact the Dutch Data Protection Authority.