The Dutch National Institute for Public Health and the Environment (hereinafter: ‘RIVM’) uses personal data. In this general privacy statement, we will explain – among other things – why we use your personal data and why we are allowed to do so. In addition, we will tell you your privacy rights and where you can ask questions about privacy and the protection of your personal data.

Table of contents

Privacy is about people’s right to the protection of their private life. Privacy also includes the protection of personal data. Personal data is any data that is about a person or can be traced back to a person. Examples of this include a home address, telephone number or email address.

We believe it is important to handle sensitive information about people properly and carefully. That is why we follow the relevant laws and regulations when using personal data. The most important law about the use of personal data is the General Data Protection Regulation (hereinafter: ‘GDPR’).

RIVM is an agency (independent part) of the Ministry of Health, Welfare and Sport (hereinafter: ‘VWS’). The Minister of VWS is responsible for RIVM’s use of personal data. This does not mean that the Minister keeps the personal data we use. In principle, we keep the personal data we use ourselves.

Specific privacy statements of RIVM

We also have specific privacy statements. These give further information about how we use your personal data for certain topics.

The specific privacy statements may be relevant to you, for example if you are taking part in the National Immunisation Programme or a particular study, or if we invite you for a COVID-19 vaccination. The specific privacy statement for your situation is an addition to this general privacy statement.

In many cases, the consent forms for taking part in studies give information about the use of your personal data as well. That information may also be an addition to this general privacy statement.

 

Why RIVM uses personal data

RIVM is working towards a healthy population and a sustainable, safe and healthy living environment. The main goals for which we use personal data are the following:

  • To give advice on a clean, healthy and safe living environment
    RIVM gives advice on how to keep our living environment clean, healthy and safe. We may use personal data – including data about health – to do research on this and to give advice. We share our knowledge about a clean, healthy and safe living environment with others. When we share personal data with others, we follow the law.
  • To prevent and control infectious diseases
    Infectious diseases are diseases caused by bacteria, viruses, fungi or parasites. RIVM collects information about this. We do research and explain how these diseases can be prevented and controlled. To do so, we work together with other organisations. To prevent and control infectious diseases, we may use and share personal data – including data about health – with other organisations.
  • To do research about good healthcare and healthy lifestyles, and to run programmes
    RIVM researches what people need for good healthcare and a healthy lifestyle. We give advice and run health programmes for the government, such as the National Immunisation Programme. RIVM is also responsible for several population screenings to detect or prevent diseases in time. For these programmes and studies, RIVM may use personal data, including data about health.

An important part of our work is doing scientific research. We always think about privacy as much as possible. This means we use as little personal data as possible. The information we make public about studies and put in our reports can never be traced back to individual people.

Research with human subjects is covered by the Dutch Medical Research (Human Subjects) Act (hereinafter ‘WMO’). Research that is covered by the WMO or the Dutch Embryo Act needs to be checked by an independent expert committee. Without a positive decision from this committee, the research may not start. The Central Committee on Research Involving Human Subjects (CCMO Central Committee for Research involving Human Subjects (Central Committee for Research involving Human Subjects)) checks if the privacy of the human subjects who take part in medical research is protected.

RIVM does not make automated individual decisions based on profiles. This means that no decisions about you are made by computers (that is, without a human being looking at them) or based on profiles.

RIVM also uses personal data for goals that are not directly linked to our statutory duties. For example, we use personal data to carry out our duties as an employer or to send you a newsletter.

RIVM’s specific privacy statements give more specific information for each topic about the goals for which we use personal data.

 

Whose personal data RIVM uses

When needed for our duties, we can and may use personal data from anyone. We may – for example – use the personal data of people who take part in our studies or programmes. Our specific privacy statements give more information about this.

We may also use the personal data of people who work for us or for our suppliers, and from people who come to our offices or have signed up for our newsletters.

 

The types of personal data RIVM uses

Personal data is information about a person or information that can be traced back to a person. Examples of personal data include a home address, a citizen service number (BSN), a telephone number or an email address.

Some personal data is extra sensitive because its use can have a significant impact on a person’s life, such as information about a person’s race, religion or health. These special categories of personal data are extra protected by law.

We can and may use both ordinary and special categories of personal data as needed for our duties. When we do so, we obviously follow the law. We can and may use the citizen service number (BSN) for goals such as our immunisation programmes. We always do our best to use as little personal data as possible.

The special category of personal data we use most often is data about health. However, when needed for our duties, we can and may also use data about topics such as sexuality or race, or genetic data.

RIVM’s specific privacy statements give more specific information for each topic about the type of personal data we use. We always do our best to use only as much personal data as we need to achieve the goal.

 

How RIVM gets personal data

RIVM may get your personal data directly from you, for example when you personally give data to us during a study you are taking part in.

We may also get your personal data from another organisation, rather than directly from you.

A few examples:

  • We get your personal data from professional care providers, such as your general practitioner (GP), the Municipal Public Health Service or a hospital. In some cases, we will need your permission ahead of time.
  • We get your personal data from the Key Register of Persons (BRP) if the law states that we may do this or need this.
  • We get your personal data from cooperation partners, such as universities, research institutes or Statistics Netherlands (CBS).

We may also get your personal data in other ways. Our specific privacy statements give more specific information for each topic about how we get your personal data.

 

The laws and regulations about RIVM’s use of personal data

The GDPR says that organisations can only use personal data if they have a valid ‘ground’ for doing so.

The GDPR identifies six grounds: consent, performance of an agreement, a legal obligation, a vital interest of the data subject or others, a public interest (legal or public duty) or a legitimate interest.

RIVM only uses personal data if the law says we can. We often use personal data because it is needed for one of our duties – that is, for the public interest – or because we have a legal obligation. In these cases, we may use your personal data without your permission ahead of time.

Our duties are explained in the Dutch RIVM Act. These duties are sometimes explained in further detail in other laws, such as the Dutch Public Health Act, or in instructions from the Minister of VWS.

In certain situations, your doctor may ask that we carry out ’diagnostic tests’ as part of your treatment. For example, he or she may ask us to diagnose a disease or condition. We give the results of our diagnostic test to your doctor. To carry out the diagnostic test, we will need data from you first. We get this data from your doctor. We do not need your permission for this. We may process this data as part of the ‘medical treatment contract’ between you and your doctor. What data this is depends on your doctor’s request and the diagnostic test we need to carry out.

In some cases, RIVM uses your personal data because you have given your permission, for example when we send you a newsletter.

We may also use your personal data if you are an employee or supplier of RIVM. For example, because this is necessary for your employment agreement, for a purchase agreement or because we have a legal obligation.

Our specific privacy statements give more specific information for each topic about the basis on which RIVM uses personal data.

Permission to take part in studies and permission to share data with us

If you are taking part in a study, we often need your ‘informed consent’. This means that we may only collect your personal data if:

  • we have given you enough information about the study, and;
  • you give us permission to take part in the study.

In many cases, care providers must ask you for permission before they can share your medical data with RIVM.
Even if you give – for example – a care provider permission to share data or give us permission to use your data in a study, we may only use your personal data if this is needed for our duties.

When we ask you for your permission, we will also always tell you how you can withdraw it later.

 

Keeping personal data

RIVM does not keep your personal data for longer than we need to carry out our duties. 

We keep your personal data:

  • for as long as we need it to achieve the goal for which it was collected;
  • for as long as we need to under the Dutch Public Records Act, and;
  • for no longer than the law allows.

When we use personal data, we always keep it for a period of time (retention period). In some cases, this is explained in the law. The retention period depends on the work for which we use personal data.

For most of our studies, we must keep the personal data for at least 10 or 15 years after the study is finished.

Our specific privacy statements give more specific information for each topic about retention periods.

 

Sharing personal data

In some cases, RIVM may want or need to share personal data with others. RIVM is very careful when sharing personal data with other organisations and follows the rules of the GDPR.

We may share your personal data with organisations that use your personal data for their own goals, such as other research institutes, universities, ministries or Statistics Netherlands (CBS). RIVM only shares your personal data if we may or need to do so. We always make proper arrangements with the organisations we share personal data with. When needed, we will work with these organisations to make sure that your privacy is protected.

When we work together with other organisations on a joint goal, we make arrangements to protect your privacy.

Sometimes, we also ask other parties to help us achieve our own goal. In the GDPR, such parties are called ‘processors’. Examples include companies that carry out surveys or analyses for us, and companies that help us make sure that personal data cannot be traced back to individual people. We always make written agreements with these parties to make sure that they handle your personal data with care.

RIVM also follows the GDPR when it sends personal data to a party outside Europe. This is also true when we work together with Aruba, Curaçao or Sint Maarten, or Bonaire, Sint Eustatius or Saba. When needed, we will take extra measures – together with the receiving party – so that your personal data is as well protected as it is under the GDPR.

RIVM’s specific privacy statements give an explanation for each topic about the sharing of personal data.

 

Your privacy rights

Under the GDPR, you have a number of rights. Our specific privacy statements give more specific information for each topic about the rights you have under the GDPR, and on how to send us a GDPR request for that topic. Examples include the National Immunisation Programme, the coronavirus vaccination register and certain specific studies.

How do I send a general GDPR request to RIVM?
If you would like to send a general GDPR request to us or have questions about this, please send an email to AVG-RIVM@rivm.nl.

We will answer GDPR requests within a month. If we cannot do so, we can get a two-month extension. If this happens, we will let you know on time.

Under the GDPR, you can:

  •  ask for access to the data RIVM has about you;
  • ask for incorrect data about you to be corrected;
  • ask for information about you to be removed;
  • ask for your data to be sent to another organisation;
  • ask for the use of your personal data to be limited;
  • object to the use of your personal data.

If you contact RIVM to make use of one or more of these rights, we will need to check your identity. We will check your identity in the way that is most privacy-friendly for you. How we do this may vary from topic to topic. In some cases, you can use DigID.

When you send a general GDPR request to RIVM, we may ask that you send us a copy of your ID. Valid IDs include your passport or driving licence. The KopieID app allows you to make a secure copy of your ID using your smartphone. Click here for more information about the KopieID app.

Sometimes, we will also ask that you come to RIVM in person to identify yourself. For example, if your request is about special categories of personal data, criminal data or data of minors. By asking you to identify yourself in person, we can make sure we are giving this sensitive information to the right person.

Using the above-mentioned rights does not always mean you will get what you ask for. Sometimes, we have to refuse a request. For example, because an exception has been made in the GDPR itself. Or because your data has not been made traceable for scientific research, so we cannot find and/or remove it. In many cases, you also cannot ask us to send your data to another organisation.

We can only act on the above-mentioned rights if we actually have your personal data. The GDPR does not cover company data.

 

What we do to secure personal data

It is very important to RIVM that we treat your personal data confidentially and carefully. Because we are part of the government, we must follow the Government Information Security Baseline (BIO). This is the national information security standard for municipal authorities, water boards, provincial authorities and the central government.

RIVM does its best to secure and protect personal data. For example, by encrypting personal data and making sure our computers are properly secured. We also make sure that not all employees can access all personal data. In addition, all our employees have a duty of confidentiality. They get training courses, presentations and explanations on privacy and information security, so that they always know how to handle personal data safely and carefully.

 

Questions or complaints about how your personal data are used

If you have any questions about this privacy statement, or think that RIVM does not or has not respected this statement in a particular case, please send an email to AVG-RIVM@rivm.nl. You can also send a letter to RIVM’s central privacy team, Freepost 3270, 3720 VB in Bilthoven.
If you have a complaint, please go to our website for more information about our complaints procedure and how to send a written complaint to us. You can also send your complaint to us by sending an email to the Data Protection Officer (DPO) of the Ministry of VWS: FG-VWS@minvws.nl.

The DPO of the Ministry of VWS is independent and checks if the Ministry uses and follows the rules of the GDPR. Because RIVM falls under the Ministry of VWS, its DPO monitors us as well.

Under the GDPR, you may also send a complaint to the Dutch Data Protection Authority. You can contact the Dutch Data Protection Authority if you want to do this.

 

Changes to this privacy statement

Laws and regulations about privacy change frequently. Because of this, we update this general privacy statement regularly. We recommend that you read this general privacy statement again from time to time. This will keep you informed about how we use your data.

We last updated this general privacy statement on 1 May 2023.

 

Version control - General privacy statement of RIVM

1.0

24 May 2018

2.0

1 May 2023