PRIVACY NOTICE

PRIVACY NOTICE SITE WEB: PATIENTS

As the data controller, the Clinique Saint-Jean attaches particular importance to respecting and protecting the privacy of its patients and therefore commits to process and protect your personal data with the greatest care and discretion.
The purpose of this “privacy notice” is to inform you about the various personal data processing operations that the Clinic carries out during your outpatient and/or inpatient treatment.
If you have any questions, please do not hesitate to send them to our DPO via the following e-mail address: privacy-dpo@clstjean.be.

NB: Please note that for a series of specific treatments (e.g. participation in a clinical study, organ donation, etc.) additional information notices are available and/or will be sent to you in order to inform you in the most accurate and exhaustive manner possible.

  1. Legal framework

Clinique Saint-Jean processes your personal data in accordance with the regulations on the protection of privacy and personal data, including

  • Point III, Article 9quater of the Royal Decree of 23 October 1964 fixing the standards to which hospitals and their services must conform;
  • The European Regulation No. 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data (hereinafter: the “GDPR”) and its implementing laws and decrees;
  • The law of 30.07.2018 on the protection of individuals with regard to the processing of personal data.

  1. Definitions

  • Responsible of process: this is the natural or legal person, public authority, department or other organization that determines which of your personal data are/will be processed, how they will be processed and for what purpose.
  • Contractor: this is the natural or legal person, public authority, department or other organization that processes your personal data on behalf of the responsible of process. For example: the supplier of the Clinic's e-mail box, the suppliers of the diagnostic assistance equipment, the suppliers of the computerized patient file platform, etc.
  • Concerned person(s): the patient(s) of the Clinique Saint-Jean, i.e. the natural persons admitted or treated within the Clinique Saint-Jean.
  • EEA: European Economic Area

  1. Processing activities

  2. Making an appointment

When you make an appointment at the Clinic, whether by telephone, via our website or directly via your practitioner, we are obliged to process the following personal data about you:

Types of personal data
  • Identification data (e.g. name, first name, ...) ;
  • Contact data (e.g. telephone number, e-mail address, ...);
  • Data

Purposes of the processing

  • To allow you to make appointments in a secure manner;
  • To allow us to manage and organize appointments internally;
  • To send you an SMS of confirmation for your appointment.  

Legal basis for processing

The pre-contractual relationship you establish with the Clinic by making an appointment with one of our practitioners.

Receivers/categories of receivers and transfers outside the EEA

You will find this information in the dedicated section “Potential external receivers of your personal data”.

Conservation period

  • 30 years for all data that will be included in your medical and nursing records.

  1. Reception & Admissions

Within the context of your reception for your appointment or admission, we are obliged to process the following personal data about you:

Types of personal data
  • Identification data (e.g. name, first name, ...);
  • Contact data (e.g. telephone number, e-mail address, ...);
  • Image capture (e.g. passport photo);
  • Identification number (e.g. national register number, patient number, ...);
  • Financial and economic data (e.g. data related to the stay, fixed price, ...);
  • Data relating to the mutual insurance company and/or other insurance organizations (e.g. affiliation, insurance, etc.).

Purposes of the processing
  • To enable the organization of your stay;
  • To enable internal management of admissions and bed allocation;
  • To generate labels and all documents related to your care;
  • To allow the invoicing of services;
  • And any other operation necessary for the management of patient administration.

Legal basis for processing

The care contract concluded between you and the clinic in the context of your treatment by your practitioner.

Receivers/categories of receivers and transfers outside the EEA

You will find this information in the dedicated section “Potential external receivers of your personal data”.

Conservation period
  • 30 years for all data that will be included in your medical and nursing records;
  • 7 years for all data serving as accounting vouchers or related to invoicing.

  1. Medical follow-up - care

Within the context of your medical care, practitioners are required to collect, analyze and encode the following personal data in your medical and/or nursing file:

Types of personal data
  • Identification data (e.g. name, first name, ...) ;
  • Contact data (e.g. telephone number, e-mail address, ...);
  • Image capture (e.g. passport photo, X-ray, ultrasound, ...);
  • Identification number (e.g. national register number, patient number, ...);
  • Physical health data (e.g. family and personal history, consultation data, hospitalization data, pathology history, ...);
  • Mental health data (e.g. treatment, diagnosed pathologies, ...);
  • Private data (e.g. family situation, habits, food preferences, ...);
  • Professional data (e.g. employment, ...) ;
  • Data revealing racial or ethnic origin (e.g. nationality, origins, ...);
  • Data revealing religious and/or philosophical convictions (e.g. religion, belief, opinion on medical over-treatment, ...);
  • Genetic data (e.g. genes, DNA sequence, ...);
  • Data concerning sex life and/or sexual orientation (e.g. frequency of sexual relations, ...).

 

Not all of this data will be processed by your practitioner. Only the data that the practitioner considers relevant to your care and that guarantee your safety will be processed.

Purposes of the processing
  • To enable optimal and relevant care by your practitioner;
  • To record patient data in accordance with the obligations imposed by the competent authorities.
  • The contract of care between you and the clinic as part of your care by your practitioner;
  • Our legal obligations under medical law.

Legal basis for processing

The processing of special categories of data about you (e.g. your medical data) is also based on Article 9(2)(h) GDPR which allows us to process such data for medical diagnosis, health or social care or for the management of health care systems and services.

Receivers/categories of receivers and transfers outside the EEA

You will find this information in the dedicated section “Potential external receivers of your personal data”.

Conservation period

  • 30 years for all data that will be included in your medical and nursing records. Please note that this period starts from the date of your last hospital discharge or medical treatment.

  1. Emergencies

When you visit - or are admitted to - our emergency department, we may process your personal data as follows:

 Types of personal data
  • Identification data (e.g. name, first name, ...) ;
  • Contact data (e.g. telephone number, e-mail address, ...);
  • Image capture (e.g. passport photo, X-ray, ultrasound, ...);
  • Identification number (e.g. national register number, patient number, ...);
  • Physical health data (e.g. family and personal history, consultation data, hospitalization data, pathology history, ...);
  • Mental health data (e.g. treatment, diagnosed pathologies, ...);
  • Private data (e.g. family situation, habits, food preferences, ...) ;
  • Professional data (e.g. employment, ...);
  • Data revealing racial or ethnic origin (e.g. nationality, origins, ...);
  • Data revealing religious and/or philosophical convictions (e.g. religion, belief, opinion on medical over-treatment, ...);
  • Genetic data (e.g. genes, DNA sequence, ...);
  • Data concerning sex life and/or sexual orientation (e.g. frequency of sexual relations, ...).

Please note that in emergency situations all the data mentioned above that are necessary for your care will be processed by the practitioner.

Purposes of the processing

  • To enable your care ;
  • To provide you with the necessary care;
  • To ensure your safety and guarantee the quality of the care provided.

Legal basis for processing

  • The contract of care concluded between you and the clinic in the context of your treatment by your practitioner;
  • The processing of your data is necessary to safeguard your vital interests;
  • Our legal obligations under medical law.

The processing of special categories of data about you (e.g. your medical data) is also based on Article 9(2)(h) GDPR, which allows us to process this type of data in the context of medical diagnosis, health or social care or for the management of health care systems and services.

Receivers/categories of receivers and transfers outside the EEA

You will find this information in the dedicated section “Potential external receivers of your personal data”.

Conservation period

30 years for all data that will be included in your medical and nursing records.

Please note that this period starts from the date of your last hospital discharge or medical treatment.

  1. Invoicing

Within the context of the invoicing of your care (i.e. care, medicines, ...) we are led to process your personal data in the following way:

Types of personal data
  • Identification data (e.g. name, first name, ...) ;
  • Contact data (e.g. telephone number, e-mail address, ...);
  • Image capture (e.g. passport photo);
  • Identification number (e.g. national register number, patient number, ...);
  • Physical health data (e.g. INAMI code, ...);
  • Mental health data (e.g. INAMI code, ...);
  • Financial and economic data (e.g. data related to the stay, fixed price, ...);
  • Data relating to the mutual insurance company and/or other insurance organizations (e.g. affiliation, insurance, etc.).

Purposes of the processing
  • Invoice management;
  • Send paper and/or electronic invoices;
  • Enable your mutual insurance company to cover the costs.

Legal basis for processing
  • The contract of care concluded between you and the clinic in the context of your treatment by your practitioner;
  • Our legal obligations under tax law.

Receivers/categories of receivers and transfers outside the EEA

You will find this information in the dedicated section “Potential external receivers of your personal data”.

Conservation period

  • 30 years for all data that will be included in your medical and nursing records;
  • 7 years for all data serving as an accounting voucher or related to invoicing.

  1. Contentious

In the context of dispute management, we may process your personal data in the following ways:

Types of personal data
  • Identification data (e.g. name, first name, ...) ;
  • Contact data (e.g. telephone number, e-mail address, ...);
  • Image capture (e.g. passport photo);
  • Identification number (e.g. national register number, patient number, ...);
  • Financial and economic data (e.g. data related to the stay, fixed price, ...);
  • Data related to the mutual insurance company and/or other insurance organizations (e.g. affiliation, insurance, ...);
  • Physical health data (e.g. family and personal history, consultation data, hospitalization data, pathology history, ...);
  • Mental health data (e.g. treatment, diagnosed pathologies, ...) ;
  • Private data (e.g. family situation, habits, food preferences, ...);
  • Professional data (e.g. employment, ...);
  • Data revealing racial or ethnic origin (e.g. nationality, origins, ...);
  • Data revealing religious and/or philosophical convictions (e.g. religion, belief, opinion on medical over-treatment, ...);
  • Genetic data (e.g. genes, DNA sequence, ...);
  • Data concerning sex life and/or sexual orientation (e.g. frequency of sexual relations, ...).

Only data relevant to the resolution of the dispute will be processed by the services concerned.

Purposes of the processing
  • To enable patient mediation;
  • To enable internal management of disputes;
  • To enable dispute resolution;
  • To allow the anonymization of your data in the context of the annual report that we have to communicate to the COCOM.  

Legal basis for processing
  • Processing is necessary to comply with our legal obligations under the law relating to patients' rights;
  • Legitimate interests.  

Receivers/categories of receivers and transfers outside the EEA

You will find this information in the dedicated section “Potential external receivers of your personal data”.

Conservation period

  • Mediation: 2 years following the resolution of the dispute;
  • The retention period is that which is necessary for the management and resolution of the dispute. If there are legal requirements regarding the dispute, these will be taken as the basis for defining the maximum retention of the data concerned. In all other cases, the data will be kept for a maximum of 2 years after the dispute has been resolved.

  1. Audit

In the context of a targeted medical audit as provided by Article 6/1 of the Royal Decree of 15 December 1987 implementing Articles 13 to 17 of the Hospitals Act, coordinated by the Royal Decree of 7 August 1987, or any other audit related to the provision of health care, we may need to process your personal data in the following way:

Types of personal data
  • Identification data (e.g. name, first name, ...) ;
  • Contact data (e.g. telephone number, e-mail address, ...);
  • Image capture (e.g. passport photo);
  • Identification number (e.g. national register number, patient number, ...);
  • Financial and economic data (e.g. data related to the stay, fixed price, ...);
  • Data related to the mutual insurance company and/or other insurance organizations (e.g. affiliation, insurance, ...);
  • Physical health data (e.g. family and personal history, consultation data, hospitalization data, pathology history, ...);
  • Mental health data (e.g. treatment, diagnosed pathologies, ...) ;
  • Private data (e.g. family situation, habits, food preferences, ...);
  • Professional data (e.g. employment, ...);
  • Data revealing racial or ethnic origin (e.g. nationality, origins, ...);
  • Data revealing religious and/or philosophical convictions (e.g. religion, belief, opinion on medical over-treatment, ...);
  • Genetic data (e.g. genes, DNA sequence, ...);
  • Data concerning sex life and/or sexual orientation (e.g. frequency of sexual relations, ...).

Only data relevant to the audit will be processed.

Purposes of the processing

Quality of care, management of health care systems and services.

Legal basis for processing

  • The processing is necessary to comply with our legal obligations; 
  • The legitimate interests of the Clinic;
  • The management of health care systems and services.

Receivers/categories of receivers and transfers outside the EEA

You will find this information in the dedicated section “Potential external receivers of your personal data”.

Conservation period

10 years

  1. Social service

Types of personal data
  • Identification data (e.g. name, first name, ...) ;
  • Contact data (e.g. telephone number, e-mail address, ...);
  • Image capture (e.g. passport photo);
  • Identification number (e.g. national register number, patient number, ...);
  • Financial and economic data (e.g. data related to the stay, fixed price, ...);
  • Data related to the mutual insurance company and/or other insurance organizations (e.g. affiliation, insurance, ...);
  • Physical health data (e.g. family and personal history, consultation data, hospitalization data, pathology history, ...);
  • Mental health data (e.g. treatment, diagnosed pathologies, ...) ;
  • Private data (e.g. family situation, habits, food preferences, ...);
  • Professional data (e.g. employment, ...);
  • Data revealing racial or ethnic origin (e.g. nationality, origins, ...);
  • Data revealing religious and/or philosophical convictions (e.g. religion, belief, opinion on medical over-treatment, ...);
  • Genetic data (e.g. genes, DNA sequence, ...);
  • Data concerning sex life and/or sexual orientation (e.g. frequency of sexual relations, ...).

Only the data necessary for your support by the social service will be processed.

Purposes of the processing
  • Promoting access to health care;
  • Management of psychosocial problems arising from illness and/or hospital admission to coordinate patient discharge, continuity of care, or stay;
  • Planning admission to an outpatient center or other clinic unit.

Legal basis for processing

The care contract between you and the Clinic.

Receivers/categories of receivers and transfers outside the EEA

You will find this information in the dedicated section “Potential external receivers of your personal data”.

Conservation period

30 years

  1. Spiritual, religious and/or philosophical guidance

Types of personal data
  • Identification data (e.g. name, first name, ...) ;
  • Contact data (e.g. telephone number, e-mail address, ...);
  • Data revealing religious and/or philosophical convictions (e.g. religion, belief, opinion on medical over-treatment, ...).

Purposes of the processing
  • Spiritual, religious and/or philosophical support for the patient.

Legal basis for processing

The care contract between you and the Clinic.

Receivers/categories of receivers and transfers outside the EEA

You will find this information in the dedicated section “Potential external receivers of your personal data”.

Conservation period

30 years

  1. Benchmarking

Types of personal data
  • Medical data ;
  • Financial data (in case of participation in CAMS);
  • Billing data.

Purposes of the processing
  • Comparison of the Clinic's results with other hospitals participating in the project;
  • To provide the Clinic with reports and analyses representing performance and quality indicators in order to improve.

Legal basis for processing
  • Consent
  • Care contract  

Receivers/categories of receivers and transfers outside the EEA

You will find this information in the dedicated section “Potential external receivers of your personal data”.

Conservation period

Minimum 3 years and maximum 4 years.

Withdrawal of the consent

At any time, without specific reason(s), without affecting the validity of the processing carried out prior to the withdrawal.

 

  1. Potential external receivers of your personal data

Within the limits imposed by the GDPR, in compliance with the legal basis on which we process your personal data and to the extent necessary to achieve the purposes of processing described above, we have to transfer some of your personal data to the following receivers:

CATEGORY

TRANSFERT OUTSIDE OF THE EEA

APPROPRIATE GARANTEES

Insurance organizations when required by law.

Not applicable

Not applicable

The National Institute for Sickness and Disability Insurance where required by law.

Not applicable

Not applicable

External care providers as part of the continuity of patient care.

Not applicable

Not applicable

Public instances and judicial or administrative authorities where required by law.

Potentially

If an action is start up in a country outside the European Economic Area, some of your data may be transferred to that country. In this case, the transfer is subject to strict security and confidentiality rules in accordance with Articles 44 to 49 of the GDPR in order to ensure a level of security for your data that is essentially the same as that which you benefit from in Europe.

The civil liability insurer of the Clinic or its care providers insofar as this communication is necessary to defend a legal claim or to establish, exercise or support a legal action.

Not applicable

Not applicable

The external subcontractors used by the Clinique Saint-Jean as well as the subcontractors they use for the processing of personal data.

 

Yes

Some of our subcontractors may host data outside the European Economic Area. All transfers are subject to strict security and confidentiality rules in accordance with Articles 44 to 49 of the RGPD in order to guarantee a level of security of your data essentially similar to that which you benefit from in Europe.

The Clinic remains your main contact for further information regarding these transfers.  

The patients concerned or their representatives in accordance with the provisions of the law of 22 August 2002 on patients' rights.

Not applicable

Not applicable

 

  1. Your rights regarding the processing of your personal data


Right of information

You have the right to be informed about the processing of your personal data by the Clinique Saint-Jean.

Right of access

You have the right to access your data and obtain a copy.

Right of rectification

You have the right to rectify incorrect data about yourself.

 

Medical data cannot be rectified, but you can always ask for a note to be added to your file.

Right of erasure (*)

In limited cases, you have the right to request the deletion of some of your personal data.

Right of limitation of processing (*)

 

In limited cases, you have the right to request that all or part of your personal data are no longer processed.

Right of portability (*)

In limited cases, you may request that your data be provided to you or to a particular receiver in a commonly readable format.

Right to object (*)

In limited cases, you have the right to object to the processing of some or all of your personal data.

For processing based on your consent

You have the right to withdraw your consent

  • At any time;
  • Without any particular reason;
  • Without affecting the validity of the processing carried out prior to the withdrawal.

 

To do so, please contact the DPO at the following address: privacy-dpo@clstjean.be

You can exercise these rights by contacting:

  • The DPO at the following address: privacy-dpo@clstjean.be
  • The mediator at the following address : mediation@clstjean.be

In order to ensure your security, we reserve the right to verify your identity when you request to exercise your rights.

(*) These rights are not absolute. All requests will be analysed by the DPO who will decide what action to take.

 

Right to submit a complaint

You have the right to file a complaint at the supervisory authority:

Autorité de protection des données
Rue de la Presse 35, 1000 Bruxelles

 +32(0)22744800
 +32(0)22744835
contact@apd-gba.be

 

  1. Securing personal data

Clinique Saint-Jean takes reasonable technical and organizational precautions to prevent the destruction, loss, alteration, unauthorized access or inadvertent disclosure to third parties of personal data under its control. In addition, measures are taken to physically secure the location of the stored data.

  1. Managing personal data breaches

Any person who becomes aware of a breach, leakage or loss of personal data must notify the Clinique Saint-Jean through its Data Protection Officer as quickly as possible and provide as much information as possible about the breach.
Thereafter, the Clinique Saint-Jean will take the necessary steps, i.e.:

  • Investigation, evaluation and follow-up of the incident;
  • Taking measures to remedy, prevent or reduce the consequences of the incident;
  • Notification to the Data Protection Authority, if applicable;
  • Communication to data subjects, if applicable.
  1. Contact

If you have any further questions about the processing of your personal data, please do not hesitate to contact our DPO at the following email address: privacy-dpo@clstjean.be.