The new privacy legislation in The Netherlands and the impact on the healthcare industry

As of the 25th of May, the new privacy legislation (Algemene Verordening Gegevensbescherming, AVG) takes effect in The Netherlands. From that moment, general privacy legislation applies in the entire European Union, where it is called the General Data Protection Regulation (GDPR).

AVG explained in short

Based on AVG, companies can gather personal information based on:

  • User’s consent: freely given, unambiguous, informed and specific; the consent can be easily withdrawn and is verifiable.
  • Vital interests: when it concerns an interest that is essential for someone’s life or health and this person cannot be asked for consent.
  • Legal obligation: the processing of personal information must be necessary to meet legal obligations.
  • Agreement: when you have an agreement that is not itself about processing personal data, but processing personal data is necessary for the agreement to be concluded.
  • Common interest: when gathering data is necessary for the common interest or the exercise of public authority. These are tasks that are laid down in law and are relevant for your organisation.
  • Legitimate interest: valid if you have a legitimate interest, the processing is necessary to serve this legitimate interest, and you have weighed your interests against those of the person whose personal data you process.

Processing personal data is allowed only on one of the grounds mentioned above. Besides this, there is in all cases a matter of responsibility to take into consideration, which is probably the biggest change in the AVG. It means that, at all times, the reason for processing personal data needs to be well substantiated on the basis of one of these grounds.

Within the AVG there is a clear distinction between ordinary, extraordinary and criminal personal data.

Extraordinary personal data are, because of their nature, more sensitive and are given stronger protection in the AVG. New in the AVG is that genetic and biometric data are also included when these can be traced back to an individual.

Criminal personal data concern criminal convictions and criminal acts, or related security issues.

What is changing?

With the introduction of the AVG, some privacy rights become stronger and some rights are added.

The biggest difference might be that people have more possibilities to stand up for their rights concerning the processing of their personal data. It will also be easier to withdraw consent.

New rules in the AVG include, for example, the right of oblivion (the right to be forgotten): all gathered data would then be deleted upon request. It is also new that all institutions that received these data are obliged to delete them as well. Furthermore, there is a new rule concerning the receipt of personal data: the right to data portability means that people have the right to receive their personal data in a standardized format.

For institutions, a few matters will also change significantly. The biggest change concerns responsibility: institutions are obliged to be able to justify the reason for gathering personal data. Moreover, the following concrete changes will be implemented:

  • The Dutch Data Protection Authority does not have to be informed of the processing of personal data
  • It may be mandatory to carry out a data protection impact assessment
  • It may be mandatory to appoint a data protection officer

The new law does not only bring more difficulties for institutions; there will also be a few noticeable positive changes:

  • Lower administrative and compliance costs
  • More legal certainty
  • More equality within the European Union, since this law will apply to all institutions
  • Only one supervisor

What will be the consequence for the healthcare sector?

Within the healthcare sector, privacy is without a doubt very important. Every day, massive amounts of personal data are processed, and the privacy of these data needs to be properly safeguarded. In the healthcare sector these will often be extraordinary personal data, for which the rules are even stricter. A few rules that are highly important in the healthcare industry are:

  • As a caregiver, you are not allowed to process more personal data than needed for the purpose of the processing.
  • Caregivers who do not have a treatment relationship with the patient also do not need to have access to the patient's personal data.
  • Personal data cannot be stored any longer than needed.

Within healthcare, the protection of personal data is very important, not only because it has to be handled according to the law but also because it is generally expected within the sector that privacy issues are handled with care, since everyone wants their data to be properly protected.

Under the AVG, new information obligations apply and there are new rules about working with the patient's permission. In many cases, a care provider will be obliged to keep a register of processing activities, to carry out a data protection impact assessment and to appoint a data protection officer.

The existing rules about privacy are confirmed by the AVG and strengthened in some respects. The right to data portability is a new rule within the AVG and will also impact the healthcare sector. This rule entails, amongst other things, that data can be transferred to other institutions upon request of the person concerned. This can thus also happen between care providers. The rule only applies to data that have been provided actively and consciously, or data that have been provided through the use of a service or device.

How can Foston Europe’s software contribute to complying with this new legislation?

Foston offers technology-based solutions for healthcare institutions. Calas is Foston’s system integration platform for healthcare institutions. Calas obviously gathers a lot of data, and the care provider has to handle these data carefully with regard to privacy and in accordance with the new privacy legislation in The Netherlands, which now applies in all of the European Union.
