Data Protection
On this page we explain how we handle data and which assessment we have carried outData Protection Impact Assessment (DPIA):
This form has been developed from the following sources:
- The GDPR itself
- The General Data Protection Regulation Manual, issued by the Authority Personal Data.
- Group data protection impact assessment guidelines Data Protection, ss last amended and adopted on October 4, 2017
- Privacy Impact Assessment (PIA): Introduction, guidelines and questionnaire Version 1.2 – November 2015 published by NOREA
Organizational data
Name, address of organization:
Guido Terhorst, Touristdoc, Prinsengracht 762 A HV – 1017 LD Amsterdam
Drafter DPIA:
Guido Terhorst
Name and contact details of DPO (if appointed):
At the moment no DPO has been appointed, this task will be held by Guido Terhorst for the time being.
Other stakeholders and experts consulted:
No other stakeholders or experts were consulted when completing the Data Protection Impact Assessment.
Step-by-step implementation:
The Data Protection Impact Assessment was conducted and completed on June 14, 2021
Data of the processing
Describe here which personal data is involved (name, email, medical, …):
There are a number of forms on our websites and iOS app that we use to collect data:
1. The first is the form on our home page that records a consumer’s name, phone number, email address and location. The location can also be kept empty so that it is not registered. This data is then processed in the Touristdoc iOS app and deleted after 72 hours.
2. On every Touristdoc website there are also contact forms where the following information is collected: name, telephone number and e-mail address. These contact forms are used for customers or companies that want to work with us.
3. We register the name and address details of doctors via the Touristic app. In addition, also the public registration number of doctors. This way we can determine whether this is a licensed doctor. In addition, the specialties and whether the doctor in question has insurance.
For what purpose and in what process is this data used?
Touristdoc collects three different data streams. The first is for customers where we collect the data to contact a customer and also complete billing to the customer or insurers.
The second data stream is the registration data of doctors. We collect this data because we want to determine whether we are dealing with a licensed doctor.
The third data stream is from people who want to contact us and we collect this data because they also want to contact the person who contacts us.
Which groups of data subjects are the personal data of (website visitors, students, customers, …):
The groups involved are linked to the visitors of the website and doctor in the form as users of the app.
Is this DPIA for an existing situation, or for a newly proposed situation?
This DPIA is for a newly proposed situation.
Should a DPIA be performed
A DPIA is only required if a data processing is likely to pose a high privacy risk for the data subjects (the people whose data the organization processes). At least that’s how an organization:
- systematically and comprehensively evaluate personal aspects, including profiling;
- processes special personal data on a large scale;
- Widely and systematically monitor people in a publicly accessible area
(for example with camera surveillance).
To determine whether there may be a high risk, the supervisors use the rule of thumb below. There is a high risk if two or more of the following nine criteria are met:
- evaluation of persons or scoring;
- automated decision-making with legal effect or similar material consequence;
- systematic monitoring;
- sensitive data or data of a very personal nature;
- widely processed data;
- matching or merging of data sets;
- data relating to vulnerable data subjects;
- innovative application of new technological or organizational solution;
- Blocking of any right, service or contract.
What criteria does this processing meet? Provide a short motivation for each criteria:
- The evaluation of persons or possible scoring thereof always takes place between the personal conversation between patient and doctor. We collect the data on our website(s) to facilitate contact between both parties, but do nothing for evaluation or scoring. This takes place in the confidential conversation between doctor and patient.
- Automated decision-making does not take place.
- Systematic monitoring does not take place.
- Sensitive data in the field of name and address, doctor’s data and additional patient data are included in our forms and these are used to facilitate contact between both parties and also to ensure the quality of doctors.
- The data will not be processed on a large scale. Touristdoc has different subdomains per location, each of which manages and processes their information. This allows us to split the data processing into small pieces, so that no large-scale processing takes place.
- Data sets will not be merged
- The data related to vulnerable data subjects will not be stored if it will ever be processed at all.
- This is an application of an innovative new technology that enables patient requests to be identified and acted upon.
- There is no blocking of any right, service or contract
Systematic description of the data processing Describe here in more detail how the data processing works:
The data processing takes place in the field of a form on the website that collects the name, telephone number, e-mail address and location of patients. In addition, the information of patients and doctors is processed on the app, which is processed via a secure connection.
How/where is the information collected?
The data is collected via a registration form on the website and a form on the Touristdoc app.
Where is it stored? Who can join here?
The data is stored at a Netherlands web hosting provider on a secure server. The name of the web hosting provider is Vservs which then rents servers from Transip which is a Dutch ISP. No one can participate in this without explicit permission and access from us.
How is the information used? Is every field used?
The information is used to contact the patient and make an assessment of whether further steps are necessary.
What are the purposes of the processing? Can these goals be achieved without the data?
The goals of the processing of the data are that a follow-up step can be successfully continued and a successful assessment can be made based on the information.
Is permission requested within the process? Are there any later unsubscribe/opt-out options?
Within the process, permission is requested in advance for the use of certain hardware functionalities such as Bluetooth and when filling in the form, the patient or doctor is made aware of the privacy policy of Touristdoc.
What is the retention period of the data? How is the deletion of the data arranged?
The data of patients is stored on our server for 72 hours and a copy of the consultation is stored for 3 years on the Microsoft exchange mail account of Touristdoc.
What hardware and software are used for data processing?
No hardware is used for the data processing and the software uses APIs that link the WordPress websites of Touristdoc and the iOS app of Touristdoc.
Which departments, suppliers and other parties are involved in the processing as a processor?
As a processor in the processing, Vservs are involved as an ISP and Microsoft as a cloud service where the e-mails are stored.
Is there an international transfer? Which countries does this concern?
There is no automatic international transfer, it is possible that the patient can take his data on paper abroad.
Where is the data archived? Is this paper or digital?
The data is digitally archived on the server(s) of the organization.
What is the expected scope of the data processing (number of data subjects):
There is as yet no insight into the expected scope of the data processing.
Assessment of necessity and proportionality
Is there a clearly specified goal? What exactly is this purpose, and why is it legitimate?
The clearly specified goal is the treatment of tourists by local general practitioners.
Can this goal also be achieved without this personal data? Why not, or why not do it differently?
This goal cannot be achieved without personal data that we retrieve from the app or the website, because patients must be contacted that we do not yet know and cannot get somewhere else in advance.
Is there a clear maximum retention period?
The legal retention periods in the field of medical law are adhered to.
Is sufficient information provided to the data subject? Is it clear to data subjects what rights they have and how they can exercise them?
The information provided to the data subjects is our privacy policy which is reflected in every request that is sent.
How is the right of access guaranteed?
The right of access is guaranteed by emailing our privacy officer at info@touristdoc.com.
How is the right to rectification guaranteed?
The right to rectification is guaranteed by emailing our privacy officer at info@touristdoc.com.
How is the right to removal guaranteed?
The right to erasure is guaranteed by emailing our privacy officer at inf@touristdoc.com.
How is the right to data portability guaranteed?
The right to data portability is guaranteed by emailing our privacy officer at info@touristdoc.com.
Privacy Risk Assessment
How do you estimate the probability and impact of the following risks:
|
Risk |
How can this risk arise? |
Chances of this happening in a year |
Impact on those involved |
|
Unlawful Access – Internal Employees |
This is possible when internal employees gain access to the e-mail addresses of doctors, registered users of the app and/or colleagues within the organization to which the created login codes of accounts arrive. |
Low because these codes are generated every time, which means that the employee must systematically access the e-mail addresses of the administrators. |
Low because the information is stored encrypted and data is also stored in a fragmented way, so that no coherent information can be extracted. |
|
Unauthorised access – by outsiders |
If the cloud service and ISP of Touristdoc are broken into. |
Low because a two-step verification reduces the chance of burglary. |
Low because the information is stored encrypted and data is also stored in a fragmented way, so that no coherent information can be extracted and adapted. |
|
Unwanted changes to data – internal employees |
If an employee changes the information of users in the admin panel of the website and app. |
Low because a two-step verification reduces the chance of burglary. |
Low because the information is stored encrypted and data is also stored in a fragmented way, so that no coherent information can be extracted and adapted. |
|
Unwanted modification of data – by outsiders |
If the admin panel of the website and app is broken into. |
Low because a two-step verification reduces the chance of burglary. |
Low because the information is stored encrypted and data is also stored in a fragmented way, so that no coherent information can be extracted and adapted. |
|
Disappearance / Loss of data |
When the website or app crashes |
Low because there is a daily backup |
Low because the information is stored encrypted and data is also stored in a fragmented way, so that no coherent information can be extracted and adapted. |
What is the exact impact of data leakage on data subjects?
In the even of a data breach, information from doctors and patients may be extracted. This is data from the last 72 hours. In the case of doctors, this is general contact information.
Does this have any negative consequences for the person?
The information that can be extracted from both the doctors and the patients is not sensitive in nature. If this is extracted, we will report this to the relevant persons so that they can take action.
Is there a risk of financial damage?
With the information that is extracted, the risk of financial damage is relatively small.
Is there a risk of identity theft or fraud?
With the information that is extracted, the risk of identity theft or fraud is relatively small.
Measures
Can you indicate per risk which measures you take to protect the data:
|
Unlawful Access – Internal Employees |
We have two-step verification and a daily backup so that information can be retrieved and the essential parts are always available after a server reset. This allows an intrusion to be resolved and passwords to be reset. |
|
Unlawful access – by outsiders |
We have two-step verification and a daily backup so that information can be retrieved and the essential parts are always available after a server reset. This allows an intrusion to be resolved and passwords to be reset. |
|
Unwanted changes to data – internal employees |
We have two-step verification and a daily backup so that information can be retrieved and the essential parts are always available after a server reset. This allows an intrusion to be resolved and passwords to be reset. |
|
Unwanted modification of data – by outsiders |
We have two-step verification and a daily backup so that information can be retrieved and the essential parts are always available after a server reset. This can prevent a break-in and passwords be reset. |
|
Loss of data |
We have two-step verification and a daily backup so that information can be retrieved and the essential parts are always available after a server reset. This allows an intrusion to be resolved and passwords to be reset. |
Are there any additional organizational measures you are taking?
No, we do not yet have any additional organizational measures that we are taking.
Are there any additional technical measures you are taking?
No, we do not yet have any additional organizational measures that we are taking.
Is it clear who is responsible for maintaining and evaluating the measures taken at the end of the project? Who is this:
This is Guido Terhorst
Advice from the DPO
Have you appointed a Data Protection Officer (DPO)? Then it is mandatory to ask this person for advice. Record the advice of the DPO below:
A DPO has not yet been determined and will be determined in due course.
Name FG:
This should be determined in due course.
Date of advice:
This should be determined in due course.
Answers from FG:
This should be determined in due course.
Are the data processing and purposes clearly described?
This should be determined in due course.
Is the processing of the personal data necessary or proportionate for the purposes?
This should be determined in due course.
Have the privacy risks been sufficiently identified? Which risks are still missing?
This should be determined in due course.
Advice from stakeholders and representatives
Have there been discussions with those involved or representatives for this DPIA? What response did they give? How was this response processed?
This should be determined in due course.
Prior consultation
Does the DPIA indicate that the processing poses a high risk if you do not take risk mitigation measures? Answer and motivation below:
No, because the architecture of our website, cloud services and app is designed in such a way that is not a high risk if risk mitigation measures are not taken.
If yes, you must request a prior consultation with the Dutch Data Protection Authority (AP). You must provide the DPIA to the AP.
Processing register
| Processing activity | Purpose | Legal basis | Category involved | Mandatory part of category data | Recipients (to which information is provided; no processors) | Outside the EU | Retention period | Additional / specific measures |
| Healthcare provision | ||||||||
| Processing physician requests, recipe processing and patient assessment | Providing care | Treatment agreement | Patients | Patient data and medication data | No | No | 15 years | / |
| Send unique login code by email | Ability to provide remote care | Contract | Patients | Contact details (telephone number and email address) | No | No | 2 years | / |
| Processing UUIDs | Delivering online care | Treatment agreement | Patients | Anonymised UUIDs | No | No | 15 years | / |
| Processing online requests | Delivering online care | Treatment agreement | Patients | Patient data and medication data | No | No | 15 years | / |
| Third party consent registration | Sharing medication (data) with third parties | Consent | Visitors | Identification data (NAW and date of birth) | No | No | 2 years after withdrawal | / |
| Review patient requests and initial digitally | Recipe control | Treatment agreement | Patients | Patient data (NAW) | No | No | 15 years | |
| Administration | ||||||||
| Registration UIDs that patient has come into contact with | Check with which UIDs the patient has been in contact and how | Control of infectious disease diseases from the RIVM | Patients | Anonymised UUIDs | GGD and general practitioners | No | 7 years | / |
| Exchange of information with other caregivers | ||||||||
| Availability and retrieval of patient data (pull traffic) | Data exchange between caregivers | Consent (data exchange) | Patients | Patient data and medication data | Other healthcare providers (Caregivers are listed on the VZVZ site) | No | 15 years | / |
| Sending patient data (push traffic) | Data exchange between caregivers | Treatment agreement | Patients | Patient data and medication data | Other healthcare providers (business partners) | No | 15 years | Cooperation arrangements |
| Care research and improvement | ||||||||
| Supply of pseudonimmised data for research | Involving human subjects, scientific research | Consent (data exchange) | Patients | Patient data and medication data | Scientific research offices | No | 15 years | / |
| Analyze patient data | Improving care and Benchmarking | Treatment agreement | Patients | Patient data and medication data | No | No | 15 years | / |
| Query send list based on a query | 1. Calling patients via an in-app notification for a test 2. Setting up a survey to improve care-enhancing 3. Inform patients by email about care and about a test |
Treatment agreement | Patients | Patient data and medication data | No | No | 15 years | / |
| Dealing with complaints and incidents | Handle complaints, incidents and notifications from patients and caregivers | Treatment agreement | Patients | Patient data and medication data | No | No | 15 years | / |
| Others | ||||||||
| Creation of a video consultation for remote care | Protection of patients and contact group | Legitimate interest | Patients and doctors | Visual material (video) | No | No | 4 weeks | Automatically deleted after 4 weeks |
| Send periodic newsletter | News and advertising | Consent | Subscribers | Email address | No | No | 1 year subscription | Possibility to subscribe via the website |
Data Protection Impact Form
Fill in your details
An account will be created for you after registering.
Verifying your data and agreements
We will hold a video conference with you in order to verify your details and generate a contract.
Setting up
A local website, marketing plan, and automated payment gateways will be created for every new location that Touristdoc adds.
Start earning commission
After signing the contract, you will be connected to our local branches and can start earning commission as a partner.
Contact Touristdoc
Not an emergency but a question? Don’t hesitate to contact usCall a doctor: +3120-2624282