Information notice concerning the protection of your personal data

The purpose of this Information Notice is to inform you of the way in which The Institution processes your personal data. 

Your personal data as collected in particular at the time of a consultation, hospitalisation or emergency care relate to your health and are therefore highly sensitive. 

This is why The Institution manages and protects your data as appropriate and always in accordance with the legal provisions.   

You will find hereunder information on the data categories The Institution collects, the purposes for which The Institution processes these data, the entities with which The Institution can share them, the measures The Institution takes to protect your data and the way in which you can exercise your rights regarding your data. 

The essential elements of the data protection policy are as follows:   

• Data are only processed insofar as is necessary for realising The Institution's missions that include the provision of care and the legal obligation to keep an up-to-date Patient File containing information of a medical, administrative, social and financial nature;   
• Your data will only be transferred to third parties in a context corresponding to the hospital's missions and under no circumstances for commercial purposes;   
• Your data are stored/processed principally in Europe. If they are transferred outside the European Economic Area, The Institution puts into place appropriate guarantees to accompany the transfer and to enable you to exercise your rights; 
• The period during which your data are retained complies with the limits imposed by law; 
• For any questions concerning the processing of your data and the exercising of your rights, you can put your request to the data protection officer at the following address:   dpo@bordet.be

The Institution is legally responsible for processing your personal data.   

• Contact :
  • Jules Bordet Institute
  • Rue Meylemeersch 90, B1070 Brussels
  • Contact : +32(0)2 541 31 11
  • Web : http://bordet.be

The Institution has apponted a data protection officer who can be contacted for any question concerning the protection of personal data at the following address: dpo@bordet.be.

General Data Protection Regulation or GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (accessible via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679 .

The Belgian law on the protection of privacy: Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (accessible via the following link): https://www.autoriteprotectiondonnees.be/publications/loi-cadre.pdf);  

Personal data: Any information or grouping of information that identifies or renders identifiable a natural person, in particular through reference to an identifier such as a name, an identification number, location data, an online identifier, etc.  It can also be one or more specific elements relating to the health or the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 

Processing: Any operation or set of operations that is performed, whether or not by automated means, on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 

Data subject: The natural person identifiable or identified and whose personal data are processed;   

Data controller: The natural or legal person (public authority, company, non-profit organisation, etc.) which determines the purposes and means of the processing, that is, the objective and means of achieving it. In practice and in general, this is the legal person as represented by its legal representative(s);  

Processor: The natural or legal person that processes the personal data on behalf of another body ("the data controller") in the framework of a service. For example, the processor of laboratory analyses, mail dispatch, etc. 

Recipient: A person authorised to obtain data registered in a file or a data processing by virtue of the functions exercised;     

Third party: A natural or legal person, a public authority, agency or body other than the data subject, data controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. For example, the INAMI [National Institute for Health and Disability Insurance], health mutuals, GP, etc. 

Data concerning health: Data concerning the physical or mental health, whether past, present or future, of a natural person (including the provision of healthcare services) which reveal information about that individual's health status. This can be information concerning a natural person collected at the time of registering to receive healthcare services or when these services are performed, information obtained at the time of a test or examination of a part of the body or of a bodily substance as well as information concerning an illness, handicap, risk of illness, medical history, a clinical treatment or the physiological or biomedical status of the person concerned;

Patients: Any natural person who receives care. Also regarded as a "patient" are donors and recipients in the context of organ transplants, stem cell grafts, insemination, as well as healthy volunteers in the framework of clinical trials; 

Supervisory authority: An independent supervisory authority charged with monitoring the application of the GDPR. In Belgium, this mission is assumed by the Data Protection Authority;

Violation of personal data: Any security incident, whether of malicious origin or otherwise and that, whether intentionally or not, results in the integrity, confidentiality or availability of personal data being compromised; 

Pseudonymisation: A security measure that aims to reduce the identifiable nature of data while retaining a link between the data and the individual they concern. Data pseudonymisation makes it impossible to directly identify a person but does make it possible to identify data subjects on the basis of additional information (for example: a code, identification key) that must be stored in a secure manner; 

Anonymisation: A processing that consists of using a set of techniques so as to render impossible, in practice, any identification of the person  by any means whatsoever and this irreversibly so; 

De-identification : A processing that involves removing enough elements for the data subject to be unidentifiable. The aim is for the data to be processed in such a way that they can no longer be used to identify a natural or legal person by having recourse to "all means that can be reasonably implemented", either by the data controller or by a third party.  

Public health: Notion designating "all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, healthcare needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality."   

The Institution collects pertinent data that are necessary to provide you with healthcare services (medical, nursing, paramedical), to draw up your patient file and to manage your administrative and social file

The Institution manages your medical data (for example: health status, medical examination results, pathologies, medical history, etc.) and your administrative data (or example: identification data such as first name and last name, national register number, invoicing data, etc.). 

The Institution also processes other data necessary for purposes determined or imposed by law (for example: data on lifestyle, on the family or professional situation, on contact or trusted persons or authorised representatives, on philosophical or religious beliefs, on sexual behaviour, on racial or ethnic origin, etc.). 

These data can be collected either directly from you, or indirectly from your representative, your prescribing physician or your GP. 

To find out more

Depending on the purposes of the processing, personal data processed by The Institution can concern the following categories: 

• Personal data:
  • identification data (for example: first name, last name, unique patent number, etc.); 
  • contact details (for example: contact postal address and/or domicile, landline and/or mobile telephone number, etc.);
  • biographical data (for example: age or date of birth, place of birth, gender, nationality, language spoken, etc.); 
  • personal life (for example: civil status; household composition, etc.);
  • lifestyle (for example : dependency - alone, in an institution, autonomous, bedridden;  assistance – home help, family assistance; physical exercise, diet and dietary regime; urban, semi-urban, nomadic, sedentary lifestyle; housing) ;
  • data concerning contact persons (for example: representatives, legal representative, trusted person, care providers, specialist prescribing doctor, primary care physician, etc.); 
  • education level (for example: primary, secondary, higher);
  • professional life (for example: training, experience, CV, etc.); 
  • connection data (for example: IP addresses, logs, terminal identifiers, connection identifiers, timestamp information, etc.);    
  • Images (for example: identity photo, images filmed by surveillance camera, etc.); 
     
• ​​​​​​​Data regarded as "sensitive":
  • financial and administrative data relating to admission and invoicing (for example: bank account number, data concerning membership of health mutuals or insurance companies, etc.); 
  • social data (for example: identification of downstream structures and rehabilitation centres, intervention by the CPAS [Public Centre for Social Welfare], ONE [Employment office] or any other parastatal organizations, etc.);
  • national register number;
    ​​​​​​​
• "Sensitive" data (or "special category personal data" according to GPDR article 9): 
  • health data (for example: weight, height, blood group, diagnoses, results of examinations, personal or family medical history, details of appointments, consultations and hospitalisations, pathology history, list of allergies, care plan, administration of medicines, nutrition and dietary data, neuroimaging results, etc.)
  • biometric data (for example: fingerprints, funduscopic examination results, ocular biometry, etc.); 
  • genetic data; 
  • samples taken;
  • ethnic origin;
  • political opinions; 
  • religious or philosophical beliefs or trade union membership;
  • data concerning sex life or sexual orientation of a natural person. 

The Institution only processes personal data that are necessary to: 

• safeguard the vital interests of the data subject (for example: processing data concerning a person admitted to the Emergency Department); 
• fulfil a contract (for example: processing data concerning the invoicing of services requested and/or provided); 
• carry out a mission of public interest with which The Institution is charged (for example: processing of data for teaching or research purposes); 
• comply with a legal obligation (for example: processing data relating to risk groups or organ donors); 
• achieve The Institution's legitimate interest (for example: recording and management of risks and undesirable events, processing concerning technical management, logistics, property security, access control, improvement and optimisation of processes, comparative evaluation, follow up of legal actions, etc.). 

If the processing of personal data cannot be based on one of these elements, your agreement in writing is required before processing

Your data are processed in the interests of organising your care and completing your patient file, as well as managing your administrative, financial and social follow-up within The Institution and the Care Network of which it is a part.

Your personal data can also be used to permit The Institution to fulfil other missions, namely clinical teaching and scientific research, unless you oppose this. 

The Institution pays particular attention to ensuring that the personal data are processed as appropriate, for the purposes of the data processing only and in line with the applicable legislation. 

The purposes for which The Institution processes personal data are the following: 

• Care activities
  • computerised management of the patient file to permit diagnosis, treatment and communication of information concerning medical, nursing and paramedical care to patients, under conditions of optimal security; 
  • care for patients admitted to the Emergency Department; 
  • social care;
  • management of prescriptions and results of medico-technical examinations; 
  • the prescribing, delivery and administration of healthcare products and requests for interventions; 
  • recording of risk groups, for the purpose of identifying and following up persons presenting a medical risk; 
  • donor registration, with the aim of creating files on persons wishing to be donors, promoting this aim and using these files;    
  • management of births and deaths registrations;
  • registration of screening tests or follow-up results in official registers or with the official bodies (in particular, cancer registration with the Belgian Cancer Registry Foundation, registration of deafness with the ONE [National Employment Office], registration of rare disease monitoring with Sciensano, etc.).
  • blood, stem cell and tissue bank, etc.
     
• Support activities
  • administrative and financial management of patients for the purposes of invoicing and debt collection, this involving the communication of information to authorised third parties (health mutual, insurance, debt collection companies, etc.);
  • management of contacts concerning family, authorised representatives, contact persons and trusted persons appointed by the patient to improve his or her treatment and administrative and social follow-up;
  • management of contacts and directories concerning primary care physicians, prescribers, dispensers and signatories so as to ensure treatment follow-up; 
  • technical management of the information system supporting infrastructures and institutional applications that process personal data; 
  • logistics management for patient care and reception, namely stretcher carrying, reception, appointments, security, dietetics;
  • registration and management of undesirable events relating to patient security;
  • management of requests made by the patient concerning the exercising of his or her rights by virtue of the General Data Protection Regulation and the law of 22 August 2002 concerning patients' rights; 
  • management of complaints and disputes;
  • management of spiritual support and well-being;
  • security of persons and property as assured in particular by video surveillance cameras and access controls; 
     
• Medico-economic management activities
  • registration of patient medical and hospitalisation data for the purposes of The Institution's internal management and for the purposes imposed by the public authorities; 
  • evaluation of care quality, resources management and control of hospital activities. 
     
• Research and teaching activities
  • clinical teaching and the training of doctors and other healthcare professionals; 
  • applied scientific research (retrospective and prospective studies and clinical trials); 
  • development of new technologies;
  • management of human body material and tissue banks; 
  • creation of mono-centric or multi-centric registers; 
    ​​​​​​​
• Data communication
  • communication to healthcare professionals of requests for analyses and medical examinations and of their results; 
  • communication of the necessary information for patient discharge, to organisations in the  social and family assistance, medico-social or  psychopedagogical sectors or to upstream reception structures necessary for the reception of patients coming from a downstream structure; 
  • electronic exchange of health documents (results of examinations, medical reports, mail, appointments and appointment reminders by text message, etc.) to and from the patient and between care providers providing care for the same patient and for patients who so desire; 
  • communication to third parties on the presence and localisation of the patient, unless the patient opposes this or such communication is damaging to the patient's interests. 

Persons involved in ensuring your treatment and related administrative and social support run smoothly process your personal data, within the limits necessary for their missions and for the specific purposes of the treatment.    

When processing your data all these persons undertake to respect the relevant legal and regulatory provisions, notably The Institution's Internal Regulations that include provisions concerning data protection, the obligation to respect professional secrecy or a contractual or statutory confidentiality obligation to similar effect and the code of confidentiality for medical and nursing staff. 

To find out more

Staff of The Institution or members of the Care Network of which The Institution is a part as well as partner institutions have access to your data in the framework of the limits of their missions and tasks and as follows:

• The Supervisor
  This is the supervising practitioner as appointed from among the physicians who are members of The Institution's medical team, the said Supervisor being responsible for supervising all aspects of the care and other services with which the  medical or care team provide the patient. 

• Medical and care team:
  This is a list of the names of doctors, assistant specialist doctors, trainee specialist doctors, staff of the hospital pharmacy, members of the care teams, paramedics and type 1 auxiliary staff, who are involved in the tasks required or performed as part of patient care, under the supervision of the Supervisor. The care is of a medical, nursing, healthcare and social nature.

• The health professionals
  In accordance with the Coordinated Law on the Exercise of Healthcare Professions of 10 May 2015, the term "health professional" refers to persons in charge of patients, that is,  doctors (senior doctors, consultant doctors, assigned doctors), assistant specialist doctors, MACCS [trainee assistant specialist doctors], dentists, hospital pharmacists, other healthcare professionals, that is, nurses, auxiliary nurses,  physiotherapists, midwives, biologist pharmacists, clinical psychologists and any other practitioner who can give orders, give consultations and/or carry out acts and interventions for treatment, pharmaceutical or care purposes.  The term specifically excludes visiting doctors, research doctors and scientific managers. 

• Type 1 auxiliary staff 
  Type 1 auxiliary staff refers to persons who participate, following delegation by a Supervisor, in providing medical and nursing care and social support for patients.  This category of staff forms part of the medical and care team and includes paramedics (hospital dietitians, ergotherapists, acoustic aid specialists, speech therapists,  opticians, orthoptists, prosthetists, chiropodists, bandage and surgical truss makers, medical imaging technicians, laboratory technicians, etc.), trainees (doctors, physiotherapists, midwives, nurses, dieticians, etc.), medical secretaries, social assistants, stretcher bearers, care coordinators. 

• Type 2 auxiliary staff
  Type 2 auxiliary staff refers to any internal or external employee who requires access to information concerning the patient for the purposes of his or her mission. These may be administrative staff (patient reception and administration, consultation, planning, invoicing secretary,  DI-RHM/RCM [nursing information- minimum clinical overview/minimum clinical overview] encoder), patient mediators, archivists, volunteers,  educators/activity leaders, spiritual accompaniers, administrative nursing assistants, researchers (doctors, students), scientific managers, data managers, data protection staff, data protection managers, information security advisors.    

• Type 3 auxiliary staff
  Type 3 auxiliary staff refers to support staff, that is, equipment technicians, data processing staff, staff assigned to logistics services. 

• Other
  Third persons bound by a contract and subject to professional secrecy in the framework of a mission under a control authority.
  Any health professional who has access to documents published on health networks (RSW, AZbrumet, etc.) in the framework of their treatment relationship.

Within the limits of articles 6 and 9 of the GDPR and insofar as is necessary for the purposes referred to in article 7 of this information notice, various categories of recipients can legitimately receive the communication of certain of your data. 

In all cases, the sharing of your data with third parties or with organisations outside The Institution can only take place in the framework of your care and treatment (sharing of information with other hospitals, doctors not practicing within the Institution, etc.), in the framework of a legal obligation to transmit data to which the Institution is subject (for example, by virtue of a law, a regulation or a judicial procedure) or, possibly, following your consent. 

When such data exchange takes place, The Institution guarantees that it shall put into place the appropriate technical and organisational measures, such as concluding a contract and using secure means of communication.   

To find out more

The recipient categories with which The Institution may exchange your data are the following: 

• the patients concerned or their representatives within the limits of the provisions laid down by the law of 22 August 2002 concerning the patient's rights; 
• at the patient's request, after duly notifying the patient and obtaining his or her explicit authorisation, any authorised person;   
• social security organisations, insurance companies and other social assistance bodies provided this is imposed by or pursuant to a law or authorised by the patient. 
  • In this context, when you ask to apply the "tiers payant" [third party payer] with your supplementary hospitalisation insurance, you authorise the hospital to transmit detailed invoices by electronic means to your insurer that include the following elements:  cost of hospital stay with admission and discharge dates, type of stay, admission and transfer departments; various fees and costs with INAMI codes for care that is not reimbursed, fixed fees, implantable medical devices; amounts payable by the insuring body and amounts payable by the patient are also communicated; the provider(s), the prescriber(s), the pharmaceutical specialities administered, communiqués;
• the National Institute of Health Insurance if this is imposed by or pursuant to the law or authorised by the patient   
• the public bodies that are authorised by a decision of the authorities; 
• the patient's external care providers in the framework of patient care (for example:   SMUR [Mobile Emergency and Reanimation Service], ambulance, adapted transport for patients,  bandage companies, pharmacies) ;
• other bodies if imposed by or pursuant to the law (for example for donating an organ) or authorised by the patient;  
• the insurer of the professional liability of the hospital or the practitioner designated by the hospital, through the intermediary of his or her insurance broker, and this without the patient's authorisation, provided this communication is necessary for arriving at an amical agreement, defining a right before the courts or to initiate, exercise or support legal proceedings; 
• external processors or third parties to which The Institution has recourse to process personal data and for which the appropriate guarantees are in place regarding the protection of personal data (for example: transport to home, mail dispatch, text messages confirming appointments, debt collection company, mediation services, etc.); 
• the "Clinical Research Assistants", whose mission is to audit, under the sponsor's authority, the studies or clinical trials carried out using data collected solely on the basis of your consent.  
   
• With the exception of the cases as set out above, only anonymous or coded data without possibility of re-identification can be exchanged with other persons and bodies.

To find out more about the sharing of your data with our Care Network partners

The Institution participates in care networks. Within these networks the partner institutions make the information they possess on you at the disposal of professionals through the shared care file. These institutions that provide healthcare and care services are as follows:  

• List of institutions and partners
  • Brussels University Clinics – Erasmus Hospital;
  • Lothier Polyclinic  (Erasmus);
  • Nivelles Polyclinic
  • Geriatric Rehabilitation Centre (CRG)
  • Centre for Traumatology and Rehabilitation (CTR)
  • Queen Fabiola University Children's Hospital (Huderf)

These networks are subject to the law amending the coordinated law of 10 July 2008 on hospitals and other care establishments in regard to clinical networking between hospitals. 

Networking information is a means to permit health and care professionals involved in your healthcare to consult your files so that they can gain a better understanding of your needs and take the best decisions with you and for you. That means: 

• you will not need to give your details every time you require care;
• clinicians and care and paramedical teams will be able to see what medicines you take and if you have any allergies, thereby making your treatment safer; 
• they will also be able to take the best decisions concerning your care in full knowledge of your recent medical history - elements such as tests, analyses, results and prescriptions; 
• you will not need to explain useful elements for your continued care and social support to healthcare professionals; 
• you will receive more effective treatment as the clinicians and teams treating you will not have to wait for other partner organisations to communicate your information.   

What information will the health and care professionals be able to see? 
The information that our partners' professionals can consult via the shared care file are set out below. We have divided this into "health care" and "social care" to show the type of information that each partner organisation will be able to consult. 

• Medical care and continuity of care
  • identification data and information such as name, photo, address, date of birth and NISS [National Register] number;
  • persons to contact, especially in case of emergency;
  • providers of the care and services received;
  • your medication and care plans;
  • any alert, allergy or risk relevant to your care; 
  • your medical and maternity history;
  • details of birth and neonatology;
  • information concerning any surgery you have undergone;
  • file on care received as hospitalised patient or outpatient;
  • your appointments;
  • documents such as discharge summaries, hospital letters, care plans, risk evaluations and references; 
  • results of investigations, scans and laboratory tests;
  • reports such as on radiology analyses or X-rays;
  • examinations, to check your blood pressure for example;
  • studies or trials in which you could participate;
  • information on evaluations by the social services;
  • details of support care, such as your end-of-life preferences.
     
• Social care
  • identity information and details such as your name, address, date of birth and NIS number;  
  • persons to contact in an emergency;
  • information on the social services assessment; 
  • the care providers and services you have used; 
  • any protection information designed to protect you;
  • your medicines and care plans;
  • your appointments;
  • a summary of the care you have received or are receiving within the partner institutions; 
  • details of support care, such as end-of-life preferences.

Each partner organisation is responsible for the information it consults or makes available for consultation through the shared care file.  This includes the personal files and special category information they hold. All the partners that can consult your information must respect the law and ensure that they always process your personal information lawfully.  The processing they are required to carry out depends on the cares or services you require. For this data sharing, our legal bases are as follows:   

• provision of health/social care (Art 6 (1) and 9 (2) h of the GDPR) when you register within an institution that is a part of the network; 
• vital interests ("life or death" situation) (Art 6(1)d and 9(2)c of the GDPR) when you are taken to the emergency department or are unconscious; 
• protection of vulnerable adults and children (Art 6 (1) c, 9 (2) g of the GDPR) when the situation requires specific care.

The Institution as data controller and processors if applicable implement and maintain adequate technical and organisational measures with a view to securing personal data against access, change, loss or accidental, unauthorised or unlawful destruction

Your data are retained, stored, consulted and communicated in accordance with the good practices and minimum standards imposed on the healthcare sector by the competent authorities. 

The Institution has put into place appropriate procedures so as to manage any presumed violation of personal data. When legally bound to do so, The Institution shall inform you if there is any violation having an impact on your data as will also the Data Protection Authority and any competent organisation.  

To find out more

The principal security measures taken by The Institution are as follows: 

• designation of a data security officer;
• physical security measures to protect sites where data are stored (identified and secured rooms, limited access, devices to protect data processing from physical dangers such as fire, water damage, etc.); 
• restricted access to data and data processing means.    Checks and restrictions are carried out in regard to limited and authorised logical access by Institution staff. Each user has an identifier and password that are personal and confidential (logical access control); 
• application of a password policy with a unique authentication service and obligation to change the password regularly; 
• implementation of traceability mechanisms for identifying, collecting, processing, conserving and deleting information, of a nature to serve as proof; 
• implementation of regular checks on event logs with a view to detecting infractions and violations; 
• use of encryption when using fixed supports (including external hard disks, USB stick) and at the time of electronic communications with a view to protecting confidentiality (encryption);
• reduction or removal of identifying nature of personal data when the processing permits (pseudonymisation or anonymisation). Pseudonymisation is strengthened in development or test environments; 
• protection of data and data processing systems against malicious software (protection against malicious codes); 
• management of security incidents according to a specific procedure; 
• implementation of a data backup and recovery system; 
• implementation of measures designed to protect information on communication networks (securing of networks); 
• implementation of measures aimed at protecting information when it is transferred to an external entity (information transfer); 
• making staff members aware of data protection; 
• restricting access by external recipients that have secure access that permits them to access the data and environments necessary for the purposes of their mission only; 

If your data are transferred outside the European Economic Area (consisting of the European Union, Liechtenstein, Iceland and Norway), The Institution undertakes to put into place all the appropriate guarantees to ensure that this data sharing meets the obligations laid down in the legislation on the protection of personal data.  

Notwithstanding any legal or regulatory provisions, notably relating to data storage, the following data retention periods apply, beginning on the date the patient is discharged or receives his or her last treatment:  

• data included in the Patient File are retained for a minimum of 20 years (nursing file) or 30 years (medical file) and a maximum of 50 years; 
• data concerning the organisation of the hospitalisation are retained for 10 years; 
• data concerning patient administration are retained for 10 years; 
• data concerning clinical trials are kept for at least 25 years after completion of the trial in accordance with the applicable legislation; 
• data held by the mediation service are retained for one year after the file is closed; 
• data concerning complaints and disputes management are retained for one year after the dispute is resolved;   
• data concerning financial and accounting management are retained for seven to 10 years depending on the applicable legal provisions; 
• images filmed by surveillance cameras are retained for one month unless they serve as proof in connection with investigations or for the recognition, defence or exercise of rights in court. 

If the data retention period has expired, the personal data are deleted within one year unless they must be retained by law, unless retention is considered important from a medical point of view or for the defence of the legitimate interests of the hospital or patient or for those of the patient's legal successor, and unless there exists an agreement on data retention between the patient and The Institution on the data retention.     

If the data retained are processed in such a way that it can be reasonably considered to be impossible to identify persons, the data can be retained for an unlimited period in a de-identified form. 

By the terms of the legislation on the protection of personal data, you have various rights concerning your data: right of access, right of correction, right of deletion, right to limit processing, right to data portability, right to oppose, right not to be the subject of an automated decision and right to lodge a complaint with the Data Protection Authority. 

As soon as possible, and in any event within one month of receiving your request, The Institution will provide you with information on measures taken following your request. If necessary, this deadline can be extended by two months due to the complexity and volume of requests, in which case we will inform you of the reason within one month. 

The response period only begins if the request received is complete and identified correctly. It is essential for us to be able to establish your identity in total certainty so as to avoid any risk of communicating data to unauthorised third parties. We may ask you for elements to prove your identity. 

When your request is submitted electronically, the information will be communicated to you through a secure channel. 

When your requests are clearly unfounded or excessive, notably as a result of being repetitive, The Institution can request the payment of reasonable costs that take into account the administrative costs of providing the information, communications or taking the measures requested. It can also refuse to comply with your requests but The Institution will then be required to show the clearly unfounded or excessive nature of the request. 

Right of access to your data
Exercising the right of access makes it possible to stablish whether or not your data are being processed and to obtain them in a comprehensible format. It also makes it possible to check that the data are correct and, if needed, to correct or delete them. 

The patient or the patient's legal representative can thus exercise their right of access in regard to the following information: 

• the categories of data collected;
• the purposes for which these data will be used;
• the categories of recipients who were able to access these data; 
• the period during which the data were retained or the criteria determining this period; 
• the existence of other rights (right to rectify, delete, limit, oppose); 
• any information concerning the source of the data collected if not collected directly from you; 
• the existence of an automated decision-making, including in the case of profiling, and the underlying logic, importance and consequences for you of such a decision; 
• the possible transfer of your data to a third country (outside the EU) or to an international organisation; 
• the possibility of notifying the Data Protection Authority. 

This information notice is designed to provide you with this information. However, additional information may be provided as described below: 

By contacting the Institution management, the hospital mediation service or the data protection officer. 

Right to have your personal data rectified, limited or deleted
You can request the rectification of incorrect or incomplete information about you. The right to rectification makes it possible to correct incorrect data about you (i.e.: incorrect age or address) or to complete data relating to the processing purpose. 

As regards medical data, the correctness of data must be examined. Data must be rectified or completed if the doctor notes that they are incorrect or incomplete. 

As data controller, The Institution must also communicate the correction made to data recipients unless such a communication requires a disproportionate effort. 

The right to limitation regarding your data is laid down by the GDPR. If you contest the correctness of data used by "the Institution" or you oppose having your data processed, the GDPR authorises The Institution to verify or examine your request during a certain period. During this period you can ask The Institution to freeze the use of your data that will no longer be used but that will be retained. 

Conversely, you can request directly the limitation of the processing of certain data in cases where The Institution itself wishes to delete them (for example: images filmed by surveillance camera). This will enable you to retain the data, so as to exercise a right for example. 

In some cases you have the right to obtain from The Institution the deletion of your personal data at the earliest possible date.  

However, the right to deletion does not apply if The Institution is under the legal obligation to retain the data or to the extent that the processing is necessary for reasons of general interest in the area of public health, for the provision of health care and insofar as the data controller is bound to professional secrecy. 

These rights can be exercised as set out below: 

By contacting the Institution's management, the hospital mediation service or the data protection officer.

Right to data portability
You are entitled to receive personal data you have made available to The Institution in a structured format as currently used and legible by machine, and you are entitled to transmit these data when the processing is based on consent and carried out with the aid of automated processes. 

For medical data you may request the transfer of your data at any time as part of your treatment follow-up. 

These rights can be exercised as set out below:

By contacting the Institution's management, the hospital mediation service or the data protection officer. 

Right to oppose the processing of your data
You are entitled to oppose the use of your data at any time, for reasons pertaining to your particular situation, when we use them for our legitimate interests or when the processing is based on the public interest or has recourse to profiling.   We will then cease to process your data unless we are able to demonstrate that there are legitimate and imperious reasons for the processing that take precedence over your interests, rights and freedoms or when these data are necessary to initiate, exercise or support legal proceedings.   

These rights may be exercised as described below: 

By contacting the Institution's management, the hospital mediation service or the data protection officer. 

Right not to be the subject of an automated decision-making
A fully automated decision is a decision taken in regard to a person by means of algorithms applied to personal data, without any human being involved in the process.   

In the healthcare sector, and in particular in the context of your care, every decision concerning you is validated by a healthcare professional. 

Right to submit a complaint to a supervisory authority
If the patient is of the opinion that provisions of this confidentiality policy are not being respected or that there are other reasons to complain for facts relating to personal data protection, the patient may contact directly: 

• the data protection officer by post or email;    
• the Data Protection Authority whose contact data are available on the following website:  https://www.dataprotectionauthority.be/citizen