Privacy Statement
DIA-Solutions BV | Version 2.0 | Last updated: 3 November 2025
________________________________________
Table of Contents
1. Introduction
○ Purpose of This Document
○ Scope
2. Applicable Laws and Regulations
3. Healthcare-Specific Laws and Regulations
○ Dutch Legislation
○ Field Standards
4. Managing Compliance and Deviations
○ Security Incidents
○ Exceptions
○ Sanctions and Consequences of Violations
○ Audit and Compliance Checks
○ Periodic Assessment and Review
________________________________________
Introduction
Purpose of This Document
DIA-Solutions BV is subject to legislation and other requirements that must be met. To monitor the compliance of the organisation, it is important to have a good understanding of the laws and regulations that apply to DIA-Solutions, including those relating to information security and/or privacy.
This document provides a brief overview of the laws and regulations applicable to DIA-Solutions on the basis of which requirements are set for information security (the availability, integrity and confidentiality of information) and privacy (data protection). The purpose of this is to prevent violations of legal, statutory, regulatory or contractual obligations regarding information security and privacy, and to comply with ISO/IEC 27001:2022.
The laws and regulations describe a number of matters that must be done as mandatory compliance ("check box compliance"), but also matters that must be regulated at the discretion of DIA-Solutions, acting in the spirit of the laws or regulations. This document does not contain an exhaustive list of all laws and regulations relating to information security and data protection.
Laws and regulations are subject to change. Through officielebekendmakingen.nl and ondernemersplein.nl/wetswijzigingen, and by maintaining contacts with government agencies, it is possible to stay informed of changes.
The laws and regulations stated in this document are mainly based on Dutch laws and regulations.
Scope
This document is part of DIA-Solutions' information security policy and applies to all employees of DIA-Solutions, including all temporary employees and externals, and to all business processes of DIA-Solutions.
________________________________________
Applicable Laws and Regulations
General Data Protection Regulation (GDPR)
(Uitvoeringswet Algemene Verordening Gegevensbescherming — UAVG)
Description: Regulation on the protection of natural persons regarding the processing of personal data and the free movement of such data. The GDPR is directly applicable in Europe. Where the GDPR leaves room for choice in implementation, the Netherlands has laid down supplementary rules in the UAVG.
Applicability to DIA-Solutions: The entire regulation applies because personal data are processed within DIA-Solutions.
GDPR — EUR-Lex | UAVG — wetten.overheid.nl
________________________________________
General Administrative Law Act
(Algemene wet bestuursrecht — Awb)
Description: General rules on the relationship between government and citizens, including administrative procedural law.
Applicability to DIA-Solutions: In principle, the Awb does not apply to DIA-Solutions, as it is aimed at administrative bodies. However, Articles 5.16 and 5.17 may entail powers that affect DIA-Solutions — for example, the power to demand information, or to demand business data and documents.
Awb — wetten.overheid.nl
________________________________________
General Tax Act
(Algemene wet inzake rijksbelastingen — AWR)
Description: General law regulating a number of taxes.
Applicability to DIA-Solutions: Everyone is obliged, if requested, to provide the inspector with the data and information that may be relevant for taxation (Article 47 AWR). DIA-Solutions cannot invoke professional secrecy to refuse compliance with tax assessment obligations of third parties (Article 53a AWR). The general retention obligation for data carriers is seven years (Article 52 AWR).
AWR — wetten.overheid.nl
________________________________________
Working Conditions Act
(Arbeidsomstandighedenwet)
Description: Provisions to improve working conditions, addressed to all labour organisations in the Netherlands. Conducting a policy on working conditions is the responsibility of the employer in cooperation with employees, with expert support where necessary.
Applicability to DIA-Solutions: The employer shall immediately report occupational accidents resulting in death, permanent injury or hospitalisation to the designated supervisor, and report further upon request. The employer shall keep a list of reported occupational accidents and those that resulted in an absence of more than three working days, recording the nature and date of each accident (Art. 9 paragraphs 1 and 2).
Arbeidsomstandighedenwet — wetten.overheid.nl
________________________________________
eIDAS Regulation
Description: Regulation on electronic identification and trust services for electronic transactions in the internal market, repealing Directive 1999/93/EC.
Applicability to DIA-Solutions: The tokens used for digital signatures must comply with the level of reliability set out in the regulation (see Article 26). The electronic signature must be used only under the sole control of the signatory. Qualified means for creating electronic signatures must meet the requirements of Annex II of the Regulation, including the required security level. DIA-Solutions itself does not have to meet those security requirements directly, but the means it uses must.
eIDAS — EUR-Lex
________________________________________
Dutch Constitution
(Grondwet — Gw)
Description: The Grondwet is the most important state document and supreme national law of the Netherlands. It contains the rules for the state structure and the fundamental rights of citizens.
Applicability to DIA-Solutions: Article 10 Gw (paragraph 1) establishes that everyone has the right to respect for their privacy, subject to limitations imposed by law. DIA-Solutions must safeguard the privacy and rights of data subjects by implementing information security and safety requirements. Relevant rights include:
● The right to freedom of expression (Article 7)
● The right to respect for privacy (Article 10)
● The right to confidential communication (Article 13)
Grondwet — wetten.overheid.nl
________________________________________
Commercial Register Decree
(Handelsregisterbesluit)
Description: The Handelsregisterbesluit contains obligations regarding registration in the commercial register at the Chamber of Commerce (Kamer van Koophandel).
Applicability to DIA-Solutions: The register may include data on proxies of a legal entity, including their personal data and the contents of their power of attorney. It also includes personal data on every director and supervisory director of a private or public limited company (NV/BV). Relevant articles: Art. 12, 13, 14, 17, 18, 22, 30.
Handelsregisterbesluit — wetten.overheid.nl
________________________________________
Commercial Register Act
(Handelsregisterwet — Hrw)
Description: This law contains provisions on mandatory registration in the commercial register ("handelsregister") at the Chambers of Commerce (Kamer van Koophandel).
Applicability to DIA-Solutions: DIA-Solutions submits statements via Digipoort to the Chamber of Commerce. The Commercial Register Act requires companies to register with the Chamber of Commerce in the area where the company is established, as well as with all Chambers in the area where they have a branch office, to ensure relevant details of business activities are available in each region.
Handelsregisterwet — wetten.overheid.nl
________________________________________
Dutch Telecommunications Act
(Telecommunicatiewet — Tw)
Description: Sets out the main rules that providers of an electronic communications network must comply with.
Applicability to DIA-Solutions: As of 1 July 2021, key changes to the Telecommunications Act include:
1. Potential customers may only be approached with opt-in consent. Cold acquisition is still permitted towards corporate legal entities if their details were disclosed for that purpose.
2. Customers may be contacted for similar products or services, provided the right to object is offered.
3. The do-not-call register has been removed; there is no more default opt-in until opt-out.
4. Telemarketing with an anonymous number is prohibited.
5. Tracking of opt-ins is mandatory.
Consent is defined as a free, specific, informed and unambiguous expression of will, through which the data subject accepts the processing of their data via a statement or unambiguous active action. Organisations must be able to prove consent was obtained. Withdrawing consent must be as simple as giving it, with no adverse consequences for the person withdrawing.
Telecommunicatiewet — wetten.overheid.nl
________________________________________
Anti-Money Laundering and Anti-Terrorist Financing Act
(Wet ter voorkoming van witwassen en financieren van terrorisme — Wwft)
Description: This law merges the Wet identificatie bij dienstverlening and the Wet melding ongebruikelijke transacties, aimed at preventing the use of the financial system for money laundering and terrorist financing.
Applicability to DIA-Solutions: Retention of supporting documents, including retention periods and system requirements (Art. 33).
Wwft — wetten.overheid.nl
________________________________________
Dutch Criminal Code
(Wetboek van Strafrecht)
Description: The Dutch Criminal Code regulates which offences are considered felonies and which are considered misdemeanours, and the types of penalties that can be imposed for them.
Applicability to DIA-Solutions: Employees could misuse the ICT facilities made available to them. Monitoring of employees to identify misuse is in principle lawful, but employees also have a right to privacy in the workplace. A monitoring policy must be announced and be as specific as possible. The Works Council must give its consent, as monitoring falls under a personnel monitoring system (Art. 27 WOR).
The Dutch Computer Crime Acts II and III amended or introduced several provisions in the Criminal Code, covering crimes:
● Against data availability:
○ Hacking, virus/malware, sniffing (Art. 138a Sr)
○ Spamming, virus/malware (Art. 161 sexies Sr)
○ Web defacing, Denial of Service (Art. 138a, 350a, 350b, 161 sexies–septies Sr)
○ Data damage, virus/malware (Art. 350a Sr)
● Against data confidentiality:
○ Eavesdropping and wiretapping, sniffing (Art. 139a–e, 441a Sr)
○ Trade secrets (Art. 273 Sr)
Wetboek van Strafrecht — wetten.overheid.nl
________________________________________
Healthcare-Specific Laws and Regulations
The field standards listed below are not all directly applicable to DIA-Solutions. However, because DIA-Solutions' customers must comply with these laws and may require DIA-Solutions to meet certain requirements derived from them, it is important to take them into account.
Dutch Legislation
Act on Additional Provisions for Processing Personal Data in Healthcare
(Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg — Wabvpz)
Description: The purpose of this law is to create additional framework conditions for the use of an electronic exchange system by healthcare providers in order to protect client privacy.
Applicability to DIA-Solutions: Key provisions include:
● The client has the right to consent to data being accessed or made available through an electronic exchange system
● Certain categories of healthcare providers can be excluded from this consent
● The client must be able to inspect the file or receive a copy upon request
● The client has the right to see who has made certain information available or consulted it (logging obligation, NEN 7513)
● The client must be informed about how they can exercise their rights
● Health insurers, company doctors, and insurance doctors are prohibited from accessing electronic exchange systems
Wabvpz — wetten.overheid.nl
________________________________________
Statutory Retention Periods
(Wettelijk voorgeschreven bewaartermijnen)
Description: The GDPR states that personal data should not be kept longer than necessary and does not propose concrete retention periods. However, there are concrete retention periods that organisations must adhere to — for example, under tax laws.
Applicability to DIA-Solutions: Retention periods and their justification must be laid down in the privacy policy or a separate retention policy.
Retention of personal data — Autoriteit Persoonsgegevens
________________________________________
Field Standards
Code of Conduct for Electronic Data Exchange in Healthcare
(Gedragscode Elektronische Gegevensuitwisseling in de Zorg — EGiZ)
Description: The electronic exchange of personal data must comply with European and national legal requirements. The EGiZ provides practical guidelines for healthcare providers and partnerships to comply with applicable regulations.
Applicability to DIA-Solutions: Key obligations from the EGiZ code of conduct:
● Personal data may only be exchanged when necessary for the proper treatment of the client
● The client has the right to be informed about data processing and the right to give (and withdraw) consent when data is exchanged
● DIA-Solutions must establish and publish an authorisation policy
● The treatment relationship must be established and verified
● The exchange of personal data must be adequately secured
● All actions must be logged
EGiZ — KNMG
________________________________________
Electronic Data Interchange in Healthcare Act
(Wet elektronische gegevensuitwisseling in de zorg — Wegiz)
Description: The Wegiz is a framework act with supplementary rules specifying which data exchanges must take place electronically and from when. The act stipulates not only that healthcare providers must exchange data with each other electronically (track 1), but also according to which agreements this must take place (track 2).
Applicability to DIA-Solutions: The Wegiz requires healthcare providers to exchange medical data electronically, making information about a patient's treatment and care more readily available and reducing the risk of errors.
Wegiz — gegevensuitwisselingindezorg.nl
________________________________________
NEN 7510 — Information Security in Healthcare
Description: NEN 7510 is the standard for organising and securing information security in healthcare, applicable to all small and large organisations dealing with health information. NEN 7512 and NEN 7513 elaborate on this standard for specific focus areas.
Applicability to DIA-Solutions: Key commitments:
● Establish and maintain an ISMS (Information Security Management System) with a PDCA (Plan–Do–Check–Act) cycle
● Conduct risk analyses and manage risks adequately
● Ensure continuous employee awareness
● Learn from incidents to prevent recurrence
NEN 7510 — nen.nl
________________________________________
NEN 7512 — Basis of Trust for Data Exchange
Description: NEN 7512 aims to provide assurance to parties exchanging medical data. It complements NEN 7510 with risk classification and elaborated requirements on identification and authentication associated with a risk class (for example, sending a client transfer message).
NEN 7512 — nen.nl
________________________________________
NEN 7513 — Recording Actions in Electronic Patient Records
Description: NEN 7513 sets requirements for healthcare providers' access logging to electronic client records. All actions of healthcare providers must be logged in a system to verify the legitimacy of access to the client file. The standard provides an applicable and uniform interpretation of existing legislation, in particular the WGBO (treatment relationship and professional secrecy).
Applicability to DIA-Solutions: NEN 7513 provides healthcare providers with frameworks for logging and using that logging to comply with legal obligations. It also sets requirements for the record systems used — requirements that are particularly important for software suppliers. The standard stipulates that clients or an (internal) supervisor must be able to request the logging, for instance in case of suspected abuse.
Key provisions:
● Important events must be recorded
● Important events include: accessing, mutating and deleting data; using the 'emergency procedure'; and creating or modifying authorisations
● It must be recorded who performed the action, which client and/or what data was involved
NEN 7513 — nen.nl
________________________________________
Managing Compliance and Deviations
This section sets out how DIA-Solutions handles deviations from policy and incidents.
Security Incidents
All (potential) security incidents must be reported to the HR Manager as soon as possible. Deviations from this policy will also be treated and settled as security incidents.
Exceptions
Temporary deviations from this policy are permitted only after explicit permission from the HR Manager. These temporary deviations are recorded in the Exception Register after conducting an additional risk analysis and determining mitigating measures.
Sanctions and Consequences of Violations
DIA-Solutions attaches great importance to compliance with all the rules and regulations that apply and takes the security of information and other related business assets seriously. Failure to comply with the regulations in this document can have serious consequences for the confidentiality, integrity, and availability of information, as well as the reputation and operational continuity of DIA-Solutions.
Failure to follow this policy may result in sanctions, as stipulated in the Code of Conduct and employment contract.
Audit and Compliance Checks
Compliance with this policy is monitored periodically.
Periodic Assessment and Review
This document is reviewed and updated at least once a year by the HR Manager. The HR Manager owns this policy and is responsible for its implementation. Final responsibility for the policy lies with the Management Team.
For more information about our privacy statement, download the PDF file => Privacy Statement
