Back

Privacy statement

  1. From whom do we process data?
  2. Who is responsible for my data?
  3. What do we use your data for?
  4. For what reasons do we process your data?
  5. With whom do we share your data?
  6. Processing outside the EEA
  7. How do we obtain your data?
  8. What personal data do we process?
  9. How do we protect your data?
  10. How long do we keep your data?
  11. Scientific research
  12. My UMC Utrecht patient portal
  13. Your rights
  14. Website
  15. Apps for home measurement
  16. Patient experience measurement (PEM)
  17. Webinar
  18. Questions and complaints
  19. Third-party privacy policy

If you are a patient at UMC Utrecht, we process your data. This means that we put your data in our system and use it where necessary. This is mandatory. You will find more information about this in this privacy statement.

From whom do we process data?

  • You as the patient;
  • You as the contact person;
  • You as legal representative;*

*Are you a contact person or legal representative? Then the UMC Utrecht processes a limited number of personal data from you, such as your name, contact details and relationship to the patient. These data are needed to contact you about the patient's treatment.

Who is responsible for my data?

The UMC Utrecht is the so-called data controller in the sense of the General Data Protection Regulation (AVG). This means that UMC Utrecht is responsible for processing your data. The UMC Utrecht decides:

  • Which personal data are processed;
  • Why the data are processed;
  • How the data are processed;

UMC Utrecht bears responsibility for this and is accountable.

What do we use your data for?

Your personal data will be used within UMC Utrecht for:

  • disease diagnosis (performing diagnostics), treatment and aftercare of patients;
  • exchanging data with referrers, GPs and other healthcare providers;
  • handling patient care (e.g. healthcare costs);
  • scientific research;
  • education and (continued) training;
  • accountability;
  • for quality monitoring and quality improvement.

For what reasons do we process your data?

UMC Utrecht processes your personal data on the basis of:

  • the treatment contract you have with UMC Utrecht;
  • your consent;
  • legal obligation;
  • a legitimate interest (quality control and improvement).

With whom do we share your data?

For the above purposes, UMC Utrecht provides your personal data to, among others:

  • Other healthcare providers, healthcare institutions or third parties who are or have been involved in your treatment. This data is about your treatment.
  • Other research institutions or third parties who are or have been involved in scientific research. This data is encrypted to protect your privacy.
  • The GP. The GP receives a letter summarising your treatment at UMC Utrecht;
  • Quality registrations. Only data that cannot be traced back to a person will be shared;
  • The health insurer. Only a DBC (financial codes) will be given to settle healthcare costs;
  • Indication bodies;
  • Other recipients based on your consent or if there is a legal obligation to do so, such as reporting an emergency.
More information Your rights when sharing medical data

Processing outside the EEA

Your data may also (partly) be processed by third parties, for example suppliers of UMC Utrecht or parties involved in a scientific study, in countries outside the European Economic Area (EEA), which may not have the same level of protection of your data, such as the United States. Currently, according to the European Union, there is no adequate level of protection there due to, among other things, the ample possibilities that the US authorities have to intercept or retrieve data and the limited possibilities for non-USAs to oppose this. The UMC Utrecht makes further agreements on this with these parties so that this processing outside the EEA does comply with the requirements of the AVG.

How do we obtain your data?

To provide you with the best possible care, we need the right personal data from you. We receive this data through:

  • what you (or your legal representative) tell the doctor about your health;
  • results based on body material (e.g. blood samples);
  • results based on imaging (e.g. a scan or photograph);
  • determination of clinical picture (diagnostics) and reports by involved healthcare providers;
  • checks of patient;
  • referring healthcare provider.

What personal data do we process?

We do not process more data than we need to provide good care to you, to improve our care and for our administration. Your data may also be used for scientific research under certain conditions.

Personal data we process from you are:

  • First and last name;
  • Date of birth;
  • Gender;
  • Residential address;
  • Nursing address if applicable;
  • Telephone number;
  • Email address;
  • Insurance details;
  • Citizen service number (BSN)*;
  • Legal representative(s) if applicable;
  • History of immediate family if this is important for your treatment and diagnosis.

*It is a legal requirement that we include your BSN in our records and verify it via proof of identity. This is because we want to avoid confusing you with another patient. Other reasons why we use your BSN are:

  • Preventing errors when exchanging financial and medical data;
  • Making it easier to claim expenses from health insurance;
  • Provide better protection against identity fraud.

Special personal data

Sometimes it is necessary to process additional personal data. These are:

  • Health data, including documents containing health and personal data;
  • Data revealing racial or ethnic origin, such as nationality;
  • Data on religious or philosophical beliefs if relevant to treatment;
  • Data on sexual behaviour if relevant to treatment;
  • Genetic data.

How do we protect your data?

Confidentiality

  • All healthcare providers working at UMC Utrecht have a duty of confidentiality. They are not allowed to give any of your details to others without your permission. There are some (legal) exceptions.
  • All other employees (such as support services) also have a duty of confidentiality.

Security

  • It is our job to protect your data. To this end, we take technical and organisational measures. For example, only healthcare providers involved in your treatment are allowed to view your file if this is necessary for your treatment.
  • Other staff may only view your file if this is necessary for their work. For example, the healthcare administration staff responsible for the healthcare account. They are only given access to the data needed for their work.
  • The UMC Utrecht ensures that the computers are properly secured. We work according to nationally established security standards and are certified for this, and we also check which employees have viewed your file.
  • Sometimes it is necessary for the UMC Utrecht to engage a third party to carry out its work. In that case the UMC Utrecht ensures that this third party uses the same level of security and confidentiality as the UMC Utrecht. Sometimes data is sent to third parties in countries outside the European Economic Area. In that case, UMC Utrecht will take the measures necessary to protect your personal data in accordance with the requirements of (European) privacy legislation.

How long do we keep your data?

  • We keep your data for 20 years from the moment our care for you stops.
  • This is mandatory under the WGBO (Medical Treatment Agreement Act) and the Compulsory Mental Health Act.
  • We may keep your data longer if it is necessary to provide you with good care.

Archives Act

We also comply with the Archives Act. This means that we keep some data from your medical record for up to 115 years after your birth (core documents). These records are:

  • discharge letter
  • surgery report
  • anaesthetic report
  • result of pathological examination
  • first aid report
  • emergency data

We do not keep your data longer than necessary.

Scientific research

  • UMC Utrecht is a university hospital and has a statutory duty to conduct scientific research.
  • We ask your permission if we want to use your data for scientific research. You can withdraw this permission at any time.
  • Sometimes we cannot ask for your permission, for example because someone has died or is very difficult to find. UMC Utrecht may then use your medical information for scientific research under strict conditions. You can object to this with your healthcare provider.

My UMC Utrecht patient portal

The UMC Utrecht stores your medical information in an electronic patient file (HiX). Through the My UMC Utrecht patient portal you can view (part of) these data online. The e-consults you receive and share via the patient portal are also recorded in the electronic patient file.

More information about My UMC Utrecht

Your rights

Your medical record: inspection, copy and destruction

  • You may inspect your personal data and your medical record. This can be done online via the My UMC Utrecht patient portal or you can ask your treating physician. In principle, your doctor may not refuse to do so. However, your doctor may block certain parts of your file if it contains information about someone else, such as a family member.
  • You can also request a copy of your file and/or have your file destroyed. There may be reasons to refuse your request for destruction.

Changing data

Are your personal details incorrect? If so, it is important that you have them changed. This concerns only objective data, such as a change of address or if your phone number has changed.

Supplementing data

You may supplement your data. This means that, for example, you can have the opinion of a second doctor (second opinion) added to your record or your own opinion about the care you received. You can ask your treated doctor to do this.

Right to transferability

  • You have the right to obtain your personal data in a structured form, such as in a PDF file.
  • You also have the right to transfer these data to another controller, without UMC Utrecht stopping you from doing so.

Privacy

Through this link you can read more about your privacy rights including the application forms if you want to exercise your rights.

Website

  • Personal data that you enter via our website, such as your name or address, are used by the UMC Utrecht only for the purpose for which you enter them. For example, registration for a meeting or subscription to a newsletter.
  • The UMC Utrecht adheres to the requirements of privacy legislation. The UMC Utrecht never uses your details for other purposes and never gives them to anyone outside the UMC Utrecht, unless you give permission.
  • We do not keep your data longer than necessary.

Cookies

Do you visit our website? Then we use cookies.

  • The UMC Utrecht uses cookies to collect and analyse information about the use of the website and to display videos from YouTube and Vimeo.
  • We use anonymous data to improve and adapt the website.
Read more about our Cookie Policy

Apps for home measurement

Terms of use & privacy home measurement apps

Patient experience measurement (PEM)

  • The Dutch Federation of University Medical Centres (NFU) has been measuring patient experiences annually since 2013.
  • The measurement of patient experience in the NFU context allows UMC Utrecht to compare its own results with those of other UMCs.
  • By learning from good examples both inside and outside the hospital, UMC Utrecht can improve care for its patients.

Patient data

UMC Utrecht uses the following data from you to send an invitation to the patient experience:

  • First and last name;
  • E-mail address;
  • Gender;
  • The last specialty you visited at UMC Utrecht.

We share this data, under strict security conditions, with measurement agency Expoints B.V., which performs the measurement for us.

  • The data are stored on Expoints B.V.'s own secure server and are deleted as soon as possible. This takes place no later than 3 weeks after completing the questionnaire or after you have indicated that you no longer wish to receive the questionnaire.
  • Expoints B.V. sends out the invitations and has a website on which the questionnaire can be completed. This site is owned by Expoints B.V.
  • Expoints B.V. sends the results to UMC Utrecht. The results are anonymous. This means that data cannot be linked to patients.
  • Expoints B.V. does not keep your data longer than necessary

Webinar

UMC Utrecht organises webinars to share knowledge and experiences about care and research with interested parties. We organise these together with OnlineSeminar B.V.

Participate in a webinar

  • You can register for a webinar via the UMC Utrecht website.
  • For participation we ask for your first name, last name and e-mail address.
  • We share your data with OnlineSeminar. Here you can use the site on which the webinar is broadcast. This site is owned by OnlineSeminar.
  • OnlineSeminar uses your information to send a maximum of four e-mail messages: the invitation, a confirmation, a reminder and a calendar invitation.

UMC Utrecht has agreed with OnlineSeminar that the data remain property of UMC Utrecht. With your information the UMC Utrecht notifies you of a next webinar by e-mail. Do you want to view, change or delete this data? Please send an e-mail to info@umcutrecht.nl.

Questions and complaints

We do our best to handle your data with care. But you may have questions or be dissatisfied with how UMC Utrecht handles your privacy.

  • You can discuss your questions and/or dissatisfaction with your treating physician. He will look for possible solutions together with you.
  • You can also contact the Data Protection Officer. This is someone who supervises the application of and compliance with privacy legislation within UMC Utrecht. The contact details can be found below.
  • Hopefully, you will be able to submit your questions and/or comments through these channels. But you also always have the right to submit a complaint to UMC Utrecht via this link.
  • It is also possible to report a complaint to the privacy regulator, the Personal Data Authority.
Share your experiences and comments

Contact details of the data protection officer

Postal address:
UMC Utrecht
T.a.v. Data Protection Officer
House mailbox number D.01.343
PO Box 85500
3508 GA Utrecht

T. 088-75 555 55
E. functionaris.gegevensbescherming@umcutrecht.nl

Third-party privacy policy

This privacy statement does not apply to third-party websites referred to from our website. The UMC Utrecht is not liable for the content of these other websites nor for the processing of personal data, cookies and other data by the operators of these websites. For questions about these other websites, please contact the website administrator directly.

Last modified: 04-03-2025

Thank you for your review!

Has this information helped you?
Please tell us why, so that we can improve our website.

In the hospital

More

References

Education

Expertise

More

Research

Strategic Themes

More

About UMC Utrecht

 

Working at UMC Utrecht

Contact

Emergency?

  • Call 112 or your general practitioner
  • Emergency?

Directions

Get in touch

  • 088 75 555 55

Appointments

Appointments and waiting times

Appointment preparation

Practical

Route to UMC Utrecht

At the hospital

More

umcutrecht.nl uses cookies

This website uses cookies This website displays videos from, among others, YouTube. Such parties place cookies (third-party cookies). If you do not want these cookies, you can indicate that here. We also place cookies ourselves to improve our site.

Read more about the cookie policy

Agree No, rather not