Personal data that we process

MedSpace processes your personal data because you use our services and/or because you provide them to us yourself. Below you will find an overview of the personal data that we process at least:

– First and last name;
– Email address;
– Internet browser and platform;
– Type of device.

Additional personal data can be recorded within the user profiles if desired, for example gender, function, date of birth, telephone number, etc. MedSpace does not process any personal data of patients.

Purpose of processing personal data

MedSpace processes personal data for the following purposes:

– To offer you the possibility to create an account;
– To be able to identify you as a user of the application;
– To be able to call or email you if this is necessary to be able to perform our services;
– To inform you about changes to our services;
– To process your payment;
– To send our newsletter and update information;
– To deliver products and/or services to you.

Automated decision-making

MedSpace does not make decisions based on automated processing on matters that can have (significant) consequences for people. This concerns decisions that are made by computer programs or systems, without a human being (for example an employee of MedSpace) in between.

MedSpace can use the following (sub)domains for its computer programs and systems:

*.medspace.com
*.medspace.nl

Retention period personal data

MedSpace does not store your personal data for longer than is strictly necessary to achieve the purposes for which your data is collected. We use the following retention periods:

– Personal data in the MedSpace roster application are retained for as long as a customer uses the application;
– Upon termination of the agreement, all data including all personal data will be deleted after 6 weeks at the latest. This can be done sooner if the party that terminated the agreement submits a written request to that effect;
– The retention period for personal data that is stored encrypted in backups is seven days.

Sharing personal data with third parties

MedSpace only provides personal data to third parties if this is strictly necessary for the execution of our agreement with you or to comply with a legal obligation.

Cookie policy

The application only uses functional and technical cookies. Cookies are therefore not used for other purposes, such as marketing or tracking.

Functional cookies are used, among other things, to save the schedule settings made by the user. The saved schedule settings are loaded during a subsequent visit by this user. This promotes ease of use. No history is kept of these settings.

Technical cookies are used, among other things, to ensure that a user remains logged in during his session.

MedSpace does not collect personal data via cookies. Furthermore, the data in cookies is never provided to third parties. Cookies that are necessary for the functioning of the website (functional and technical cookies) may legally be used without the visitor’s consent. For this reason, MedSpace does not request permission from the user to use cookies.

View, modify or delete data

The personal data is recorded by the designated administrator of your MedSpace roster. When an employee’s work period expires, they are given the status ‘Out of service’. However, the employee remains registered, but is no longer shown in the roster. The administrator has the option to permanently delete the user, including all history that belongs to the user. You therefore have the right to view, correct or delete your personal data.

In addition, you have the right to withdraw your consent for the data processing or to object to the processing of your personal data by MedSpace and you have the right to data portability. This means that you can submit a request to us to send the personal data that we have about you in a computer file to you or another organization named by you. You can send a request for access, correction, deletion, data transfer of your personal data or request for withdrawal of your consent or objection to the processing of your personal data to [email protected].

To ensure that the request for access has been made by you, we ask you to send a copy of your ID with the request. In this copy, black out your passport photo, MRZ (machine readable zone, the strip with numbers at the bottom of the passport), passport number and Citizen Service Number (BSN). This is to protect your privacy. We will respond to your request as soon as possible, but within four weeks. MedSpace would also like to point out that you have the option to file a complaint with the national supervisory authority, the Dutch Data Protection Authority. You can do this via the following link: (website is in Dutch).

How we protect personal data

MedSpace takes the protection of your data seriously and takes appropriate measures to prevent misuse, loss, unauthorized access, unwanted disclosure

and unauthorized modification. It is good to know that Performation Healthcare Intelligence BV is NEN 7510 and ISO/IEC 27001 certified. This means that we meet the requirements in the field of information security and that we have good systems, agreements and processes for this.

If you have the impression that your data is not properly secured or there are indications of misuse, please contact our consultants, +31(0)356211211, or via [email protected].

Personal data incident notification (data leak)

A data leak occurs when there is a breach of the security of personal data. This involves access to – or destruction, modification or release of – personal data without this being the intention. A data leak therefore not only includes the release (leak) of data, but also the unlawful processing of data. In the event of a data leak, the personal data is exposed to loss or unlawful processing – in other words, to that which the security measures should have provided protection against. Examples of data leaks include: a lost USB stick with personal data, a stolen laptop or a hacker breaking into a database. But also an e-mail to the wrong person, or an e-mail to a group of people, where the addressees are incorrectly included (i.e. not in the BCC field).

The seriousness of a data leak depends on:

– The size of the leak (the number of people involved and/or the amount of data);
– The nature of the data involved (an age is usually less serious than, for example, an email address);
– The chance that a leak will actually lead to damage.

A data leak must be reported to the Dutch Data Protection Authority in certain cases. This is the case when the leak leads or could lead to significant (chance of) serious adverse consequences for the protection of personal data. The data leak must also be reported to the person concerned if it is likely to have adverse consequences for his or her personal privacy.

The Data Leak Reporting Procedure is the guideline for handling the incident.

ICT and security

The workplaces of MedSpace employees and the network infrastructure are maintained proactively. The systems are secured by means of anti-virus software, anti-malware software and EDR.

Each employee has a personal login profile with a login name and password. We work with 2-step authentication up to business services. Security awareness among employees is part of our security awareness program.

All MedSpace employees have a duty of confidentiality and have submitted a Certificate of Conduct (in Dutch named VOG).

Datacenter

MedSpace’s servers and data are located in the Netherlands.

Our hosting partner meets the following certifications:

– ISO/IEC 27001:2022 (international Norm for IMS)
– ISAE3402
– SOC Type II

A backup of the files is made every night, which is stored encrypted at multiple locations.

Certification

Performance Healthcare Intelligence BV is NEN 7510 and ISO/IEC 27001 certified.

Questions?

If you have any questions and/or comments regarding the processing of your personal data or the security of MedSpace, please contact us.

Performation Healthcare Intelligence BV, BA MedSpace
Nieuweroordweg 1
3704 EC Zeist
The Netherlands

Phone: +31(0)356211211
E-mail: [email protected]

Martijn van Eldijk – Data Protection Officer MedSpace
[email protected]