Privacy Statement

CortoClinics is a center for orthopedics and mobility. It is dedicated exclusively to hip and knee care. This specialization creates focus and experience, producing leading expertise. CortoClinics develops customized care plans, with diagnosis, advice, treatment, and support, for clients with hip and knee osteoarthritis.

Personal information refers to all the forms of data that provide information about you as an identifiable person; it tells us something about who you are. We “process” these data whenever we store, access, share, send, delete, or otherwise interact with them. When you enter into an agreement with CortoClinics and/or sign up for e-mailings or request a quote or other information on the website or by telephone, we ask you to fill in or give us your company and/or personal contact information. In addition to the information you provide through our website or by telephone, we can obtain other information by combining this with data previously acquired and with data automatically generated through the use of cookies and other technological means, as long as you have given permission. For instance, we can trace your IP address, track your movements on the website and what you download from the site, and identify the operating system you use. A separate Cookie Policy applies for cookies: www.cortoclinics.nl/cookie-verklaring. In other words, this pertains to all of the data we can connect to you, including indirectly.

The specific personal information that we collect is:

• Name, address, city
• E-mail address
• Gender
• Company & position
• Contact history
• If you receive newsletters from us, we track your interactions (open and click actions)
• Invoice and payment information when you are a client of ours
• BSN (“citizen service number,” Dutch equivalent of a social security or national insurance number)
• Health information

We only process special identity information such as the BSN and health information, and only when necessary. We will not process such demographic information as your religious affiliation, race, political or sexual preference, criminal record, religion, or trade union membership without your express permission.

Our objective is to provide your with products and/or services, so in the first instance, we use your personal information to identify you and communicate with you. That means we use these data to execute an agreement you make with us, such as by processing your financial data when you pay for a product or creating and administering an account for you, or when you have a question about the services we provide and we need to call you back. The legal basis for this is set out in Section 6 (1) (b) of the General Data Protection Regulation (GDPR, AVG in Dutch).

In addition, we may also use your personal information for marketing activities when we think it might be relevant for you as our client. This might include advertisements for things we know to be of interest to you or offers to participate in studies, campaigns, or events. The legal basis for this is Section 6 (1) (f) of the GDPR.

Finally, it can occur that we are required by law to collect certain personal information as part of our legal obligations. For instance, we must in any event collect financial data for our own accounting obligations. The legal basis for this is Section 6 (1) (c) of the GDPR.

We are permitted to send you newsletters by e-mail about the products and services you already receive from us. In cases where we want to inform you about other products or services, we must first ask your permission. This permission can always be withdrawn by clicking on the opt-out button at the bottom of the newsletter. Your e-mail address will then be placed on a separate list so that we know you prefer not to be contacted for such matters by e-mail.

Whenever we ask you for personal information, we will tell you per situation whether the provision of said information is necessary or required and what the potential consequences are of not providing the information. The basic premise in this is always that CortoClinics will not process more personal information than strictly necessary for the purposes described.

We will never furnish, sell, rent, or lease your personal information to third parties, except in cases where we are legally obligated to furnish data or you have given permission to do so. In providing our services, we contract outside service providers. These are not “third party recipients,” but “processors.” These processors do not use the data for their own purposes and process the personal information provided solely in accordance with the task assigned by CortoClinics.

The processors we employ are:

Your personal data can be processed both within and outside the EEA by us or by the service providers we work with. At present, this occurs in the following countries: the Netherlands and the United States. We have agreed to separate security measures for these countries, so as to ensure that your personal information is also safe in those places.

CortoClinics does not used automated decision-making and/or profiling.

The underlying premise for storing data is that we do not retain these for any longer than necessary for achieving the objective for which the data were originally collected. For instance, if you end your partnership with CortoClinics, then we will delete your data once the contractual agreement has ended. In certain cases, we are bound by legally mandated retention periods that oblige us to retain the data for a given number of years. For many cases, that period is 7 years, but in terms of storing personal data, the set period is 15 years. Even when we no longer need the data to achieve the objective for which they were originally collected, we may still retain them for archiving purposes. To every extent possible, this will occur on an anonymized basis, and the personal data concerned will then be deleted.

CortoClinics has implemented appropriate technical and organizational measures to protect the security of all personal information against loss or any other form of unlawful processing, including the following:

• We have an SSL certificate for our website and software that guarantees visitors and users that all data (personal or otherwise) are transmitted between servers and browsers using HTTPS, which encrypts and secures the information. SSL (Secure Sockets Layer) is also used, among other things, for online transactions (with credit cards).
• CortoClinics has adopted comprehensive measures outlining the procedure to be followed in the event of a data breach. But more importantly, we have taken a host of technical and organizational measures to prevent data leaks. We use reliable systems that comply with privacy legislation to send our e-mailings. We have also concluded processor agreements with all of our suppliers. The CRM system we use to store our clients’ personal information also complies with privacy legislation, and we never store any more information than necessary. Our website is managed by Morres & Company, a reliable hosting service, and we see to it that we regularly update the CMS system we use. This includes monitoring and blocking IP addresses considered unsecure to protect against hackers.
• CortoClinics has appointed a data protection officer whose job is to oversee the processing of personal information in our organization.

When we process personal information about you, you have the right to exercise control over how that is done to protect your privacy. For instance, you may submit a request for access to your personal information, and we can rectify any inaccurate information we may have on you that you find. We can also act on any request you might have in terms of lodging an objection or pointing out negligence if it should emerge that the data processing is no longer warranted, or at least not in the manner in which we are doing it.

Whatever request you might have, simply contact us, and we will help you free of charge. You can contact us using the contact information listed below. Bear in mind that in some cases, we may not be able to comply with your request because it is still necessary for us to process your personal information, for example, in cases where we have not fully completed the terms of our agreement or are obliged to store financial information according to law. In such cases, the burden of proof is on CortoClinics, and we will lay out the reasoning and explain it to you. When the withdrawal of consent or lodging of an objection pertains to direct marketing activities, we will always comply with your request.

Finally, you also have the right to data portability, to the extent this is technically feasible and we do not have to incur disproportionate costs.

We would also like to point out, in conclusion, that it is our responsibility, as the so-called controller, to properly identify anyone submitting any such requests, and we will thus need to ask for additional information. We will in any event respond to your request within 4 weeks.

CortoClinics reserves the right to amend this statement from time to time. Any changes will be reflected on this page. The most recent changes date to 10-09-2019 (European dating system). These changes will also be announced on our website. CortoClinics can process your personal data for new purposes that you have not previously been informed of. In such cases, we will contact you before using your personal information for these new purposes to keep you informed of the changes in protecting the personal data and to give you the option of refusing.