Privacy statement

What data do we use?

We usually ask for your name, address, email address and phone number. The data we require depends on the product in question. Sometimes, we also ask for other information, such as your bank account number, if you wish to pay your premium by direct debit. We also need medical information to determine whether you are entitled to compensation, for example. We take extra care when processing this medical data. The Zilveren Kruis medical advisor oversees this. We do not use medical records for commercial purposes unless we have your explicit permission. Generally, you provide us with your data yourself. In some cases, we may receive your data through other channels. For example, we receive data directly from the Personal Records Database and healthcare providers. We register your Citizen Service Number (BSN) in our records to identify you.

We also use cookies

We use cookies on our website. Cookies allow us to provide appropriate information or show or send you offers and advertisements. You can read about cookies and how we deal with them in our cookie policy.

If you receive emails from Zilveren Kruis, we may use a technique (pixel) to record click behaviour in emails, for example, to see if an email was opened and which items were clicked on. We use this data to improve our communications with you. This does not involve the use of medical data.

If you wish to block pixels, you can set your email service (e.g., Gmail or Hotmail) to not automatically download images. How you do this varies by email service. If you use Outlook, images are automatically blocked.

We also use a technique in our apps to collect visitor information such as click behaviour, visit time and visit frequency. When you install the app, you can read more about this in the terms and conditions.

Automated decision making

Your data will be processed automatically when you take out a basic, supplemental or dental health insurance policy. This is done using the information you entered on the application form.

Authorisation requests and claims may also be processed automatically.

You can always contact Zilveren Kruis and submit a question or complaint regarding the automated processing of your request. A Zilveren Kruis employee will review your question or complaint.

What do we use your data for? 1

We use your data to:

• enter into a contract with you and execute it;
• check whether you are required to have basic insurance;
• assess whether certain supplemental dental policies can be taken out;
• prepare management and policy information, including for product and service development;
• provide you with good advice, such as on limiting the cost of claims and managing claims and care mediation;
• provide relevant information to groups of insured people;
• determine whether you are entitled to reimbursement for care;
• provide service;
• manage the cost of claims;
• share with care providers;
• share with representatives such as administrators and trustees;
• acquire insurance and related products;
• sell WIA and Verzuim products and support the Schade & Inkomen administration (filling out forms);
• combat fraud to ensure safety and integrity as a health insurer and monitor the safety and integrity of the financial sector, such as combatting or preventing criminal or reprehensible conduct (e.g., terrorism, money laundering and fraud);
• conduct scientific, statistical and market research;
• keep track of how and when we contact you;
• perform material and formal controls;
• adhere to the law (exercising rights of recourse; implementing the duty of care and risk equalisation);
• conduct surveys of insured people on the quality of care;
• support our business operations;
• determine personal contributions and mandatory and voluntary excess;
• calculate, record and debit premiums;
• transfer the debit of payments to third parties such as a collection agency;
• reduce late payments and ensure that the customer no longer owes an administrative premium;
• pay and document reimbursements to you or to the care provider;
• set the overall strategy and policy;
• train, coach and assess our employees;
• handle complaints and disputes;
• conduct audits or them conducted;
• manage, administer and develop IT systems.

1 The following list contains all the data we may use for insurance activities. For a full overview of the data, please see Achmea B.V..

What interactions do we record?

We record the agreements we have made with you. We also use these interactions to improve our communication. We record the following interactions, among others:

• letters and emails we send and receive from you;
• phone calls and chats;
• what you do and view on our websites;
• what you do and view in our apps;
• our contact through the Community and social media such as Facebook, Twitter and WhatsApp;
• concluding agreements with care providers (healthcare purchasing agreements).
• We may also use data from camera images, data we find about you on the Internet and data from telephone or chat conversations with our staff as part of a personal investigation.

Achmea B.V. is responsible

Zilveren Kruis is an Achmea brand. Achmea B.V. is responsible for properly processing your personal data by all Achmea brands.

Who do we get your information from and who do we share it with? 2

We may share your data or verify it with other companies. We do not sell your data. We may exchange data with or receive data from:

• our suppliers and business partners, such as care providers and healthcare institutions;
• Zilveren Kruis employees who are responsible for processing data;
• VECOZO (including claims data from care providers); for example, VECOZO enables care providers to submit digital claims to the correct healthcare insurer. VECOZO does this with the COV (verification of insurance data) service. COV provides information to care providers regarding where and how an insured person is insured (basic and supplementary package, etc.). The information may only be requested to correctly claim healthcare expenses.
• contracted care providers you use; they will bill the costs of care directly to Zilveren Kruis;
• Vektis; Vektis supports healthcare professionals, patient organisations and government parties in improving healthcare and keeping good healthcare accessible and affordable in the Netherlands. Vektis analyses claims data for health insurers. Sometimes, Vektis provides this data to third parties on behalf of health insurers, often for scientific research or to meet a legal obligation.
• CAK; Zilveren Kruis provides your BSN and your bank account number to the CAK if you are eligible for compensation of the excess or to sign you up or deregister you for the defaulter’s scheme if you are six months behind on your premium payments.
• EVR (CIS): EVR records personal data of people whose conduct has been adequately identified as being potentially detrimental to Zilveren Kruis’ financial interests;
• Board of Mayor and Aldermen; for debt prevention and reduction. This is a legal requirement;
• Care administration offices; to avoid care being paid for under both the Wlz and the basic insurance and to coordinate care insured under the healthcare insurance and the Wlz;
• Social Insurance Bank: to determine insurance eligibility and personal budget drawing right;
• Personal Records Database;
• supervisors and other third parties under legal obligations (e.g. Public Prosecutor) or to whom the responsible party has outsourced tasks, such as data processors and collection agencies;
• companies affiliated with the responsible party (for purposes of recruitment for similar or related products);
• agencies for scientific or statistical research; this data will only be provided insofar as anonymous data is insufficient, the research is in the public interest and obtaining permission was not possible;
• other organisations cooperating with the responsible party for the purpose of implementing insurance agreements, such as foreign health insurers for the purpose of purchasing care, cross-border workers or emergency response centers.
• other insurers: we sometimes exchange information to recover damages or costs which we have reimbursed (e.g., from your travel insurer) if it also provides cover in addition to your basic or supplemental insurance, or from the liability insurer of another person who caused the damage or costs.
• The National Government's National Terrorism Sanctions List: Health insurance companies must check to see if you are on this list. If you are on the list, it will be reported to De Nederlandsche Bank.
• other Achmea business units to the extent permitted by law or after obtaining explicit permission.

2 For a full overview of the data, please see Achmea B.V..

If it is necessary to transfer data to recipients outside the European Economic Area (EEA), we do so very carefully. The same privacy rules apply within the EEA.

or the protection of Zilveren Kruis’ interests, employees and customers, as well as those of other financial institutions, we process your personal data (including criminal data, in some cases) for risk management and to prevent and combat fraud. Zilveren Kruis maintains an incident record to that end. The Special Affairs Department may decide to include personal data from the incident record in an Internal Reference Register (IVR). If an incident meets the criteria in the Financial Institutions Incident Warning System Protocol (PIFI), Zilveren Kruis will record the relevant personal data in an Incident Register (I.R.) and, if appropriate, the External Referral Register (EVR). The above registers are not limited to personal data. Data on care providers are also included in these registers. By including your information in the above registers, we can test whether you have ever committed or attempted to commit fraud. You or, if you are a care provider, your organisation will be notified of registration in one of these registers. This is usually done before your information is entered into the registers unless disclosure would harm the investigation. In this case, you will be notified after the investigation is concluded—if your registration in the IVR, I.R. or EVR is continued.

How do we ensure that your data is safe with us?

Our websites, apps and IT systems are well secured, and we always take extra measures to prevent the abuse of your data. Our staff have received clear instructions on how to handle your data.

We are extra careful with sensitive data

By sensitive data, we mean:

• your citizen service number (BSN) and bank details;
• your medical details.

Our medical advisors are responsible for the correct processing of your medical records. Employees can only access your medical records if they have permission from the medical advisors. The medical advisors and staff have a duty of confidentiality. The medical advisor is a registered physician, dentist, physiotherapist, obstetrician, nurse, health care psychologist, psychotherapist or pharmacist in the Register of Individual Healthcare Professions (BIG). The medical advisors are responsible for the use of medical data. Any employee who uses medical data falls under the responsibility of the medical advisors. The group of employees under the medical advisors’ responsibility is called the 'functional unit'. Staff in the functional unit have the same duty of confidentiality as the medical advisors..

How long do we store your data?

We will store your data for as long as we need it. This means that most data is kept for 7 years, or as long as required by law. Exceptions to this include fraud investigations—in which case we will retain the data for 8 years after the investigation is closed—or scientific research. If you do not take out insurance with us, we will retain your information for one year after your application. After one year, we will delete your data or anonymise your data.

When we anonymise your data, we delete anything that refers to you. The data can no longer be linked to you. The anonymous data helps us better understand our risks, products and services.

Privacy rules and laws

We comply with the prevailing privacy laws and regulations. This includes:

• the General Data Protection Regulation (GDPR);
• the GDPR Implementation Act;
• the Code of Conduct for the Processing of Personal Data by Healthcare Insurers; 3
• the Incident Alert System Protocol for Financial Institutions;
• The Code of Conduct for Personal Investigations;
• the Telecommunications Act.

Your rights

Your rights are also regulated by law. You may:

• request your information from us;
• have your information changed if it is inaccurate;
• have your data deleted;
  • In many cases, we are unable to delete your data. This could be because we still need your information or to comply with the law.
• object to certain uses of your data;
  • For example, if you no longer want to receive emails with offers or surveys from us. Our emails contain a link you can use to unsubscribe, or you can contact us by phone. In other instances, you will need to specify why you are lodging an objection for us to assess it properly.
  • You can object if you do not want us to use your data to create profiles to improve our service to you, e.g. by giving you personalised cost-saving tips.
  • In other instances, you will need to specify why you are lodging an objection for us to assess it properly.
• withdraw your consent;
  • If you consent to our use of your data, you can withdraw that consent later. From that moment on, we will no longer use your data.
• transfer your data;
  • For example, when you have provided data to us with your consent or based on our agreement. You can transfer data to another party or to yourself.
  • We may also send the data directly to another health insurer if it concerns data needed to switch to another health insurer or authorisations issued for care reimbursement.
• temporarily restrict the use of your data;
• request reassessment of automatically processed data;
  • Online applications for basic or supplemental are often processed automatically. This may result in the insurance being taken out or your application being rejected. You can always submit a question or complaint regarding the automated processing of your request.
  • Claims or authorisation requests submitted to us are usually processed automatically using review criteria based on your insurance terms and conditions. You always have the right to submit a question or complaint regarding the automated processing of your claim or application.

If you are a policy holder and have taken out basic insurance for a child, you can invoke the above rights for the insured child as well. Special rules apply if the child is 12 or older, because, as the policyholder, you are only entitled to access the data needed to take out the basic insurance and to gain sufficient insight into the bills you have to pay. If you request access to the medical details of a child who is 12 or older for whom you are a policyholder, we can only provide the information listed above.

3 In principle, Zilveren Kruis applies the Z.N. Code of Conduct for the Processing of Personal Data by Health Insurers, but it follows developments in relevant case law and adjusts its working methods accordingly, if necessary.

Please let us know if you wish to exercise your rights

Send us a letter including a copy of your passport or ID card (please obscure your citizen service number (BSN) and passport photo). We will respond within one month of receiving your letter, including a copy of your passport or I.D. card.

You can view or change a lot of your information on our website.

If you have a privacy question, tip or complaint,

please email Achmea's Data Protection Officer at privacymanager@achmea.nl. You can also send a letter to:

If we cannot reach an agreement together you can, without prejudice to your right to complain to the Dutch Data Protection Authority, submit your complaint to: 4

You can file a complaint with the Autoriteit Persoonsgegevens.

We may change this privacy statement

We are allowed to do so in the event of changes to the rules or regulations, or if we develop new products or services, for example. The latest privacy statement can always be found on our website. This version is from 17 May 2022.

4 An exception applies if you usually reside or work in an E.U. Member State other than the Netherlands or if the complaint was caused in another E.U. Member State. You may also contact that country’s data protection authority in such cases.