Menu
I'm a patient

Rosa Privacy Policy

V2.1 27 April 2022

What we do with your data is your matter

This document explains why and how Rosa processes personal data of data subjects. Please note that this document is available in Dutch, English and French. The English PDF version of this Privacy Policy shall prevail in case of conflicts between the different versions.

Rosa cares about the protection of your personal data and undertakes to comply with the provisions relating to the protection of personal data in force in Belgium, including the General Data Protection Regulation, 2016/679 (hereinafter GDPR).

To communicate with Rosa about this Privacy Policy (including to provide feedback or ask questions), to discuss Rosa’s processing of your personal data, to notify Rosa of an actual or suspected data breach, or to exercise your rights concerning personal data, please send an email to our Data Protection Officer (DPO) at gdpr@rosa.be.

These are our core principles with regard to your privacy:

Rosa helps health professionals and their patients to exchange information in a confidential, secure and trusted environment. We have no other ambitions, and we do not use personal data for other purposes.

Rosa has the ambition to give its users control over their information. Over time, we will add functionalities to our applications to let you access more information and decide what to do with it, with whom you want to share it, etc.

Rosa describes everything it does with personal data of health professionals, their patients and visitors of Rosa’s website in this document.

Rosa has identified six different categories of data subjects:

  • Patients*;
  • Health professionals;
  • Research participants;
  • Prospective staff;
  • Visitors and users of Rosa’s website and applications; and
  • All other individuals dealing with Rosa in the course of its business.

This Privacy Policy is organised in a way that makes it easier for each of those categories to access the information that’s most relevant to them:

*In this Privacy Policy, unless the context requires otherwise, “patient" refers to both the individual making the appointment through Rosa (the “user" of Rosa’s application) and the individual for whom the appointment is made (the actual patient, seeing the health professional). In most instances, the user is also the patient. In some instances, however, a user can make an appointment on behalf of a patient (for instance, a parent making an appointment for their child; where the parent is the user and the child is the patient).

For patients

Data we process on behalf of health professionals

This section covers personal data that Rosa processes as a data processor on behalf, and under the instructions of, the health professional

What is it?

Each time an appointment at a specific health professional is created for a new patient, Rosa creates a “patient record" in relation to that patient for the benefit of the relevant health professional.

What personal data does Rosa process?

Patient personal data:

  1. First name
  2. Last name;
  3. Date of birth;
  4. National registration number;
  5. Phone numbers;
  6. E-mail addresses;
  7. Postal addresses;
  8. Gender;
  9. Contact details of the person(s) of contact;
  10. First name and last name of family members;
  11. History of the appointments (see ‘Appointments information’ section); and
  12. Any other information about the patient that the health professional might have referred to in a note.

Where the appointment is made on behalf of the patient, by an individual who is not the patient (referred to as a “user"), patient records may also contain the following personal data of a user:

  • First name
  • Last name;
  • Date of birth;
  • Phone number; and
  • E-mail addresses.

About whom?

Patient records information contains personal data about patients and, where the appointment was made by another individual on behalf of the patient (referred to as the ‘user’), about that user.

Who has access to the patient records information?

Patient record information is sensitive data that is only accessible to the relevant health professional and, where relevant, to their organisation.

How can a patient exercise their rights in relation to this data processing?

Patients can exercise their rights by contacting the relevant health professional.

How long does Rosa keep that information?

Rosa will follow the instructions of the relevant health professional.

Purposes

This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.

Legal Bases

  1. Consent (i.e. the patient’s consent to allow the user making an appointment on their behalf) (art. 6.1(a) GDPR); ;
  2. Performance of a contract (i.e. - the contract the health professional has entered into with a patient) (art. 6.1(b) GDPR);
  3. Compliance with a legal obligation (such as social security laws) (art. 6.1(c) GDPR);
  4. Protection of a patient’s vital interests or those of another person (in case of an emergency for instance) (art. 6.1 (d) GDPR);
  5. Where the personal data processed includes special categories of personal data, such as data concerning health, the health professional relies on the following bases:
    1. the protection of the patient’s vital interests (art. 9.2 (c) GDPR); or
    2. the provision of health or social care (art. 9.2 (h) GDPR).
  6. Health professionals do usually not rely on consent to process patients’ personal data (art. 6.1 (a) and 9.2 (a) GDPR) because they can generally rely on another legal basis and consent is then sometimes used only as an additional safeguard). If a health professional does process a patient’s personal data solely based on their consent, it will inform the patient thereof beforehand and the patient will have the right to withdraw their consent at any time.

What is it?

Each time an appointment is booked through Rosa, Rosa collects and processes some information about that booking.

What personal data does Rosa process?

Rosa processes personal data related to appointments when a patient books an appointment online or when a health professional creates an appointment in their calendar. For each appointment, Rosa may process the following personal data:

  • First name and last name of the patient;
  • First name and last name of the health professional;
  • Contact details of the patient;
  • Contact details of the health professional;
  • Date and place of the appointment;
  • Motive for the appointment (as defined by the relevant health professional);
  • The status of the appointment and, when cancelled, who cancelled and when;
  • A note left by the patient at the time they completed their booking;
  • A note added by the health professional.

About whom?

Appointment information contains personal data about health professionals and their patients.

Purposes

This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.

Who has access to the appointment information?

Appointment information is only accessible to the relevant health professional and, where relevant, to their organization, as well as to the patients themselves: part, or all, of the appointment information will be made available on the confirmation page when completing a booking, and in the confirmation and reminder emails, and in the reminder SMS (if any).

How can a patient or health professional exercise their rights in relation to this data processing?

Patients can exercise their rights by contacting the relevant health professional.

How long does Rosa keep that information?

Rosa will follow the instructions of the relevant health professional.

Legal Bases

  1. Consent (i.e. the patient’s consent to allow the user making an appointment on their behalf) (art. 6.1(a) GDPR);
  2. Performance of a contract (i.e. - the contract the health professional has entered into with a patient) (art. 6.1(b) GDPR);
  3. Where the personal data processed includes special categories of personal data, such as data concerning health, the health professional relies on the following bases:
    1. the provision of health or social care (art. 9.2 (h) GDPR).

What is it?

Each time a patient books an appointment through Rosa, Rosa will send a confirmation email to that patient. Upon the health professionals’ request, Rosa might also send to the patient (i) a confirmation email when a health professional makes or modifies a booking with that patient; and/or (ii) a reminder email 7 days and/or 1 day prior to the appointment.

What personal data does Rosa process?

When a confirmation or a reminder email is sent, Rosa processes the following personal data:

  • Email address of the patient;
  • First name and last name and contact details of the health professional; and
  • Date, time, and place of the appointment.

About whom?

Confirmation and reminder emails contain personal data about the relevant health professional and the patient involved.

Who has access to the confirmation and reminder emails?

The content of confirmation and reminder emails is only accessible to the patient involved. The content of the confirmation and reminder emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data processors.

How can a patient exercise their rights in relation to this data processing?

Patients can exercise their rights by contacting the relevant health professional.

How long does Rosa keep that information?

Rosa will follow the instructions of the relevant health professional.

Purposes

This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.

Legal Bases

  1. Consent (i.e. the patient’s consent to allow the user receiving the appointment-related communication on their behalf) (art. 6.1(a) GDPR);
  2. Performance of a contract (i.e. - the contract the health professional has entered into with a patient) (art. 6.1(b) GDPR);
  3. Where the personal data processed includes special categories of personal data, such as data concerning health, the health professional relies on the following bases:
    1. The provision of health or social care (art. 9.2 (h) GDPR).
  4. Health professionals do usually not rely on consent to process patients’ personal data (art. 6.1 (a) and 9.2 (a) GDPR) because they can generally rely on another legal basis and consent is then sometimes used only as an additional safeguard). If a health professional does process a patient’s personal data solely based on their consent, it will inform the patient thereof beforehand and the patient will have the right to withdraw their consent at any time.

What is it?

Health professionals have the option to ask Rosa to send SMS reminders to their patient prior to the appointment.

What personal data does Rosa process?

When a health professional activates the option to send SMS reminders, Rosa processes the following personal data:

  • Mobile phone number of the patient;
  • First name and last name of the health professional;
  • Date, time, and place of the appointment;
  • Any additional personal data contained in the SMS.

About whom?

SMS reminders might contain personal data about the relevant health professional and the patient involved.

Who has access to the SMS reminder information?

SMS reminder information is only accessible to the patient receiving the SMS. The SMS reminder information will also be transmitted to, and processed by, Rosa’s SMS service provider. You can find more information about Rosa’s service providers on the page Data processors.

How can a patient exercise their rights in relation to this data processing?

Patients can exercise their rights by contacting the relevant health professional.

How long does Rosa keep that information?

Rosa will follow the instructions of the relevant health professional.

Purposes

This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.

Legal Bases

  1. Consent (i.e. the patient’s consent to allow the user receiving the appointment-related communication on their behalf) (art. 6.1(a) GDPR);
  2. Performance of a contract (i.e. - the contract the health professional has entered into with a patient) (art. 6.1(b) GDPR);
  3. Where the personal data processed includes special categories of personal data, such as data concerning health, the health professional relies on the following bases:
    1. The provision of health or social care (art. 9.2 (h) GDPR).
  4. Health professionals do usually not rely on consent to process patients’ personal data (art. 6.1 (a) and 9.2 (a) GDPR) because they can generally rely on another legal basis and consent is then sometimes used only as an additional safeguard). If a health professional does process a patient’s personal data solely based on their consent, it will inform the patient thereof beforehand and the patient will have the right to withdraw their consent at any time.

Data we process for our own needs

This section covers personal data that Rosa processes for its own needs, as a data controller.

What is it?

Health professionals have the option to receive a notification email from Rosa when (i) an existing and/or new patient makes a booking; and/or (ii) a patient leaves a note at the time of the booking; and/or (iii) a patient cancels a booking.

What personal data does Rosa process?

When a notification email is sent, Rosa processes the following personal data:

  • First name and last name of the patient and whether it is a new patient;
  • Contact details of the patient;
  • Email address of the health professional; and
  • Date, time, and place of the appointment.

About whom?

Notification emails contain personal data about the relevant health professional and the patient involved (where the appointment has been taken by a user who is not the patient, no personal data about the user is shared with the health professional in that notification email).

Who has access to the notification emails?

The content of notification emails is only accessible to the health professional involved. The content of the notification emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data processors.

How can a health professional exercise their rights in relation to this data processing?

Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep that information?

Rosa keeps that information for 30 days after the end of the agreement between Rosa and the health professional.

Purposes

To fulfil its obligations under the contract between Rosa and the health professional.

Legal bases

Performance of a contract (i.e. - the contract the health professional has entered into with Rosa) (art. 6.1(b) GDPR).

What is it?

When an individual wishes to use Rosa to book an appointment with a health professional, Rosa will automatically create an account for that individual.

What personal data does Rosa process?

When creating an account for an individual, Rosa may collect or generate the following personal data in relation to that individual:

  • First name and last name;
  • Mobile phone number;
  • Email address;
  • Spoken language; and
  • Date of birth.

Where the individual creating the account is not the patient, Rosa may also collect the following personal data in relation to the patient:

  • First name and last name; and
  • Date of birth.

About whom?

Patient account management information contains personal data about all individuals who have made a booking on Rosa and, where relevant, about patients for whom an appointment is made by the account holder. .

Who has access to the user and account management information?

Patient account management information is accessible to the individual creating the account, the health professional with whom they have booked an appointment, and/or Rosa.

How can a patient exercise their rights in relation to their patient account management information?

Patients can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be. Where the individual creating the account is not the patient, the patient can exercise their rights by contacting the user who made the appointment on their behalf.

How long does Rosa keep the patient account management information?

Rosa keeps that information for 5 years after the patient has last interacted with Rosa.

Purposes

To provide the booking services to the individual.

Legal bases

  1. Consent (i.e. the patient’s consent to allow the user making an appointment on their behalf) (art. 6.1(a) GDPR);
  2. Performance of a contract (art. 6.1(b) GDPR).

For health professionals

Data we process on your behalf

This section covers personal data that Rosa processes as a data processor on behalf, and under the instructions of, the health professional

What is it?

Each time an appointment is booked through Rosa, Rosa collects and processes some information about that booking.

What personal data does Rosa process?

Rosa processes personal data related to appointments when a patient books an appointment online or when a health professional creates an appointment in their calendar. For each appointment, Rosa may process the following personal data:

  • First name and last name of the patient;
  • First name and last name of the health professional;
  • Contact details of the patient;
  • Contact details of the health professional;
  • Date and place of the appointment;
  • Motive for the appointment (as defined by the relevant health professional);
  • The status of the appointment and, when cancelled, who cancelled and when;
  • A note left by the patient at the time they completed their booking;
  • A note added by the health professional.

About whom?

Appointment information contains personal data about health professionals and their patients.

Purposes

This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.

Who has access to the appointment information?

Appointment information is only accessible to the relevant health professional and, where relevant, to their organization, as well as to the patients themselves: part, or all, of the appointment information will be made available on the confirmation page when completing a booking, and in the confirmation and reminder emails, and in the reminder SMS (if any).

How can a patient or health professional exercise their rights in relation to this data processing?

Patients can exercise their rights by contacting the relevant health professional.

How long does Rosa keep that information?

Rosa will follow the instructions of the relevant health professional.

Legal Bases

  1. Consent (i.e. the patient’s consent to allow the user making an appointment on their behalf) (art. 6.1(a) GDPR);
  2. Performance of a contract (i.e. - the contract the health professional has entered into with a patient) (art. 6.1(b) GDPR);
  3. Where the personal data processed includes special categories of personal data, such as data concerning health, the health professional relies on the following bases:
    1. the provision of health or social care (art. 9.2 (h) GDPR).

What is it?

Each time a patient books an appointment through Rosa, Rosa will send a confirmation email to that patient. Upon the health professionals’ request, Rosa might also send to the patient (i) a confirmation email when a health professional makes or modifies a booking with that patient; and/or (ii) a reminder email 7 days and/or 1 day prior to the appointment.

What personal data does Rosa process?

When a confirmation or a reminder email is sent, Rosa processes the following personal data:

  • Email address of the patient;
  • First name and last name and contact details of the health professional; and
  • Date, time, and place of the appointment.

About whom?

Confirmation and reminder emails contain personal data about the relevant health professional and the patient involved.

Who has access to the confirmation and reminder emails?

The content of confirmation and reminder emails is only accessible to the patient involved. The content of the confirmation and reminder emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data processors.

How can a patient exercise their rights in relation to this data processing?

Patients can exercise their rights by contacting the relevant health professional.

How long does Rosa keep that information?

Rosa will follow the instructions of the relevant health professional.

Purposes

This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.

Legal Bases

  1. Consent (i.e. the patient’s consent to allow the user receiving the appointment-related communication on their behalf) (art. 6.1(a) GDPR);
  2. Performance of a contract (i.e. - the contract the health professional has entered into with a patient) (art. 6.1(b) GDPR);
  3. Where the personal data processed includes special categories of personal data, such as data concerning health, the health professional relies on the following bases:
    1. The provision of health or social care (art. 9.2 (h) GDPR).
  4. Health professionals do usually not rely on consent to process patients’ personal data (art. 6.1 (a) and 9.2 (a) GDPR) because they can generally rely on another legal basis and consent is then sometimes used only as an additional safeguard). If a health professional does process a patient’s personal data solely based on their consent, it will inform the patient thereof beforehand and the patient will have the right to withdraw their consent at any time.

What is it?

Health professionals have the option to ask Rosa to send SMS reminders to their patient prior to the appointment.

What personal data does Rosa process?

When a health professional activates the option to send SMS reminders, Rosa processes the following personal data:

  • Mobile phone number of the patient;
  • First name and last name of the health professional;
  • Date, time, and place of the appointment;
  • Any additional personal data contained in the SMS.

About whom?

SMS reminders might contain personal data about the relevant health professional and the patient involved.

Who has access to the SMS reminder information?

SMS reminder information is only accessible to the patient receiving the SMS. The SMS reminder information will also be transmitted to, and processed by, Rosa’s SMS service provider. You can find more information about Rosa’s service providers on the page Data processors.

How can a patient exercise their rights in relation to this data processing?

Patients can exercise their rights by contacting the relevant health professional.

How long does Rosa keep that information?

Rosa will follow the instructions of the relevant health professional.

Purposes

This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.

Legal Bases

  1. Consent (i.e. the patient’s consent to allow the user receiving the appointment-related communication on their behalf) (art. 6.1(a) GDPR);
  2. Performance of a contract (i.e. - the contract the health professional has entered into with a patient) (art. 6.1(b) GDPR);
  3. Where the personal data processed includes special categories of personal data, such as data concerning health, the health professional relies on the following bases:
    1. The provision of health or social care (art. 9.2 (h) GDPR).
  4. Health professionals do usually not rely on consent to process patients’ personal data (art. 6.1 (a) and 9.2 (a) GDPR) because they can generally rely on another legal basis and consent is then sometimes used only as an additional safeguard). If a health professional does process a patient’s personal data solely based on their consent, it will inform the patient thereof beforehand and the patient will have the right to withdraw their consent at any time.

Data we process for our own needs

This section covers personal data that Rosa processes for its own needs, as a data controller.

What is it?

Rosa offers health professionals using its online calendar and/or booking application the possibility to publish some information about themselves and the services they offer.

What personal data does Rosa process?

When a health professional chooses to create, fill in and publish a public profile, Rosa may process the following personal data about that health professional:

  • Photo;
  • First and last name;
  • Gender;
  • Spoken language;
  • Specialities;
  • Professional address(es);
  • Contact details;
  • Education and background;
  • Availabilities for appointments; and
  • Any other personal information that the health professional wishes to publicly share on their profile.

About whom?

Public profile information contains personal data about health professionals.

Who has access to the public profile information?

Public profile information is accessible to anyone online and may appear in search engine results.

How can a health professional exercise their rights in relation to their public profile information?

Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep the public profile information?

Rosa keeps that information for 30 days after the end of the agreement between Rosa and the health professional.

Purposes

This is a data processing by Rosa to enable health professionals to communicate their professional details and allow current or new patients to book appointments.

Legal bases

Performance of a contract (i.e. - the contract the health professional has entered into with Rosa) (art. 6.1(b) GDPR).

What is it?

When a health professional wishes to use Rosa, they need to create an account. They will need to connect to their account to access and manage their calendar and bookings or to get technical support from Rosa.

What personal data does Rosa process?

When a health professional creates an account or wishes to get Rosa’s support in relation to their account, Rosa may collect or generate the following personal data in relation to that health professional:

  • First name and last name;
  • Mobile phone number;
  • Email address;
  • Password created by the user to set up their account;
  • Postal address;
  • Spoken language;
  • INAMI/RIZIV number;
  • Enterprise/VAT number;
  • Electronic payment details;
  • Payment history; and
  • Any other information that the health professional may send to Rosa for support purposes.

About whom?

Customer account management information contains personal data about all health professionals who have created an account with Rosa.

Who has access to the user and account management information?

Customer account management information is only accessible to the relevant customer and/or Rosa.

How can a health professional exercise their rights in relation to their account management information?

Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep the account management information?

Rosa keeps that information for 30 days after the end of the agreement between Rosa and the health professional.

Purposes

  1. To fulfil its obligations under the contract between Rosa and the health professional;
  2. To process payments (if applicable); and
  3. To offer support to, and communicate with, the health professional.

Legal Bases

  1. Performance of a contract (art. 6.1(b) GDPR);
  2. and Compliance with a legal obligation (such as tax laws) (art. 6.1(c) GDPR).

What is it?

Health professionals have the option to receive a notification email from Rosa when (i) an existing and/or new patient makes a booking; and/or (ii) a patient leaves a note at the time of the booking; and/or (iii) a patient cancels a booking.

What personal data does Rosa process?

When a notification email is sent, Rosa processes the following personal data:

  • First name and last name of the patient and whether it is a new patient;
  • Contact details of the patient;
  • Email address of the health professional; and
  • Date, time, and place of the appointment.

About whom?

Notification emails contain personal data about the relevant health professional and the patient involved (where the appointment has been taken by a user who is not the patient, no personal data about the user is shared with the health professional in that notification email).

Who has access to the notification emails?

The content of notification emails is only accessible to the health professional involved. The content of the notification emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data processors.

How can a health professional exercise their rights in relation to this data processing?

Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep that information?

Rosa keeps that information for 30 days after the end of the agreement between Rosa and the health professional.

Purposes

To fulfil its obligations under the contract between Rosa and the health professional.

Legal bases

Performance of a contract (i.e. - the contract the health professional has entered into with Rosa) (art. 6.1(b) GDPR).

For Research participants

This section covers personal data that Rosa processes for its own needs, as a data controller.

What is it?

Rosa conducts research continuously in order to improve its existing product and services and create new ones. Rosa might collect or process additional personal data for this purpose that are not described in this Privacy Policy. For instance, Rosa might collect feedback from (potential) customers or other individuals. In those instances, Rosa will always ask for your consent prior to collecting and processing data that could identify you.

What personal data does Rosa process?

Rosa might collect personal data such as your name, email address and/or feedback, or any other personal data as described in the consent form.

About whom?

This information is collected about any research participant as explicitly set out in the consent form.

Who has access to that information?

That information is only accessed by Rosa, or as otherwise stated in the relevant consent form.

How can an individual exercise their rights in relation to this data processing?

Individuals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep the individual’s information in relation to this data processing?

The retention period will depend on the specific data processing and will be as set out in the specific consent form.

Purposes

  1. To improve Rosa’s products and/or services; or
  2. As otherwise described in the specific consent form

Legal bases

Consent (art. 6.1 (a) GDPR).

For Prospective staff

This section covers personal data that Rosa processes for its own needs, as a data controller.

What is it?

This section refers to all the personal data that Rosa collects and processes as part of considering an individual for a role or position at Rosa.

What information does Rosa process?

Rosa may collect and process the following personal data in relation to a prospective staff:

  • Personal contact details, including name, postal address, email address, and phone number;
  • Date of birth and gender;
  • Employment and education history and qualifications;
  • Details relating to the right to work in Belgium (where applicable);
  • Any other information provided to Rosa (as part of a curriculum vitae, letter of support, during an interview or otherwise) or that Rosa receives from a referee.

About whom?

This personal data is about prospective staff (such as prospective employees, contractors, volunteers or students).

With whom does Rosa share that personal data?

Rosa mainly processes such personal data internally but it may also share part of that information with referees, legal representatives, consultants and professional advisers.

How can a prospective staff exercise their rights in relation to this data processing?

Prospective staff can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep that information?

If the applicant is successful, Rosa will keep that information for 5 years after termination of the employment agreement with Rosa. If the applicant is not successful, Rosa will keep that information until completion of the recruitment process and a further 3 years if the applicant gives their consent.

Purposes

  1. To process an application for a position at Rosa;
  2. To assess a candidate’s suitability for a specific role or position and to decide whether to hire that candidate;
  3. To communicate with candidates about their application and the application process; and
  4. To check that the candidate is legally entitled to work in Belgium.

Legal bases

  1. Compliance with a legal obligation (such as immigration laws) (art. 6.1(c) GDPR); and
  2. Performance of a contract (i.e. - the contract Rosa will enter into with the candidate as a staff member) (art. 6.1(b) GDPR).
  3. Where the personal data processed includes special categories of personal data, such as information on racial or ethnic origin, or data concerning a disability, the processing either relates to personal data which is made public by the candidate (art. 9.2 (e) GDPR) or is necessary for the assessment of the working capacity of the candidate (art. 9.2 (h) GDPR).
  4. If the applicant is unsuccessful, Rosa may keep a copy of the application data with the applicant consent (art. 6.1 (a) GDPR).

For visitors to our website and users of our applications

Data we process for our own needs

What is it?

Each time someone visits Rosa’s website, creates an account with Rosa, or otherwise uses Rosa’s services, Rosa collects personal data using cookies and+or other technologies..

What personal data does Rosa process?

Rosa may collect technical data which may include personal data, such as your IP address, OS and browser version, basic user details about usage of Rosa’s website or application. To find out more about how Rosa collects personal data on its website and applications, and how to manage your cookie preferences, please read the page Data processors as well as our Cookie Policy.

About whom?

This information is collected about visitors to our website or applications.

Who has access to that information?

That information might be accessed by Rosa and its data processors, as described on the Data processors page and in our Cookie Policy.

How can a visitor to our website or applications exercise their rights?

Visitors can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep the website and application visitors' information?

This depends on the type of information collected. Please read our Data processors page and our Cookie Policy for more information.

Purposes

  1. To operate Rosa’s website and applications and enable visitors and/or users to use their features;
  2. For statistical and analytical purposes;
  3. To check if cookies can be placed;
  4. To improve Rosa’s services and enhance the visitors’ and/or users’ experience on Rosa’s website and applications.

Legal bases

  1. Consent of the website visitor and/or application user (art. 6.1 (a) GDPR);
  2. Legitimate interest of Rosa (art. 6.1 (f) GDPR).

What is it?

This section refers to the personal data that Rosa collects and processes as part of running its business, including when prospecting for, or communicating with, potential new customers, partners, collaborators, and/or vendors.

What information does Rosa process?

Rosa may collect and process the following personal data:

  • Personal contact details, including name, postal address, email address, and phone number;
  • Occupation or job title;
  • Any other information sent or disclosed to Rosa, including Rosa’s records of any communications or interactions with you.

About whom?

This personal data is about any individual Rosa deals with in the course of running its business, including potential new customers, partners, collaborators, and/or vendors.

With whom does Rosa share that personal data?

Rosa mainly processes such personal data internally but it may also share part of that information with referees, legal representatives, consultants and professional advisers.

How can those individuals exercise their rights in relation to this data processing?

You can exercise your rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep the website visitors’ information?

Correspondence for prospection, sales and support and commercial agreements, including negotiation documents and relevant correspondence, are kept permanently..

Purposes

  1. To communicate with individuals in the course of running Rosa’s business;
  2. To identify and assess potential new customers, partners, collaborators, and/or vendors and to decide whether to further collaborate with them.
  3. For statistical and analytical purposes.

Legal bases

  1. Consent (art. 6.1 (a) GDPR);
  2. Performance of a contract (i.e. - the contract Rosa will enter into with the potential new customer, partner, collaborator, and/or vendor) (art. 6.1(b) GDPR).
  3. Legitimate interest of Rosa (art. 6.1 (f) GDPR).

Definition of categories of Personal Data Processing Activities

For the activities in this category, Rosa provides the tools and stores personal data on behalf of the health professionals who use the applications. Rosa does not determine the content of the information nor the purpose and the essential means of the processing. The health professionals are in control and the role and obligations of Rosa are strictly defined in the data processing agreement between them as data controller and Rosa as data processor.

The activities in this category are determined by Rosa and undertaken to fulfil its own objectives or obligations. Rosa takes full responsibility for these activities and is acting as a data controller.

Other important information

All individuals have the right to:

  • know if Rosa processes personal data about them, what categories of personal data are being processed and for what purpose;
  • request the rectification of inaccurate personal data about them;
  • request the erasure of personal data about them, or oppose the further processing of personal data about them, for a legitimate reason;
  • for certain personal data and in certain circumstances, obtain a copy of the personal data about them in a structured and interoperable format.

To exercise these rights,

the individuals should contact the following person(s):

  • The relevant health professional, if the request concerns personal data that Rosa processes on behalf of that health professional;
  • Rosa (at gdpr@rosa.be) if the request concerns personal data that Rosa processes for its own needs.

Please refer to each category of data processing to know who to contact to exercise your rights.

The Belgian Data Protection Authority is the regulatory agency in charge of data protection in Belgium. It is competent to handle individual complaints about the processing of personal data. More information about data protection regulations and how to file a complaint can be found on their website.

Rosa relies on services provided by other companies to perform its data processing activities. These companies may be considered as data processor under the applicable privacy laws.

You can find more information about these companies on the page Data processors.

Rosa must implement appropriate security measures to protect the personal data it processes against unauthorized access, modification, or destruction. Rosa relies on technologies or services of its subcontractors for parts of these measures.

Rosa must evaluate these security measures regularly and adapt them if required, to take into account the evolutions of the risks, the technology, and the costs associated with these measures.

You can find more information about the security measures currently in place on the page Technical and Organisational Security measures.

Rosa does not retain your personal data longer than strictly necessary for the purposes for which the personal data was collected or otherwise processed, or for the execution of a contract or for fulfilling a legal obligation, always in accordance with applicable laws and as set out in this privacy policy (for more details, please refer to each category of processing activity).

In all cases, Rosa may retain your personal data for a longer period if there is a legal or regulatory reason to do so, or for a shorter period if you object to the processing of your personal data and if there is no other legitimate reason to retain that personal data.

This is version 2.1 of our privacy policy and it is current as of 27 April 2022. We keep this privacy policy under regular review to ensure it is current and we may change this privacy policy over time to reflect the changes in our services and data processing activities. If we do so, we will post the updated privacy policy on this webpage. Please refer back to this privacy policy to review any amendments as any revised privacy policy will apply to all personal data we process.

Changes that we have made since the previous version (v 2.0): we haven’t changed the way we process your personal data but we have reworded the purpose of processing data for statistical and analytical purposes.

Rosa" is Rosa ASBL, a non-profit organization established at Cantersteen 10, 1000 Brussels, with enterprise number 0745.832.604.