V2.1 27 April 2022
This document explains why and how Rosa processes personal data of data subjects. Please note that this document is available in Dutch, English and French. The English PDF version of this Privacy Policy shall prevail in case of conflicts between the different versions.
Rosa cares about the protection of your personal data and undertakes to comply with the provisions relating to the protection of personal data in force in Belgium, including the General Data Protection Regulation, 2016/679 (hereinafter GDPR).
To communicate with Rosa about this Privacy Policy (including to provide feedback or ask questions), to discuss Rosa’s processing of your personal data, to notify Rosa of an actual or suspected data breach, or to exercise your rights concerning personal data, please send an email to our Data Protection Officer (DPO) at gdpr@rosa.be.
These are our core principles with regard to your privacy:
Rosa helps health professionals and their patients to exchange information in a confidential, secure and trusted environment. We have no other ambitions, and we do not use personal data for other purposes.
Rosa has the ambition to give its users control over their information. Over time, we will add functionalities to our applications to let you access more information and decide what to do with it, with whom you want to share it, etc.
Rosa describes everything it does with personal data of health professionals, their patients and visitors of Rosa’s website in this document.
Rosa has identified six different categories of data subjects:
This Privacy Policy is organised in a way that makes it easier for each of those categories to access the information that’s most relevant to them:
*In this Privacy Policy, unless the context requires otherwise, “patient” refers to both the individual making the appointment through Rosa (the “user” of Rosa’s application) and the individual for whom the appointment is made (the actual patient, seeing the health professional). In most instances, the user is also the patient. In some instances, however, a user can make an appointment on behalf of a patient (for instance, a parent making an appointment for their child; where the parent is the user and the child is the patient).
This section covers personal data that Rosa processes as a data processor on behalf, and under the instructions of, the health professional.
Each time an appointment at a specific health professional is created for a new patient, Rosa creates a “patient record” in relation to that patient for the benefit of the relevant health professional.
Patient personal data:
Where the appointment is made on behalf of the patient, by an individual who is not the patient (referred to as a “user”), patient records may also contain the following personal data of a user:
Patient record information contains personal data about patients and, where the appointment was made by another individual on behalf of the patient (referred to as the “user”), about that user.
Patient record information is sensitive data that is only accessible to the relevant health professional and, where relevant, to their organisation.
Patients can exercise their rights by contacting the relevant health professional.
Rosa will follow the instructions of the relevant health professional.
This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.
Each time an appointment is booked through Rosa, Rosa collects and processes some information about that booking.
Rosa processes personal data related to appointments when a patient books an appointment online or when a health professional creates an appointment in their calendar. For each appointment, Rosa may process the following personal data:
Appointment information contains personal data about health professionals and their patients.
This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.
Appointment information is only accessible to the relevant health professional and, where relevant, to their organization, as well as to the patients themselves: part, or all, of the appointment information will be made available on the confirmation page when completing a booking, and in the confirmation and reminder emails, and in the reminder SMS (if any).
Patients can exercise their rights by contacting the relevant health professional.
Rosa will follow the instructions of the relevant health professional.
Each time a patient books an appointment through Rosa, Rosa will send a confirmation email to that patient. Upon the health professional’s request, Rosa might also send to the patient (i) a confirmation email when a health professional makes or modifies a booking with that patient; and/or (ii) a reminder email 7 days and/or 1 day prior to the appointment.
When a confirmation or a reminder email is sent, Rosa processes the following personal data:
Confirmation and reminder emails contain personal data about the relevant health professional and the patient involved.
The content of confirmation and reminder emails is only accessible to the patient involved. The content of the confirmation and reminder emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data processors.
Patients can exercise their rights by contacting the relevant health professional.
Rosa will follow the instructions of the relevant health professional.
This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.
Health professionals have the option to ask Rosa to send SMS reminders to their patients prior to the appointment.
When a health professional activates the option to send SMS reminders, Rosa processes the following personal data:
SMS reminders might contain personal data about the relevant health professional and the patient involved.
SMS reminder information is only accessible to the patient receiving the SMS. The SMS reminder information will also be transmitted to, and processed by, Rosa’s SMS service provider. You can find more information about Rosa’s service providers on the page Data processors.
Patients can exercise their rights by contacting the relevant health professional.
Rosa will follow the instructions of the relevant health professional.
This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.
This section covers personal data that Rosa processes for its own needs, as a data controller.
Health professionals have the option to receive a notification email from Rosa when (i) an existing and/or new patient makes a booking; and/or (ii) a patient leaves a note at the time of the booking; and/or (iii) a patient cancels a booking.
When a notification email is sent, Rosa processes the following personal data:
Notification emails contain personal data about the relevant health professional and the patient involved (where the appointment has been taken by a user who is not the patient, no personal data about the user is shared with the health professional in that notification email).
The content of notification emails is only accessible to the health professional involved. The content of the notification emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data processors.
Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
Rosa keeps that information for 30 days after the end of the agreement between Rosa and the health professional.
To fulfil its obligations under the contract between Rosa and the health professional.
Performance of a contract (i.e. the contract the health professional has entered into with Rosa) (art. 6.1(b) GDPR).
When an individual wishes to use Rosa to book an appointment with a health professional, Rosa will automatically create an account for that individual.
When creating an account for an individual, Rosa may collect or generate the following personal data in relation to that individual:
Where the individual creating the account is not the patient, Rosa may also collect the following personal data in relation to the patient:
Patient account management information contains personal data about all individuals who have made a booking on Rosa and, where relevant, about patients for whom an appointment is made by the account holder.
Patient account management information is accessible to the individual creating the account, the health professional with whom they have booked an appointment, and/or Rosa.
Patients can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be. Where the individual creating the account is not the patient, the patient can exercise their rights by contacting the user who made the appointment on their behalf.
Rosa keeps that information for 5 years after the patient has last interacted with Rosa.
To provide the booking services to the individual.
This section covers personal data that Rosa processes as a data processor on behalf, and under the instructions of, the health professional.
Each time an appointment is booked through Rosa, Rosa collects and processes some information about that booking.
Rosa processes personal data related to appointments when a patient books an appointment online or when a health professional creates an appointment in their calendar. For each appointment, Rosa may process the following personal data:
Appointment information contains personal data about health professionals and their patients.
This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.
Appointment information is only accessible to the relevant health professional and, where relevant, to their organization, as well as to the patients themselves: part, or all, of the appointment information will be made available on the confirmation page when completing a booking, and in the confirmation and reminder emails, and in the reminder SMS (if any).
Patients can exercise their rights by contacting the relevant health professional.
Rosa will follow the instructions of the relevant health professional.
Each time a patient books an appointment through Rosa, Rosa will send a confirmation email to that patient. Upon the health professional’s request, Rosa might also send to the patient (i) a confirmation email when a health professional makes or modifies a booking with that patient; and/or (ii) a reminder email 7 days and/or 1 day prior to the appointment.
When a confirmation or a reminder email is sent, Rosa processes the following personal data:
Confirmation and reminder emails contain personal data about the relevant health professional and the patient involved.
The content of confirmation and reminder emails is only accessible to the patient involved. The content of the confirmation and reminder emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data processors.
Patients can exercise their rights by contacting the relevant health professional.
Rosa will follow the instructions of the relevant health professional.
This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.
Health professionals have the option to ask Rosa to send SMS reminders to their patients prior to the appointment.
When a health professional activates the option to send SMS reminders, Rosa processes the following personal data:
SMS reminders might contain personal data about the relevant health professional and the patient involved.
SMS reminder information is only accessible to the patient receiving the SMS. The SMS reminder information will also be transmitted to, and processed by, Rosa’s SMS service provider. You can find more information about Rosa’s service providers on the page Data processors.
Patients can exercise their rights by contacting the relevant health professional.
Rosa will follow the instructions of the relevant health professional.
This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.
This section covers personal data that Rosa processes for its own needs, as a data controller.
Rosa offers health professionals using its online calendar and/or booking application the possibility to publish some information about themselves and the services they offer.
When a health professional chooses to create, fill in and publish a public profile, Rosa may process the following personal data about that health professional:
Public profile information contains personal data about health professionals.
Public profile information is accessible to anyone online and may appear in search engine results.
Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
Rosa keeps that information for 30 days after the end of the agreement between Rosa and the health professional.
This is a data processing by Rosa to enable health professionals to communicate their professional details and allow current or new patients to book appointments.
Performance of a contract (i.e. the contract the health professional has entered into with Rosa) (art. 6.1(b) GDPR).
When a health professional wishes to use Rosa, they need to create an account. They will need to connect to their account to access and manage their calendar and bookings or to get technical support from Rosa.
When a health professional creates an account or wishes to get Rosa’s support in relation to their account, Rosa may collect or generate the following personal data in relation to that health professional:
Customer account management information contains personal data about all health professionals who have created an account with Rosa.
Customer account management information is only accessible to the relevant customer and/or Rosa.
Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
Rosa keeps that information for 30 days after the end of the agreement between Rosa and the health professional.
Health professionals have the option to receive a notification email from Rosa when (i) an existing and/or new patient makes a booking; and/or (ii) a patient leaves a note at the time of the booking; and/or (iii) a patient cancels a booking.
When a notification email is sent, Rosa processes the following personal data:
Notification emails contain personal data about the relevant health professional and the patient involved (where the appointment has been taken by a user who is not the patient, no personal data about the user is shared with the health professional in that notification email).
The content of notification emails is only accessible to the health professional involved. The content of the notification emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data processors.
Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
Rosa keeps that information for 30 days after the end of the agreement between Rosa and the health professional.
To fulfil its obligations under the contract between Rosa and the health professional.
Performance of a contract (i.e. the contract the health professional has entered into with Rosa) (art. 6.1(b) GDPR).
This section covers personal data that Rosa processes for its own needs, as a data controller.
Rosa conducts research continuously in order to improve its existing products and services and create new ones. Rosa might collect or process additional personal data for this purpose that are not described in this Privacy Policy. For instance, Rosa might collect feedback from (potential) customers or other individuals. In those instances, Rosa will always ask for your consent prior to collecting and processing data that could identify you.
Rosa might collect personal data such as your name, email address and/or feedback, or any other personal data as described in the consent form.
This information is collected about any research participant as explicitly set out in the consent form.
That information is only accessed by Rosa, or as otherwise stated in the relevant consent form.
Individuals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
The retention period will depend on the specific data processing and will be as set out in the specific consent form.
Consent (art. 6.1(a) GDPR).
This section covers personal data that Rosa processes for its own needs, as a data controller.
This section refers to all the personal data that Rosa collects and processes as part of considering an individual for a role or position at Rosa.
Rosa may collect and process the following personal data in relation to prospective staff:
This personal data is about prospective staff (such as prospective employees, contractors, volunteers or students).
Rosa mainly processes such personal data internally but it may also share part of that information with referees, legal representatives, consultants and professional advisers.
Prospective staff can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
If the applicant is successful, Rosa will keep that information for 5 years after termination of the employment agreement with Rosa. If the applicant is not successful, Rosa will keep that information until completion of the recruitment process and a further 3 years if the applicant gives their consent.
Each time someone visits Rosa’s website, creates an account with Rosa, or otherwise uses Rosa’s services, Rosa collects personal data using cookies and/or other technologies.
Rosa may collect technical data which may include personal data, such as your IP address, OS and browser version, basic user details about usage of Rosa’s website or application. To find out more about how Rosa collects personal data on its website and applications, and how to manage your cookie preferences, please read the page Data processors as well as our Cookie Policy.
This information is collected about visitors to our website or applications.
That information might be accessed by Rosa and its data processors, as described on the Data processors page and in our Cookie Policy.
Visitors can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.
This depends on the type of information collected. Please read our Data processors page and our Cookie Policy for more information.
This section refers to the personal data that Rosa collects and processes as part of running its business, including when prospecting for, or communicating with, potential new customers, partners, collaborators, and/or vendors.
Rosa may collect and process the following personal data:
This personal data is about any individual Rosa deals with in the course of running its business, including potential new customers, partners, collaborators, and/or vendors.
Rosa mainly processes such personal data internally but it may also share part of that information with referees, legal representatives, consultants and professional advisers.
You can exercise your rights by contacting Rosa’s DPO at gdpr@rosa.be.
Correspondence for prospection, sales and support and commercial agreements, including negotiation documents and relevant correspondence, are kept permanently.
For the activities in this category, Rosa provides the tools and stores personal data on behalf of the health professionals who use the applications. Rosa does not determine the content of the information nor the purpose and the essential means of the processing. The health professionals are in control and the role and obligations of Rosa are strictly defined in the data processing agreement between them as data controller and Rosa as data processor.
The activities in this category are determined by Rosa and undertaken to fulfil its own objectives or obligations. Rosa takes full responsibility for these activities and is acting as a data controller.
To exercise these rights, the individuals should contact the following person(s):
Please refer to each category of data processing to know who to contact to exercise your rights.
The Belgian Data Protection Authority is the regulatory agency in charge of data protection in Belgium. It is competent to handle individual complaints about the processing of personal data. More information about data protection regulations and how to file a complaint can be found on their website.
Rosa relies on services provided by other companies to perform its data processing activities. These companies may be considered data processors under the applicable privacy laws.
You can find more information about these companies on the page Data processors.
Rosa must implement appropriate security measures to protect the personal data it processes against unauthorized access, modification, or destruction. Rosa relies on technologies or services of its subcontractors for parts of these measures.
Rosa must evaluate these security measures regularly and adapt them if required, to take into account the evolutions of the risks, the technology, and the costs associated with these measures.
You can find more information about the security measures currently in place on the page Technical and Organisational Security measures.
Rosa does not retain your personal data longer than strictly necessary for the purposes for which the personal data was collected or otherwise processed, or for the execution of a contract or for fulfilling a legal obligation, always in accordance with applicable laws and as set out in this privacy policy (for more details, please refer to each category of processing activity).
In all cases, Rosa may retain your personal data for a longer period if there is a legal or regulatory reason to do so, or for a shorter period if you object to the processing of your personal data and if there is no other legitimate reason to retain that personal data.
This is version 2.1 of our privacy policy and it is current as of 27 April 2022. We keep this privacy policy under regular review to ensure it is current and we may change this privacy policy over time to reflect the changes in our services and data processing activities. If we do so, we will post the updated privacy policy on this webpage. Please refer back to this privacy policy to review any amendments as any revised privacy policy will apply to all personal data we process.
Changes that we have made since the previous version (v 2.0): we haven’t changed the way we process your personal data but we have reworded the purpose of processing data for statistical and analytical purposes.
“Rosa” is Rosa ASBL, a non-profit organization established at Cantersteen 10, 1000 Brussels, with enterprise number 0745.832.604.