Rosa Privacy Policy

V2.7 - 8 October 2024

What we do with your data is your matter

This document explains why and how Rosa processes personal data of data subjects. Please note that this document is available in Dutch, English and French. The English PDF version of this Privacy Policy shall prevail in case of conflicts between the different versions.

Rosa cares about the protection of your personal data and undertakes to comply with the provisions relating to the protection of personal data in force in Belgium, including the General Data Protection Regulation, 2016/679 (hereinafter GDPR).

To communicate with Rosa about this Privacy Policy (including to provide feedback or ask questions), to discuss Rosa’s processing of your personal data, to notify Rosa of an actual or suspected data breach, or to exercise your rights concerning personal data, please send an email to our Data Protection Officer (DPO) at gdpr@rosa.be.

These are our core principles with regard to your privacy:

Rosa wants to strengthen health relationships

Rosa helps health professionals and their patients to exchange information in a confidential, secure and trusted environment. We have no other ambitions, and we do not use personal data for other purposes.

You are in control

Rosa has the ambition to give its users control over their information. Over time, we will add functionalities to our applications to let you access more information and decide what to do with it, with whom you want to share it, etc.

There is nothing else

This document describes everything Rosa does with the personal data it processes as part of its activities.

Categories of data subjects

Rosa has identified six different categories of data subjects:

  • Patients*;
  • Health professionals;
  • Research participants;
  • Prospective staff;
  • Visitors and users of Rosa’s website and applications; and
  • All other individuals dealing with Rosa in the course of its business.

This Privacy Policy is organized in a way that makes it easier for each of those categories to access the information that’s most relevant to them.

*In this Privacy Policy, unless the context requires otherwise, “patient” refers to both the individual making the appointment through Rosa (the “user” of Rosa’s application) and the individual for whom the appointment is made (the actual patient, seeing the health professional). In most instances, the user is also the patient. In some instances, however, a user can make an appointment on behalf of a patient (for instance, a parent making an appointment for their child; where the parent is the user and the child is the patient).

You must be over the age of thirteen (13) to book an appointment on Rosa, insofar as You are authorized to do so by applicable law, or, where applicable, with the authorization of Your legal representatives. If You are under the age of thirteen (13) only an adult with parental authority may make an online appointment for You. If You make a booking for a minor, You guarantee that the minor has been provided with information relating to the processing of his/her Personal Data, according to his/her level of maturity.

For patients

Data we process on behalf of health professionals

This section covers personal data that Rosa processes as a data processor on behalf, and under the instructions of, the health professional.

Patient records Information

What is it?

Each time an appointment at a specific health professional is created for a new patient, Rosa creates a “patient record” in relation to that patient for the benefit of the relevant health professional.

What personal data does Rosa process?

Patient personal data:

  1. First name;
  2. Last name;
  3. Date of birth;
  4. National registration number;
  5. Phone numbers;
  6. E-mail addresses;
  7. Postal addresses;
  8. Gender;
  9. Contact details of the person(s) of contact;
  10. First name and last name of family members;
  11. History of the appointments (see ‘Appointments information’ section); and
  12. Any other information about the patient that the health professional might have referred to in a note.

Where the appointment is made on behalf of the patient, by an individual who is not the patient (referred to as a “user”), patient records may also contain the following personal data of a user:

  • First name;
  • Last name;
  • Date of birth;
  • Phone number; and
  • E-mail addresses.

About whom?

Patient records information contains personal data about patients and, where the appointment was made by another individual on behalf of the patient (referred to as the ‘user’), about that user.

Who has access to the patient records information?

Patient record information is sensitive data that is only accessible to the relevant health professional and, where the health professional is part of a group practice or is acting as a member of a hospital, the data may also be accessible to the health professionals of their group practice or hospital for care continuity.

How can a patient exercise their rights in relation to this data processing?

Patients can exercise their rights by contacting the relevant health professional.

How long does Rosa keep that information?

Rosa will follow the instructions of the relevant health professional.

Purposes

This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.

Legal Bases

It is up to the data controller (i.e. the relevant health professional) to determine the legal basis for this purpose with regard to its specific situation and context. The legal basis generally chosen by the relevant health professional is:

  1. Consent (i.e. the patient’s consent to allow the user to make an appointment on their behalf) (art. 6.1(a) GDPR);
  2. Performance of a contract (i.e. the contract the health professional has entered into with a patient) (art. 6.1(b) GDPR);
  3. Compliance with a legal obligation (such as social security laws) (art. 6.1(c) GDPR);
  4. Protection of a patient’s vital interests or those of another person (in case of an emergency for instance) (art. 6.1 (d) GDPR);
  5. Where the personal data processed includes special categories of personal data, such as data concerning health, the health professional relies on the following bases:
    1. the protection of the patient’s vital interests (art. 9.2 (c) GDPR); or
    2. the provision of health or social care (art. 9.2 (h) GDPR).
  6. Health professionals usually do not rely on consent to process patients’ personal data (art. 6.1 (a) and 9.2 (a) GDPR) because they can generally rely on another legal basis (consent is then sometimes used only as an additional safeguard). If a health professional does process a patient’s personal data solely based on their consent, it will inform the patient thereof beforehand and the patient will have the right to withdraw their consent at any time.

Appointment Information

What is it?

Each time an appointment is booked through Rosa, Rosa collects and processes some information about that booking.

What personal data does Rosa process?

Rosa processes personal data related to appointments when a patient books an appointment online or when a health professional creates an appointment in their calendar. For each appointment, Rosa may process the following personal data:

  • First name and last name of the patient;
  • First name and last name of the health professional;
  • Contact details of the patient;
  • Contact details of the health professional;
  • Date and place of the appointment;
  • Motive for the appointment (as defined by the relevant health professional);
  • The status of the appointment and, when canceled, who canceled and when;
  • A note left by the patient at the time they completed their booking;
  • A note added by the health professional.

About whom?

Appointment information contains personal data about health professionals and their patients.

Purposes

This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.

Who has access to the appointment information?

Appointment information is only accessible to the relevant health professional and, where relevant, to their organization, as well as to the patients themselves: part, or all, of the appointment information will be made available on the confirmation page when completing a booking, and in the confirmation and reminder emails, and in the reminder SMS (if any). Rosa may also display within a patient account the list of past and upcoming appointments linked to that patient account.

How can a patient or health professional exercise their rights in relation to this data processing?

Patients can exercise their rights by contacting the relevant health professional.

How long does Rosa keep that information?

Rosa will follow the instructions of the relevant health professional.

Legal Bases

It is up to the data controller (i.e. the relevant health professional) to determine the legal basis for this purpose with regard to its specific situation and context. The legal basis generally chosen by the relevant health professional is:

  1. Consent (i.e. the patient’s consent to allow the user to make an appointment on their behalf) (art. 6.1(a) GDPR);
  2. Performance of a contract (i.e. the contract the health professional has entered into with a patient) (art. 6.1(b) GDPR);
  3. Where the personal data processed includes special categories of personal data, such as data concerning health, the health professional relies on the following bases:
    1. the provision of health or social care (art. 9.2 (h) GDPR).

Confirmation and Reminder Emails Sent to Patients

What is it?

Each time a patient books, modifies or cancels an appointment through Rosa, Rosa will send a confirmation email to that patient. Upon the health professionals’ request, Rosa might also send to the patient (i) a confirmation email when a health professional makes, modifies or cancels a booking with that patient; and/or (ii) reminder email(s) prior to the appointment.

What personal data does Rosa process?

When a confirmation or a reminder email is sent, Rosa processes the following personal data:

  • Email address of the patient;
  • First name and last name and contact details of the health professional; and
  • Details of the appointment (which may include motive, date, time, and place of the appointment, as well as specific instructions from the relevant health professional).

About whom?

Confirmation and reminder emails contain personal data about the relevant health professional and the patient involved.

Who has access to the confirmation and reminder emails?

The content of confirmation and reminder emails is only accessible to the patient involved. The content of the confirmation and reminder emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data processors.

How can a patient exercise their rights in relation to this data processing?

Patients can exercise their rights by contacting the relevant health professional.

How long does Rosa keep that information?

Rosa will follow the instructions of the relevant health professional.

Purposes

This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.

Legal Bases

It is up to the data controller (i.e. the relevant health professional) to determine the legal basis for this purpose with regard to its specific situation and context. The legal basis generally chosen by the relevant health professional is:

  1. Consent (i.e. the patient’s consent to allow the user to receive the appointment-related communication on their behalf) (art. 6.1(a) GDPR);
  2. Performance of a contract (i.e. the contract the health professional has entered into with a patient) (art. 6.1(b) GDPR);
  3. Where the personal data processed includes special categories of personal data, such as data concerning health, the health professional relies on the following bases:
    1. The provision of health or social care (art. 9.2 (h) GDPR).
  4. Health professionals usually do not rely on consent to process patients’ personal data (art. 6.1 (a) and 9.2 (a) GDPR) because they can generally rely on another legal basis (consent is then sometimes used only as an additional safeguard). If a health professional does process a patient’s personal data solely based on their consent, it will inform the patient thereof beforehand and the patient will have the right to withdraw their consent at any time.

SMS Reminders sent to Patients

What is it?

Health professionals have the option to ask Rosa to send SMS reminders to their patient prior to the appointment.

What personal data does Rosa process?

When a health professional activates the option to send SMS reminders, Rosa may process the following personal data:

  • Mobile phone number of the patient;
  • First name and last name of the health professional;
  • Date, time, and place of the appointment;
  • Any additional personal data contained in the SMS.

About whom?

SMS reminders might contain personal data about the relevant health professional and the patient involved.

Who has access to the SMS reminder information?

SMS reminder information is only accessible to the patient receiving the SMS. The SMS reminder information will also be transmitted to, and processed by, Rosa’s SMS service provider. You can find more information about Rosa’s service providers on the page Data processors.

How can a patient exercise their rights in relation to this data processing?

Patients can exercise their rights by contacting the relevant health professional.

How long does Rosa keep that information?

Rosa will follow the instructions of the relevant health professional.

Purposes

This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.

Legal Bases

It is up to the data controller (i.e. the relevant health professional) to determine the legal basis for this purpose with regard to its specific situation and context. The legal basis generally chosen by the relevant health professional is:

  1. Consent (i.e. the patient’s consent to allow the user to receive the appointment-related communication on their behalf) (art. 6.1(a) GDPR);
  2. Performance of a contract (i.e. the contract the health professional has entered into with a patient) (art. 6.1(b) GDPR);
  3. Where the personal data processed includes special categories of personal data, such as data concerning health, the health professional relies on the following bases:
    1. The provision of health or social care (art. 9.2 (h) GDPR).
  4. Health professionals usually do not rely on consent to process patients’ personal data (art. 6.1 (a) and 9.2 (a) GDPR) because they can generally rely on another legal basis (consent is then sometimes used only as an additional safeguard). If a health professional does process a patient’s personal data solely based on their consent, it will inform the patient thereof beforehand and the patient will have the right to withdraw their consent at any time.

Data we process for our own needs

This section covers personal data that Rosa processes for its own needs, as a data controller.

Notifications Emails Sent to Health Professionals

What is it?

Health professionals have the option to receive a notification email from Rosa when (i) an existing and/or new patient makes a booking; and/or (ii) a patient leaves a note at the time of the booking; and/or (iii) a patient cancels a booking.

What personal data does Rosa process?

When a notification email is sent, Rosa processes the following personal data:

  • First name and last name of the patient and whether it is a new patient;
  • Contact details of the patient;
  • Email address of the health professional; and
  • Date, time, and place of the appointment.

About whom?

Notification emails contain personal data about the relevant health professional and the patient involved (where the appointment has been taken by a user who is not the patient, no personal data about the user is shared with the health professional in that notification email).

Who has access to the notification emails?

The content of notification emails is only accessible to the health professional involved. The content of the notification emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data processors.

How can a health professional exercise their rights in relation to this data processing?

Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep that information?

Rosa keeps that information for 30 days after the end of the agreement between Rosa and the health professional.

Purposes

To fulfil its obligations under the contract between Rosa and the health professional.

Legal bases

Performance of a contract (i.e. the contract the health professional has entered into with Rosa) (art. 6.1(b) GDPR).

Patient Account management

What is it?

Individuals may create a patient account on Rosa to access certain services (for instance to be able to book an appointment with a health professional).

What personal data does Rosa process?

When creating an account for an individual, Rosa may collect or generate the following personal data in relation to that individual:

  • First name and last name;
  • Mobile phone number;
  • Email address;
  • Spoken language; and
  • Date of birth.

Where the individual creating the account is not the patient, Rosa may also collect the following personal data in relation to the patient:

  • First name and last name; and
  • Date of birth.

About whom?

Patient account management information contains personal data about all individuals who have made a booking on Rosa and, where relevant, about patients for whom an appointment is made by the account holder.

Who has access to the user and account management information?

Patient account management information is accessible to the individual creating the account, the health professional with whom they have booked an appointment, and/or Rosa.

How can a patient exercise their rights in relation to their patient account management information?

Patients can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be. Where the individual creating the account is not the patient, the patient can exercise their rights by contacting the user who made the appointment on their behalf.

How long does Rosa keep the patient account management information?

Rosa keeps that information for 5 years after the patient has last interacted with Rosa.

Purposes

  1. To provide the booking services to the individual;
  2. To send marketing communications.

Legal bases

  1. Consent (i.e. the patient’s consent to allow the user to make an appointment on their behalf) (art. 6.1(a) GDPR);
  2. Performance of a contract (art. 6.1(b) GDPR);
  3. For the sending of marketing communications: legitimate interest (art. 6.1(f) GDPR) or consent (art. 6.1(a) GDPR) when the conditions to rely on the legitimate interest are not met.

For health professionals

Data we process on your behalf

This section covers personal data that Rosa processes as a data processor on behalf, and under the instructions of, the health professional.

Appointment information

What is it?

Each time an appointment is booked through Rosa, Rosa collects and processes some information about that booking.

What personal data does Rosa process?

Rosa processes personal data related to appointments when a patient books an appointment online or when a health professional creates an appointment in their calendar. For each appointment, Rosa may process the following personal data:

  • First name and last name of the patient;
  • First name and last name of the health professional;
  • Contact details of the patient;
  • Contact details of the health professional;
  • Date and place of the appointment;
  • Motive for the appointment (as defined by the relevant health professional);
  • The status of the appointment and, when cancelled, who cancelled and when;
  • A note left by the patient at the time they completed their booking;
  • A note added by the health professional.

About whom?

Appointment information contains personal data about health professionals and their patients.

Purposes

This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.

Who has access to the appointment information?

Appointment information is only accessible to the relevant health professional and, where relevant, to their organization, as well as to the patients themselves: part, or all, of the appointment information will be made available on the confirmation page when completing a booking, and in the confirmation and reminder emails, and in the reminder SMS (if any).

How can a patient or health professional exercise their rights in relation to this data processing?

Patients can exercise their rights by contacting the relevant health professional.

How long does Rosa keep that information?

Rosa will follow the instructions of the relevant health professional.

Legal Bases

  1. Consent (i.e. the patient’s consent to allow the user to make an appointment on their behalf) (art. 6.1(a) GDPR);
  2. Performance of a contract (i.e. the contract the health professional has entered into with a patient) (art. 6.1(b) GDPR);
  3. Where the personal data processed includes special categories of personal data, such as data concerning health, the health professional relies on the following bases:
    1. the provision of health or social care (art. 9.2 (h) GDPR).

Confirmation and Reminder Emails Sent to Patients

What is it?

Each time a patient books an appointment through Rosa, Rosa will send a confirmation email to that patient. Upon the health professionals’ request, Rosa might also send to the patient (i) a confirmation email when a health professional makes or modifies a booking with that patient; and/or (ii) a reminder email 7 days and/or 1 day prior to the appointment.

What personal data does Rosa process?

When a confirmation or a reminder email is sent, Rosa processes the following personal data:

  • Email address of the patient;
  • First name and last name and contact details of the health professional; and
  • Date, time, and place of the appointment.

About whom?

Confirmation and reminder emails contain personal data about the relevant health professional and the patient involved.

Who has access to the confirmation and reminder emails?

The content of confirmation and reminder emails is only accessible to the patient involved. The content of the confirmation and reminder emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data processors.

How can a patient exercise their rights in relation to this data processing?

Patients can exercise their rights by contacting the relevant health professional.

How long does Rosa keep that information?

Rosa will follow the instructions of the relevant health professional.

Purposes

This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.

Legal Bases

  1. Consent (i.e. the patient’s consent to allow the user to receive the appointment-related communication on their behalf) (art. 6.1(a) GDPR);
  2. Performance of a contract (i.e. the contract the health professional has entered into with a patient) (art. 6.1(b) GDPR);
  3. Where the personal data processed includes special categories of personal data, such as data concerning health, the health professional relies on the following bases:
    1. The provision of health or social care (art. 9.2 (h) GDPR).
  4. Health professionals usually do not rely on consent to process patients’ personal data (art. 6.1 (a) and 9.2 (a) GDPR) because they can generally rely on another legal basis (consent is then sometimes used only as an additional safeguard). If a health professional does process a patient’s personal data solely based on their consent, it will inform the patient thereof beforehand and the patient will have the right to withdraw their consent at any time.

SMS Reminders sent to Patients

What is it?

Health professionals have the option to ask Rosa to send SMS reminders to their patient prior to the appointment.

What personal data does Rosa process?

When a health professional activates the option to send SMS reminders, Rosa processes the following personal data:

  • Mobile phone number of the patient;
  • First name and last name of the health professional;
  • Date, time, and place of the appointment;
  • Any additional personal data contained in the SMS.

About whom?

SMS reminders might contain personal data about the relevant health professional and the patient involved.

Who has access to the SMS reminder information?

SMS reminder information is only accessible to the patient receiving the SMS. The SMS reminder information will also be transmitted to, and processed by, Rosa’s SMS service provider. You can find more information about Rosa’s service providers on the page Data processors.

How can a patient exercise their rights in relation to this data processing?

Patients can exercise their rights by contacting the relevant health professional.

How long does Rosa keep that information?

Rosa will follow the instructions of the relevant health professional.

Purposes

This is a data processing by Rosa on behalf, and under the instructions, of the health professional for the purpose of providing health services to their patients.

Legal Bases

  1. Consent (i.e. the patient’s consent to allow the user to receive the appointment-related communication on their behalf) (art. 6.1(a) GDPR);
  2. Performance of a contract (i.e. the contract the health professional has entered into with a patient) (art. 6.1(b) GDPR);
  3. Where the personal data processed includes special categories of personal data, such as data concerning health, the health professional relies on the following bases:
    1. The provision of health or social care (art. 9.2 (h) GDPR).
  4. Health professionals usually do not rely on consent to process patients’ personal data (art. 6.1 (a) and 9.2 (a) GDPR) because they can generally rely on another legal basis (consent is then sometimes used only as an additional safeguard). If a health professional does process a patient’s personal data solely based on their consent, it will inform the patient thereof beforehand and the patient will have the right to withdraw their consent at any time.

Use of eBilling

What is it?

Health professionals have the option to use Rosa to (i) consult information about the insurability (and derived rights) of a patient in order to carry out an invoice or to deliver products or services; (ii) generate an electronic attestation or an electronic invoice; and (iii) encode payment methods and track payments.

These features are referred to as ‘eBilling’. 

What personal data does Rosa process?

When a health professional uses eBilling, they need to log in to their Rosa account and they need to authenticate with their eHealth certificate. Rosa may therefore process the health professional account management data and data from the eHealth certificate. 

The health professional shall process patient data, including relevant appointment information, patient record information, payment information (whether the payment has been made or not and the payment method), and patient data made available to them by, or on behalf of, the NIHII (INAMI/RIZIV) (such as, for example, the nomenclature of health services performed by the health professional for that patient).

About whom?

eBilling processes data about the relevant health professional and the patient involved. 

Who has access to the eBilling information?

eBilling information is only accessible to the relevant health professional, the patient involved and their Mutuality, the inter-mutuality (CIN-NIC) and social security services.

How can a patient exercise their rights in relation to this data processing?

Patients can exercise their rights by contacting the relevant health professional.

How long does Rosa keep that information?

Rosa will follow the instructions of the relevant health professional.

Purposes

This is a data processing by Rosa on behalf, and under the instructions, of the health professional, for billing purposes.

Legal Bases

It is up to the data controller (i.e. the relevant health professional) to determine the legal basis for this purpose with regard to its specific situation and context. The legal basis generally chosen by the relevant health professional is:

  1. The provision of health or social care (art. 9.2 (h) GDPR).

Data we process for our own needs

This section covers personal data that Rosa processes for its own needs, as a data controller.

Health Professional Public Profile Information (‘Rosa Profile’)

What is it?

Rosa offers health professionals using its online calendar and/or booking application the possibility to publish some information about themselves and the services they offer.

What personal data does Rosa process?

When a health professional chooses to create, fill in and publish their Rosa Profile, Rosa may process the following personal data about that health professional:

  • Photo;
  • First and last name;
  • INAMI/RIZIV number;
  • Gender;
  • Spoken language;
  • Specialities;
  • Professional address(es);
  • Contact details;
  • Education and background;
  • Availabilities for appointments; and
  • Any other personal information that the health professional wishes to publicly share on their profile.

About whom?

Rosa Profile contains personal data about health professionals.

Who has access to your Rosa Profile?

Once activated, Rosa Profile is accessible to anyone online and may appear in search engine results. To increase health professionals’ online visibility and facilitate online booking appointments, Rosa may communicate limited information from a Rosa Profile (e.g. the URL of your Rosa Profile page) to its partners (e.g. online medical registries) to allow them to create a referral link from their platform or website to your Rosa Profile page on Rosa. For the sake of clarity, Rosa will always ensure that its partners guarantee that they already have information about you in compliance with applicable laws, including GDPR, and Rosa will only allow them to create a referral link to your existing Rosa Profile (not to create a new profile on their platform without your consent). 

How can a health professional exercise their rights in relation to their Rosa Profile?

Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be. Health professionals working for a hospital that has entered into an agreement with Rosa shall contact their hospital to exercise their right in relation to their hospital-related Rosa Profile. 

How long does Rosa keep the Rosa Profile?

Upon termination of the agreement between you (or the relevant hospital) and Rosa, Rosa will remove your Rosa Profile from its online applications. Rosa will delete your Rosa Profile within 30 days from the end of the agreement between Rosa and the health professional or the relevant hospital.

Purposes

This is a data processing by Rosa to enable health professionals to communicate their professional details and allow current or new patients to book appointments.

Legal bases

Performance of a contract (i.e. - the contract the health professional has entered into with Rosa) (art. 6.1(b) GDPR).

Health professionals working for a hospital that has entered into an agreement with Rosa will have a Rosa Profile on the following legal basis:

  • Performance of a contract (i.e. - the contract between the health professional and the hospital) (art. 6.1(b) GDPR); or
  • Consent (art. 6.1(a) GDPR).

Health Professionals Account Management

What is it?

When a health professional wishes to use Rosa, they need to create an account. They will need to connect to their account to access and manage their calendar and bookings or to get technical support from Rosa.

Rosa may also temporarily log in to a health professional’s account to provide support and assistance with technical issues.

What personal data does Rosa process?

When a health professional creates an account or wishes to get Rosa’s support in relation to their account, Rosa may collect, access, use or generate the following personal data in relation to that health professional:

  • First name and last name;
  • Mobile phone number;
  • Email address;
  • Password created by the user to set up their account;
  • Postal address;
  • Spoken language;
  • INAMI/RIZIV number;
  • Enterprise/VAT number;
  • Electronic payment details;
  • Payment history; and
  • Any other information from, or related to, a health professional’s account or that the health professional may share with, or send to Rosa for support purposes.

About whom?

Customer account management information contains personal data about all health professionals who have created an account with Rosa.

Who has access to the user and account management information?

Customer account management information is only accessible to the relevant customer and/or Rosa. Rosa uses the services of Mollie B.V. (Mollie), a regulated payment service provider located in The Netherlands, to manage online payments. Payment methods available include Bancontact. You can find more information on how Mollie and its affiliates process your personal data and how to exercise your personal data protection rights here.

How can a health professional exercise their rights in relation to their account management information?

Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be. You can find more information on how Mollie and its affiliates process your personal data and how to exercise your personal data protection rights here.

How long does Rosa keep the account management information?

Rosa keeps that information for 30 days after the end of the agreement between Rosa and the health professional.  To protect against litigation or comply with its legal obligations, Rosa might keep some data for up to 10 years after the end of the agreement. 

Purposes

  1. To fulfill its obligations under the contract between Rosa and the health professional;
  2. To process payments, including invoices (if applicable);
  3. To offer support to, and communicate with, the health professional; and
  4. To send marketing communications. 

Legal Bases

  1. Performance of a contract (art. 6.1(b) GDPR);
  2. Compliance with a legal obligation (such as tax laws) (art. 6.1(c) GDPR); and
  3. For the sending of marketing communications: legitimate interest (art. 6.1(f) GDPR) or consent (art. 6.1(a) GDPR) when the conditions to rely on the legitimate interest are not met.

Notification Emails Sent to Health Professionals

What is it?

Health professionals have the option to receive a notification email from Rosa when (i) an existing and/or new patient makes a booking; and/or (ii) a patient leaves a note at the time of the booking; and/or (iii) a patient cancels a booking.

What personal data does Rosa process?

When a notification email is sent, Rosa processes the following personal data:

  • First name and last name of the patient and whether it is a new patient;
  • Contact details of the patient;
  • Email address of the health professional; and
  • Date, time, and place of the appointment.

About whom?

Notification emails contain personal data about the relevant health professional and the patient involved (where the appointment has been taken by a user who is not the patient, no personal data about the user is shared with the health professional in that notification email).

Who has access to the notification emails?

The content of notification emails is only accessible to the health professional involved. The content of the notification emails will also be transmitted to, and processed by, Rosa’s email service provider. You can find more information about Rosa’s service providers on the page Data processors.

How can a health professional exercise their rights in relation to this data processing?

Health professionals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep that information?

Rosa keeps that information for 30 days after the end of the agreement between Rosa and the health professional.

Purposes

To fulfill its obligations under the contract between Rosa and the health professional.

Legal bases

Performance of a contract (i.e. - the contract the health professional has entered into with Rosa) (art. 6.1(b) GDPR).

For Research participants

This section covers personal data that Rosa processes for its own needs, as a data controller.

Personal Data of research participants

What is it?

Rosa conducts research and collects feedback in order to improve its existing products and services and create new ones. For instance, Rosa might collect feedback from (potential) customers or other individuals.

What personal data does Rosa process?

Rosa might collect personal data such as your name, email address and/or feedback, or any other personal data, as explained by Rosa at the time of collection. Whenever possible, Rosa will collect pseudonymized or anonymized data. 

About whom?

This information is collected about any research participant.

Who has access to that information?

That information is only accessed by Rosa, or as otherwise explained by Rosa at the time of collection.

How can an individual exercise their rights in relation to this data processing?

Individuals can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep the individual’s information in relation to this data processing?

Rosa keeps the data for 3 months from the time of collection, unless otherwise explained by Rosa at the time of collection.

Purposes

  1. To improve Rosa’s products and/or services (including analytics and security purposes); or
  2. As otherwise explained by Rosa at the time of collection.

Legal bases

  1. Legitimate interest (art. 6.1 (f) GDPR);
  2. Where the conditions to rely on legitimate interest are not met, Rosa relies on consent (art. 6.1 (a) GDPR).

For Prospective staff

This section covers personal data that Rosa processes for its own needs, as a data controller.

Personal Data of Prospective Staff

What is it?

This section refers to all the personal data that Rosa collects and processes as part of considering an individual for a role or position at Rosa.

What information does Rosa process?

Rosa may collect and process the following personal data in relation to prospective staff:

  • Personal contact details, including name, postal address, email address, and phone number;
  • Date of birth and gender;
  • Employment and education history and qualifications;
  • Details relating to the right to work in Belgium (where applicable);
  • Any other information provided to Rosa (as part of a curriculum vitae, letter of support, during an interview or otherwise) or that Rosa receives from a referee.

About whom?

This personal data is about prospective staff (such as prospective employees, contractors, volunteers or students).

With whom does Rosa share that personal data?

Rosa mainly processes such personal data internally but it may also share part of that information with referees, legal representatives, consultants and professional advisers.

How can a prospective staff exercise their rights in relation to this data processing?

Prospective staff can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep that information?

If the applicant is successful, Rosa will keep that information for 5 years after termination of the employment agreement with Rosa. If the applicant is not successful, Rosa will keep that information until completion of the recruitment process and a further 3 years if the applicant gives their consent.

Purposes

  1. To process an application for a position at Rosa;
  2. To assess a candidate’s suitability for a specific role or position and to decide whether to hire that candidate;
  3. To communicate with candidates about their application and the application process; and
  4. To check that the candidate is legally entitled to work in Belgium.

Legal bases

  1. Compliance with a legal obligation (such as immigration laws) (art. 6.1(c) GDPR);
  2. Performance of a contract (i.e. - the contract Rosa will enter into with the candidate as a staff member) (art. 6.1(b) GDPR);
  3. Where the personal data processed includes special categories of personal data, such as information on racial or ethnic origin, or data concerning a disability, the processing either relates to personal data which is made public by the candidate (art. 9.2 (e) GDPR) or is necessary for the assessment of the working capacity of the candidate (art. 9.2 (h) GDPR); and
  4. If the applicant is unsuccessful, Rosa may keep a copy of the application data with the applicant’s consent (art. 6.1 (a) GDPR).

For visitors to our website and users of our applications

Data we process for our own needs

Personal Data Collected When Anyone Visits Our Website or Uses our Applications

What is it?

Each time someone visits Rosa’s website, downloads and uses Rosa’s mobile application, creates an account with Rosa, searches for a health professional, books an appointment or otherwise uses Rosa’s services, Rosa may process your personal data, including using cookies and/or other technologies. 

Rosa may use social media services such as Facebook, Instagram, LinkedIn and Twitter. If you use these services, you should review their privacy policy for more information on how they deal with your personal data.

Visitors and users can also contact us spontaneously (for instance via our ‘Contact Us’ online form). 

What personal data does Rosa process?

When you visit or otherwise use our website and applications, we may process the following data: 

  • Usage and connection data relating to your use of our website, applications or services, including 
    • technical data which may include personal data, such as your IP address, OS and browser version;
    • your preferences (e.g. language preferences);
    • data about your usage of Rosa’s website or application(s) (as a health professional or as a patient) (including data about the searches made and the appointments booked - with your consent, such data is linked to a UserID which does not allow us to identify you by your name or email address but it allows us to better understand how you use our services, how a feature is used, and to measure the impact of (new) features).
  • User (patient or health professional) account data;
  • Data from a Rosa Profile.

When you make a search and/or book an appointment at a hospital using Rosa, on the hospital website, Rosa may collect the following data:

  • technical data which may include personal data, such as your IP address, OS and browser version;
  • your preferences (e.g. language preferences);
  • data about your usage of the Rosa embedded booking flow (including data about the searches made and the appointments booked - with your consent, such data is linked to a UserID which does not allow us to identify you by your name or email address but it allows us to better understand how you use our services, how a feature is used, and to measure the impact of (new) features).

When you get in touch with us via our website or applications (including via email), we may collect the following data:

  • your first name and last name,
  • your email address,
  • the reason why you contact us,
  • the content of your message, as well as
  • technical data which may include personal data, such as your IP address, OS and browser version, basic user details about usage of Rosa’s website or application(s). 

To find out more about how Rosa collects personal data on its website and applications, and how to manage your cookie preferences, please read the page Data processors as well as our Cookie Policy.

About whom?

This information is collected about visitors to our website or applications.

Who has access to that information?

That information might be accessed by Rosa and its data processors, as described on the Data processors page and in our Cookie Policy.

If you download Rosa’s mobile application from an app store (such as Apple’s App Store or Google Play store), your data might be collected and processed by that online mobile app store for their own purposes. For more information, we encourage you to read their Privacy Policy.

How can a visitor to our website or applications exercise their rights?

Visitors can exercise their rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep the website and application visitors' information?

This depends on the type of information collected. Data received via the ‘Contact Us’ form is kept for 12 months from the date the last correspondence was sent or received by Rosa, unless the data is from a customer, in which case the data is kept for 10 years following termination of their agreement with Rosa. For technical data (including those collected via cookies or similar technologies), please read our Data processors page and our Cookie Policy for more information.

Purposes

  1. To operate Rosa’s website and applications and enable visitors and/or users to use their features;
  2. For statistical and analytical purposes;
  3. To check if cookies can be placed;
  4. To improve Rosa’s services, ensure the security of Rosa’s website and applications and enhance the visitors’ and/or users’ experience on Rosa’s website and applications; and
  5. To respond to questions or feedback voluntarily provided.

Legal bases

  1. Consent of the website visitor and/or application user (art. 6.1 (a) GDPR);
  2. Legitimate interest of Rosa (art. 6.1 (f) GDPR).

For all other individuals dealing with Rosa in the course of its business

Data we process for our own needs

Personal Data of all other individuals dealing with Rosa in the course of its business

What is it?

This section refers to the personal data that Rosa collects and processes as part of running its business, including when prospecting for, or communicating with, potential new customers, partners, collaborators, and/or vendors.

What information does Rosa process?

Rosa may collect and process the following personal data:

  • Personal contact details, including name, postal address, email address, and phone number;
  • Occupation or job title;
  • Any other information sent or disclosed to Rosa, including Rosa’s records of any communications or interactions with you.

About whom?

This personal data is about any individual Rosa deals with in the course of running its business, including potential new customers, partners, collaborators, and/or vendors.

With whom does Rosa share that personal data?

Rosa mainly processes such personal data internally but it may also share part of that information with referees, legal representatives, consultants and professional advisers.

How can those individuals exercise their rights in relation to this data processing?

You can exercise your rights by contacting Rosa’s DPO at gdpr@rosa.be.

How long does Rosa keep the information?

Correspondence for prospection, sales and support and commercial agreements, including negotiation documents and relevant correspondence, are kept permanently.

Purposes

  1. To communicate with individuals in the course of running Rosa’s business;
  2. To identify and assess potential new customers, partners, collaborators, and/or vendors and to decide whether to further collaborate with them; and
  3. For statistical and analytical purposes.

Legal bases

  1. Consent (art. 6.1 (a) GDPR);
  2. Performance of a contract (i.e. - the contract Rosa will enter into with the potential new customer, partner, collaborator, and/or vendor) (art. 6.1(b) GDPR);
  3. Legitimate interest of Rosa (art. 6.1 (f) GDPR).

Definition of categories of Personal Data Processing Activities

What we mean by Personal data that Rosa processes for health professionals

For the activities in this category, Rosa provides the tools and stores personal data on behalf of the health professionals who use the applications. Rosa does not determine the content of the information nor the purpose and the essential means of the processing. The health professionals are in control and the role and obligations of Rosa are strictly defined in the data processing agreement between them as data controller and Rosa as data processor. Health professionals working for a hospital can only use Rosa in relation to their hospital practice if that hospital has entered into an agreement with Rosa. In that case, where Rosa acts as a data processor, it is on behalf, and under the instructions, of the relevant hospital. That hospital is in control and the role and obligations of Rosa are strictly defined in the agreement between the hospital as data controller and Rosa as data processor. Unless the context requires otherwise, “health professional” refers to both the health professional working solo or in group practice and the hospital that entered into an agreement with Rosa.

What we mean by Personal data that Rosa processes for its own needs

The activities in this category are determined by Rosa and undertaken to fulfill its own objectives or obligations. Rosa takes full responsibility for these activities and is acting as a data controller.

Other important information

You have rights regarding personal data processed by Rosa

All individuals have the right to:

  • know if Rosa processes personal data about them, what categories of personal data are being processed and for what purpose;
  • request the rectification of inaccurate personal data about them;
  • request the erasure of personal data about them, or oppose the further processing of personal data about them, for a legitimate reason;
  • object at any time to the use of their personal data for marketing purposes;
  • for certain personal data and in certain circumstances, obtain a copy of the personal data about them in a structured and interoperable format.

To exercise these rights, the individuals should contact the following person(s):

  • The relevant health professional, if the request concerns personal data that Rosa processes on behalf of that health professional;
  • Rosa (at gdpr@rosa.be) if the request concerns personal data that Rosa processes for its own needs.

Please refer to each category of data processing to know who to contact to exercise your rights.

The Belgian Data Protection Authority is the regulatory agency in charge of data protection in Belgium. It is competent to handle individual complaints about the processing of personal data. More information about data protection regulations and how to file a complaint can be found on their website.

Rosa relies on third parties acting as data processors

Rosa relies on services provided by other companies to perform its activities. In that context, Rosa may share personal data with service providers, including hosting and other information technology service providers, email communication software providers, customer relationship management services, web analytics services, etc. These companies may be considered as “data processors” under the applicable privacy laws. 

You can find more information about these companies on the page Data processors.

In addition, Rosa may have to share your personal data with limited third parties if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a judicial or regulatory request, (ii) protect and defend our rights or property, or (iii) prevent fraud and address security risks.

Cross-border transfers: In order to provide its services, Rosa may use service providers located outside the European Economic Area. If the transfer takes place to a third country which has not been recognized as offering an adequate level of protection for personal data by the Commission, Rosa ensures that the necessary measures are put in place in accordance with Articles 46 and 49 of the GDPR, and in particular, where necessary, that (i) the recipient is covered by a suitable framework recognized by the Commission as providing an adequate level of protection for personal data, including the EU-US Data Privacy Framework; or (ii) that the European Union standard contractual clauses or equivalent ad hoc clauses are incorporated into the contract concluded between Rosa and those service providers.

Security Measures: we implement strong security measures to protect your data

Rosa must implement appropriate security measures to protect the personal data it processes against unauthorized access, modification, or destruction. Rosa relies on technologies or services of its subcontractors for parts of these measures.

Rosa must evaluate these security measures regularly and adapt them if required, to take into account the evolutions of the risks, the technology, and the costs associated with these measures.

You can find more information about the security measures currently in place on the page Technical and Organisational Security measures.

Retention Period: we do not keep your data longer than strictly necessary

Rosa does not retain your personal data longer than strictly necessary for the purposes for which the personal data was collected or otherwise processed, or for the execution of a contract or for fulfilling a legal obligation, always in accordance with applicable laws and as set out in this privacy policy (for more details, please refer to each category of processing activity).

In all cases, Rosa may retain your personal data for a longer period if there is a legal or regulatory reason to do so, or for a shorter period if you object to the processing of your personal data and if there is no other legitimate reason to retain that personal data.

Changes that occurred since the last privacy policy

This is version 2.7 of our privacy policy and it is current as of 8 October 2024. We keep this privacy policy under regular review to ensure it is current and we may change this privacy policy over time to reflect the changes in our services and data processing activities. If we do so, we will post the updated privacy policy on this webpage. Please refer back to this privacy policy to review any amendments as any revised privacy policy will apply to all personal data we process. 

Changes that we have made since the previous version (v 2.6): we have updated this Policy to include age restrictions for using Rosa as a patient and to clarify provisions for cross-border data transfers in compliance with the GDPR. We have also clarified the data processing activities undertaken to send emails and/or SMS under the instructions of a health professional as well as the data we process when anyone visits or uses one of our websites or applications. 
 

Who are we?

"Rosa" is Rosa ASBL, a non-profit organization established at Cantersteen 10, 1000 Brussels, with enterprise number 0745.832.604.