Privacy Policy and Whistleblower Scheme and Integrity Policy

Integrity Policy Medical Examination

Part 1: Privacy Policy

This Privacy Policy has been drawn up in accordance with the European Regulation on Data Protection (the "GDPR: General Data Protection Regulation") – Regulation 2016/679 of 27 April 2016. This Regulation will be directly applicable in Belgium as of 25 May 2018.

1. General

Premed VZW with registered office at Tiensevest 61 – Unit 2, 3010 Leuven, with company registration number 0410.064.629 respects the privacy of all affiliated employers and their employees, as well as the users of our website and ensures that the personal information provided to us by the employer and/or employee is treated confidentially. This data is processed with the aim of guaranteeing optimal service provision in the areas of health, safety, occupational hygiene, ergonomics and psychosocial aspects.

In the context of GDPR legislation, we wish to inform, respect and give our customers and website users as much control as possible over what happens to their data. Below you will find information about what data we collect, why, how long we keep it and how you can control it.

This Privacy Policy applies as an annex to the Main Agreement between Premed and the customer. Deviations from this Privacy Policy are only valid if both parties have given their written consent.

In the relationship with the customer's employees, Premed should be considered as a data controller in accordance with the advice of COPREV of 26/01/2018. This means that Premed itself is responsible for complying with the obligations of the GDPR (art. 5, 2° GDPR) in the relationship with the employees of its customers.

2. Who is protected by this Privacy Policy?

This Privacy Policy applies to all our current and former customers; that is to all employers established in the EU for whom Premed holds a signed membership contract and their current and former employees (natural persons).

3. What does 'data processing' mean and who is responsible for it?

By 'data processing' we mean the collection, recording, organising, storing, updating, supplementing, modifying, requesting, consulting, using, combining, archiving, erasing or ultimately destroying of personal data.

Premed VZW is responsible for the processing of personal data of employees of affiliated employers. Our employees are required to respect the confidentiality of your data.

Sub-processors:

  • The affiliated employer and its designated staff members have access via the extranet to general data (i.e. no medical/psychological/personal confidential information) of their own staff, in compliance with the European Regulation on Data Protection (the "GDPR; General Data Protection Regulation") of 27 April 2016.
  • The authorities
    • FEDRIS: personal data in the context of occupational disease reports, reimbursement of medical examinations for trainees, reimbursement of vaccines
    • Vaccinnet: personal data in the context of vaccinations
    • The supervisory authority
    • Public prosecutor
  • Laboratory analyses
  • Treating physicians and the advisor physician of the mutual insurance fund in the context of a rehabilitation file

4. What data do we process?

  • General personal data:
    • as stated on the identity card: name, first name, address, nationality, date of birth, photo, place of birth, national registration number
    • additional personal data: employer, telephone number, language, email address, seniority in the company, seniority in the position, workplace, race, marital status, where applicable: type of driving licence
  • Medical data in the broadest sense including: data concerning physical and mental health, laboratory analyses, vaccinations, occupational diseases, weight, BMI, lifestyle,...
  • Photos and/or video images of work situations or training events and personal data of participants in training events.

5. How long do we retain your personal data?

In the interests of employees, all data is retained until 30 years after reaching normal retirement age. Personal data may be retained even longer for statistical purposes or in the context of scientific or historical research, in which case the data will be anonymised as much as possible.

6. What do we use this data for?

6.1. Carrying out company services

The sensitive personal data (more explicitly: "Data on health") is processed lawfully by the controller on the basis of articles 9(b) and 9(h) of the GDPR;

b) processing is necessary for the performance of obligations and the exercise of specific rights of the controller or the data subject in the field of employment law and social security and social protection law, to the extent permitted by Union law or national law or by a collective agreement under national law providing appropriate safeguards for the fundamental rights and freedoms of the data subject.

Service provision is mainly legally determined by the Code on Well-being at Work.

h) processing is necessary for occupational or preventive health purposes, for the assessment of the working capacity of the employee, medical diagnoses, the provision of health care or social services or treatment or the management of health care systems and services or social systems and services, on the basis of Union law or national law, or on the basis of a contract with a health care provider and subject to the conditions and safeguards referred to in paragraph 3. The sensitive personal data processed by the controller relates to data on health; in other words, weight, BMI, work (in)capacity as stated on the Health Assessment Form (HAS) or the Re-integration Assessment Form (RAF), medical data, psychological data, injuries following a serious work accident, the lifestyle of the data subject, ...

Premed guarantees that your personal data:

  1. is processed in a manner that is lawful, fair and transparent
  2. is collected for specific, explicitly defined and justified purposes
  3. is sufficient and relevant and limited to what is necessary for the purposes for which it is processed
  4. is accurate and updated as necessary
  5. in the case of scientific research: is kept in a form that makes it impossible to identify the data subject

6.2. Marketing purposes

With regard to the processing of personal data for marketing purposes, the controller may rely on a legal basis (recital 47 GDPR). At the bottom of each mailing you will find the option to unsubscribe.

6.3. Scientific research

Premed guarantees that group reports including scientific, historical or statistical research are conducted anonymously through pseudonymisation and encryption of personal data (art. 89 GDPR).

7. How do we secure your data?

Premed guarantees that appropriate technical or organisational measures have been implemented to ensure adequate protection of personal data. Personal data is protected against unlawful or unlawful processing and against accidental loss, destruction or damage.

8. What are your rights and how can you exercise them?

8.1. Right of access

Every natural person has the right to view his/her personal data. You can contact Premed for this purpose.

Please note! Access to medical records is not given directly to the employee, but to his/her treating physician. This is in accordance with the advice of the Medical Association dated 07/09/1996.

8.2. Right to rectification

Every natural person has the right to have his/her data in our systems amended.

8.3. Right to erasure

The right to erasure cannot be exercised in most cases, as processing is based on a legal basis.

8.4. Right to object to processing of your data for direct marketing

At the bottom of each mailing you will find the option to update your data or unsubscribe.

8.5. How can you contact Premed to exercise these rights?

  • Tel: 016308111
  • Fax: 016308110
  • Email: info@premed.be
  • Address: Tiensevest 61-unit 2, 3010 LEUVEN

9. Portability of personal data if the customer changes External Service

9.1. Medical Supervision Department

The transfer of health records is governed by the Code on Well-being at Work, Book I, Title 4, Section 4.

The health record consists of four different parts:

  • the socio-administrative data concerning the identification of the employee and his employer
  • the occupational history and the objective medical personal data, which have been established on the basis of the mandatory actions carried out during preventive medical examinations. This personal data is related to the employee's workplace or activity
  • the specific personal data established by the occupational physician during preventive medical examinations and reserved to the latter physician
  • the exposure data of each employee who is employed at a workplace or in an activity where he is exposed to biological, physical or chemical agents.

The health record contains no information about participation in public health programmes that are not work-related.

The transfer of medical data is carried out under the responsibility of the physician in charge of the department responsible for medical supervision (director of medical supervision).

For transfer of medical records, the director of medical supervision of the new external service must write to the director of medical supervision of the controller, requesting data transfer. Only after receipt of the request are the requested files actually transferred.

9.2. Psychosocial Risks Department (Risk Management)

The transfer of this personal data is governed by article 34 of the Code on Well-being at Work, Book I Title 3 Prevention of psychosocial risks at work.

When the customer changes external service for prevention and protection at work, the transfer of the individual file is arranged as follows:

When the formal psychosocial intervention request is being processed at the time of change:

  • the prevention advisor for psychosocial aspects informs the requester and any other directly affected person as soon as possible of the fact that the external service for which he performs his duties will no longer be competent to handle the request
  • the customer provides the prevention advisor for psychosocial aspects to whom the request was submitted, at his request, the contact details of the new external service
  • the prevention advisor for psychosocial aspects to whom the request was submitted provides the individual file to the prevention advisor for psychosocial aspects of the new external service
  • the prevention advisor for psychosocial aspects of the new external service informs the requester and any other directly affected person of the fact that he is taking over the handling of the request.

When the handling of the formal psychosocial intervention request is completed at the time of change of external service for prevention and protection at work:

The prevention advisor for psychosocial aspects of the new external service may, when necessary to carry out his duties, obtain a copy of the individual file from the prevention advisor for psychosocial aspects to whom the request was submitted.

The transfer of the individual file is carried out under conditions that safeguard professional secrecy.

10. What about our website & cookies?

To make our website work properly, we sometimes need to put small files on your computer, called cookies. Most large websites do this.

A cookie is a small text file that a website stores on your computer or mobile device when you visit the site. This allows the website to remember the pages you have visited and your preferences so you don't have to enter this again each time you visit the site.

What we store in cookies:

  • display preferences, such as contrast colour and font size
  • whether you have answered a survey about our site (so we don't ask again)
  • whether or not you agree to the use of cookies on our site
  • to keep statistics on website usage
  • whether or not you agree with our privacy policy

The cookies on our site also use components to create anonymous statistics on how you found our website and which pages you viewed.

This website also works without cookies, but is less user-friendly. You can therefore delete or block cookies, but some parts of the site will not work (properly).

The information collected by cookies is not used to identify you and we do not share statistical data with third parties. These cookies are also not used for purposes other than those described above.

How can you find out more and what can you do with cookies?

You can always control and/or delete cookies. You can find more about this at aboutcookies.org. You can delete all cookies on your computer and you can set your browser to block cookies. This does mean that you will have to reset your preferences on each visit and that some parts of the website will not work (properly).

11. Measures if there is a breach of personal data

The controller (Premed) is obliged to report breaches concerning the security of personal data to the competent Belgian supervisory authority within 72 hours. This unless it is unlikely that the breach of personal data presents a risk to the rights and freedoms of the data subject(s).

The above obligation also applies if the controller, for example by submitting a complaint by a data subject, becomes aware of a breach of personal data at a designated processor or a third party.

If the breach of personal data is likely to present a high risk to the rights and freedoms of natural persons, the customer informs the data subject(s) of the breach of personal data without undue delay in accordance with article 34 of the GDPR.
Both the customer and the controller work together with the competent Belgian supervisory authority to provide the necessary information and limit the consequences of the breach.

For more information about our privacy policy or for complaints regarding your privacy, including the exercise of your right of access, you can contact our Data Protection Officer (DPO) at dpo@premed.be.

Part 2: Whistleblower Scheme

In accordance with the Belgian whistleblower scheme, Premed has established the necessary reporting channels to expose wrongdoing within the (former) organisation. In this way, these can be detected and addressed at an early stage.
At the same time, effective protection is provided to whistleblowers.

Who can file a report

Any person who obtained information about wrongdoing in the context of an employment relationship can file a report. The whistleblower may be a (former) employee, applicant, volunteer, trainee or self-employed person working in the company, shareholder, director, but also someone who works under the supervision and direction of (sub-)contractors and suppliers, etc.
Persons who have no employment relationship with Premed cannot file a report. They can submit a complaint, which is not the same as a report. Customers of Premed or their employees cannot therefore file a report via this whistleblower scheme. They can submit their complaint about Premed's service provision to the general email address info@premed.be Premed is ISO-certified (ISO 9001) and will handle this complaint appropriately.

Procedure at Premed VZW

If a whistleblower wishes to use the whistleblower scheme, he/she can make his/her concern known in one of the following ways:
- Formal or anonymous letter to:
Premed Whistleblower
Tiensevest 61 / 2
3010 Leuven;
- Via email to whistleblower@premed.be;
- Via the external reporting channel established by the government, directly or in parallel with reporting to Premed: www.federalombudsman.be/en/whistleblowers.

Concerns are best presented with the necessary background of the concerns, the reason(s) why the whistleblower is concerned and with appropriate data or evidence if available.
The whistleblower receives proof of the report within seven days in accordance with the legal obligation.

Protection for whistleblower

Premed VZW has a duty to protect the whistleblower adequately. Therefore, reprisals against an employee who in good faith reports a breach are not tolerated.
Premed VZW is also committed to maintaining confidentiality as much as possible and provides assurance that all reports are subjected to appropriate investigation and an appropriate conclusion through an efficient process.

Cookies