Digitale Balie

Data Processing Addendum

This is a draft Data Processing Addendum for GP practices. It should be legally reviewed before signing or production use with real patient data.

Last updated: 2026-06-24 · Version: 2026-06-24

NederlandsEnglish

1. Parties and subject matter

The GP practice is controller. Digitale Balie is processor for patient requests processed through the practice's digital frontdesk.

The subject matter is hosting, storing, routing, displaying, managing, and supporting structured patient requests.

2. Duration, nature, and purpose

Processing lasts for the duration of the trial or agreement, including the agreed retention/deletion period. The purpose is request intake and follow-up by practice staff.

3. Data subjects and data categories

  • Data subjects: patients, GP staff users, and practice contact persons.
  • Patient data: name, date of birth, contact details, language, request type, details/short note, status, history, and internal notes.
  • Staff data: name, email, role, login and audit events.
  • No BSN by design.

4. Special category data

Patient requests may contain health-related information. Digitale Balie does not perform triage, diagnosis, medical advice, or urgency assessment.

5. Processor obligations

  • Process only on documented instructions from the practice.
  • Ensure confidentiality.
  • Apply appropriate technical and organizational measures.
  • Assist the practice with data subject rights and breach notifications.
  • Delete or return data after termination according to agreed terms.
  • Provide reasonable audit information.

6. Subprocessors

Digitale Balie uses subprocessors to deliver the service. The current list is on the subprocessors page. The practice will be informed of material changes.

7. Security measures

  • TLS, password hashing, role-based access, tenant isolation, and audit logging.
  • Backups, logging minimization, access limitation, security updates, and rate limiting.
  • No BSN and no file upload by default.

8. Breaches and requests

Digitale Balie will notify the practice without undue delay after becoming aware of a personal data breach affecting practice data. The practice is responsible for supervisory authority or patient notifications where required.

The practice handles data subject requests; Digitale Balie assists where required.

9. Deletion, transfers, and audit

After termination, data is deleted or exported according to retention policy and the DPA. Hosting is preferably EU/EEA; safeguards are used for transfers outside the EEA. Audits must be reasonable and non-disruptive.

10. Order of precedence

For processing patient data, this DPA prevails over conflicting Terms. This document is a draft and should be reviewed before signing.

Contact

Questions about this page: office@thepadel.pl