Data protection policy


Stichting mirro is committed to carefully handling all (personal) data received and respects the privacy of all the information you provide about yourself through the foundation’s website. Therefore, we do not collect any personal data – such as names, addresses, telephone numbers or email addresses – via our website, unless you, as a user, provide us with this data voluntarily by registering for the mirro modules.
Once you have given our foundation permission to process your (personal) data, this data is processed in accordance with this data protection policy.

Article 1 – Definitions

In this data protection policy we use the following definitions:
Policy: this data protection policy
Data: all of a user’s personal data
User: the person who registered for (one of) the mirro modules; the modules call for data collection and/or processing
Stichting mirro: Stichting mirro, based at Grebbeberglaan 15 (3527 VX) in Utrecht (the Netherlands), registered in the trade register of the Chamber of Commerce with number 55160069 and responsible for processing (personal) data in accordance with the General Data Protection Regulation.
Processing: a single processing effort or a series of processing efforts of personal data, possibly through automated processes, such as the collection, recording, ordering, structuring, storing, editing or reviewing, requesting, consulting, using, sending or making available in any other way, aligning or combining, protecting, cancelling or destroying of data (article 4 paragraph 2 of the General Data Protection Regulation)

Article 2 – Applicability

This policy applies to the processing of data by Stichting mirro.

Article 3 – Purpose of the data processing

The data is processed for the following purposes:
(a) to allow the user to use the mirro modules and all their technical and functional features
(b) to (further) develop and/or improve the mirro modules
(c) to achieve the statutory mission of Stichting mirro, namely to contribute to a mentally fitter country and to provide persons with mental issues in the Netherlands with better care, in a timely manner. To this end, Stichting mirro develops web-based applications and other activities that are linked to the above, in the broadest sense, or that may be beneficial.

Article 4 – Consent

1. Data can only be processed with prior consent from the user. Consent must be given during the registration process, and subsequently users must create an account.
2. Users have the right to revoke their consent at any time. If a user revokes their consent, Stichting mirro shall immediately terminate the user’s account and destroy all data linked to that account.
3. Stichting mirro keeps a record of its processing activities in accordance with article 30 of the General Data Protection Regulation. A register is also kept of the consent given by users based on the date, time and a personal identification code.

Article 5 – Which data is processed?

1. Upon registration for the mirro modules the following user data is collected: name, user name, email address and password. This data is necessary to provide the user with a personal account.
2. If the user uses the mirro modules, the user’s personal answers are also recorded, in addition to the data mentioned in the previous article.
3. Stichting mirro does not process more data than necessary for the purposes for which it was collected. If data can be processed anonymously or by means of pseudonyms for the intended purposes, Stichting mirro shall follow this approach.

Article 6 – User rights

1. If the user has an active internet connection, he or she can get access to the data by logging in to their personal account.
2. The user can edit and/or add data in the personal account, and make a copy of this data. Editing data also includes (partial) destruction of this data.
3. The user has the right to obtain confirmation from Stichting mirro on whether or not their personal data is being processed and if so, to get access to this personal data. Stichting mirro will then provide access to the data by creating a personal account for the user to manage their data.
4. The user has the right to request immediate rectification of any incorrect personal data in accordance with article 16 of the General Data Protection Regulation.
5. The user has the right to object to Stichting mirro processing the data. In that case, Stichting mirro will immediately stop processing the data by cancelling the user’s account and destroying all the data linked to the account in question.
6. If Stichting mirro receives a request as described in paragraphs 3, 4 and 5 of this article, the person submitting the request must identify themselves with a valid identification document.
7. The user has the right to request the deletion of all their data (“the right to be forgotten”). If the user withdraws authorisation for the data to be processed as described in article 4 of this policy, the data will be deleted immediately, as well as the user’s account.

Article 7 – Storage period

1. The data is stored for as long as the user’s account remains active.
2. The user obtains an account for a one-year period. Following this year, the account and all the data linked to it are deleted, unless the user has requested that the account remain active for an additional year.

Article 8 – Confidentiality

1. Stichting mirro is committed to keeping the user’s data confidential.
2. Exceptions to this confidentiality obligation can only be made if Stichting mirro has explicitly received written authorisation from the user or if Stichting mirro is legally obliged to do so, e.g. based on a final binding court decision.
3. The confidentiality obligation is imposed on all third parties that Stichting mirro relies upon to carry out its activities.

Article 9 – Data security

1. Stichting mirro takes all suitable and feasible technical and organisational measures to guarantee data security. This includes:
(a) securing connections with SSL certificates
(b) meeting the NEN 7510, NEN 7512 and NEN 7513 standards on the technical log-in requirements
(c) signing processing agreements with the relevant suppliers/partners for data security.
2. The data may include medical details. Therefore, Stichting mirro regularly carries out a Data Protection Impact Assessment (DPIA).

Article 10 – Data protection officer

Stichting mirro has an in-house data protection officer.

Article 11 – Other provisions

1. Stichting mirro reserves the right to change its policy unilaterally. If Stichting mirro decides to do so, the user will be informed in writing. If the user disagrees with the changes, the consent described in article 4 paragraph 2 of the policy can be revoked and the data processing will cease immediately.
2. Stichting mirro can delete an account and the linked data if the user has not used it for longer than one (1) month following the expiry of the account. In order for Stichting mirro to delete a “dormant” account, the user will first be informed in writing that the account will be deleted and they will be offered a reasonable timeframe to reactivate the dormant account.

Article 12 – Questions and/or complaints

1. If you have any questions, you can contact the Stichting mirro service desk every weekday from 09:00 to 17:00 by telephone on (+31) (0)85 4898999 or by email at info@mirro.nl.
2. If you have any complaints, you can contact our service desk.
3. Users have the right to lodge a complaint with the Dutch Data Protection Authority.