Privacy Policy

Date: 5 January 2024

Version: v1.0

Who we are

The digi.me service is owned by World Data Exchange B.V., KvK No 88297772, Zuid-Hollandlaan 7, 2596 AL 's-Gravenhage (we, our, us).

We can be contacted in several ways:

By email to: privacy@worlddataexchange.com

In writing to:

Privacy Manager
World Data Exchange B.V.
C/- Spaces Rode Olifant
Zuid Hollandlaan 7
2596 AL Den Haag 
Netherlands 

Or contact us at www.digi.me

What is the digi.me service? Overview, background and context

The digi.me App and associated technology platform (together referred to as the digi.me service) is designed to operate within and support the MedMij digital health framework.

MedMij is the standard for the secure exchange of health data between healthcare providers and healthcare users in the Netherlands. The digi.me service has been purpose-built to constitute a personal health environment (PGO) that operates within the MedMij framework.

The MedMij framework consists of technical, regulatory and standards-based requirements and safeguards to achieve MedMij’s objective of enabling individuals to securely and reliably exchange health data. Compliance with these, together with the sophisticated functionalities of the digi.me service, enables that exchange of data. It also enables these participants to use the MedMij label referred to later in this section.

As a PGO within the MedMij framework, the digi.me service enables you to securely and privately connect to, access and obtain your personal health data from the health service providers who participate in the MedMij framework and to download these to your individual encrypted cloud-based data vault.

Another of the digi.me service’s functionalities is that it enables personal health data from all of your participating health service providers to be viewed and managed in the one location, in near or real time, on your own personal computer or device.

All organisations that provide technologies and services that comply with MedMij’s high standards are permitted to use the MedMij label, thus providing healthcare providers and users with the assurance that the service is reliable, safe and secure. Having passed all relevant MedMij functional accreditation, ISO and NEN security certification requirements, the digi.me service has the right to use the MedMij label:



The MedMij framework operates against a legal and regulatory background that includes the General Data Protection Regulation (GDPR), which requires organisations to provide individuals with information about the control, processing, collection, use, disclosure and other handling of their personal data. This Privacy Policy is designed to comply with these requirements.

Our approach to data protection

Our approach to data protection is consistent with the requirements of Article 25 of the GDPR which requires that organisations that control and process personal data adopt a ‘data protection by design and by default’ approach. This includes technical and organisational measures that support this methodology.

These requirements are supplemented by the specific rules and norms established by MedMij under the MedMij Framework. These can be located at medmij.nl.

What personal data do we collect?

Essentially, the personal data collected by the digi.me service falls into two broad categories:

  • personal data we collect through or as part of the sign-up process; and

  • the personal data (including sensitive health data) that you choose to download to the digi.me service from the MedMij system.

Creating an account and signing in

The first step in using the digi.me service is to establish an account and to sign in to the service.

The digi.me service can be accessed via two separate pathways – either through a personal computer-based web browser or (from early 2024) through the digi.me App downloaded onto your personal device such as a smart phone or tablet. The sign in process is initiated exclusively through a computer-based web browser at digi.me.

When you visit app.digi.me directly or select ‘Launch app’ on the digi.me web service you will have the option to find and select your first healthcare provider or, if you already have a digi.me account, to login.

If you are a new user, after you select one of the healthcare providers, the digi.me service automatically directs you to MedMij. MedMij will then request you to authenticate yourself by providing your DigiD and to consent to the digi.me service accessing your personal and health data. This verification process is operated and managed by MedMij.

Once verified and connected you will create your digi.me account. You will need to provide:

  • your name;

  • your email address; and

  • a mobile or other phone number capable of receiving an SMS message which is used to provide you with the one time, duration-limited, verification code required to complete the account creation and log in process.

The following is indicative but not exclusive of the types of health data sources that are available through the digi.me service:


  • Allergy Intolerances

  • Appointments

  • Diagnosis

  • Documents

  • Encounters

  • GP Records

  • Measurements

  • Medical Aids

  • Medication

  • Procedures

  • Results

  • Vaccinations

How the digi.me service collects personal and sensitive data

The personal and health data that is collected in the digi.me service is governed by:

  • the rules and functionalities established for the MedMij system by the MedMij foundation; and

  • the functionalities established by the digi.me service.

These rules and functionalities enable you to select the sources of your health data that you wish to access and to download these through the digi.me service to a unique and encrypted data vault to which you hold the master access 256-bit encryption key that is linked to your account sign-in ID.

The decision about what types of personal and health data are collected by the digi.me service is determined by you. Personal and health data that is accessed, downloaded and stored in your own encrypted data vault is actioned at your direction and with your informed consent following verification of your account by the Netherlands DigiD service.

We port and translate your personal and health data for you as part of the automated process of establishing your account.

Although the digi.me service collects your personal and health data, as determined by you, we do not have access to it. Your data is encrypted in transit and at rest. We do not hold, maintain or have access to the decryption keys required to decrypt your data: only you hold the decryption keys.

Processing: use and disclosure of personal data

The digi.me service uses your log in details to establish, maintain and service your digi.me account.

The digi.me service does not disclose or access any of the personal and health data you choose to download to your encrypted data vault using the digi.me service.

If a competent, legally authorised agency, such as a law enforcement or regulatory agency, requires us to provide access to your digi.me service account, we will comply with that requirement as required by law. To the extent that we are permitted to do so, we will take reasonable steps to notify you of any such requirement to enable you to contest or otherwise dispute such a requirement.

Your personal data vault is provided by a third party cloud service provider, Microsoft Azure cloud services, under a service arrangement with us. Your personal and health data is encrypted in transit to it, within it and when accessed by you using your individual encryption/decryption key.

How does the digi.me service store your personal and sensitive data?

As part of our privacy by design approach, we have adopted security by design to safeguard the security and integrity of your personal and health data. We, and our service providers, take all reasonable steps to protect your personal and health data from misuse, unauthorised access or disclosure. As required under the MedMij framework, the digi.me service has been certified to comply with the NEN 7510-1:2017 security standard.

When you choose to download your health data it is automatically encrypted in transit. The data that you download or upload to the digi.me service is encrypted using SSL (Secure Sockets Layer) technology and in your personal digital data vault.

Other security measures that we employ include access controls, regular security audits and ongoing staff security training.

Data Localisation

The digi.me service locates all your personal and health data on computing facilities and infrastructure situated in the Netherlands.

Age restrictions

Under the rules adopted by the MedMij foundation, you must be sixteen years of age or older to participate in the PGO framework. This means that you must not use the digi.me service unless you are sixteen or older.

Cookies

We only use cookies that enable us to ensure the functionality of the digi.me service, including to enable you to sign-in correctly.

We do not use or deploy performance, functionality, targeting or advertising cookies.

What are your data protection rights?

Your data access rights

You may request that we provide you with access to the personal information we hold about you. To do so, please contact us by email at privacy@worlddataexchange.com.

Your right to rectification

You have the right to request us to rectify personal data we hold about you.

To do so, please contact us by email at privacy@worlddataexchange.com.

If you wish to rectify personal or health data you download from the health providers who participate in and hold your personal or health data under the MedMij framework, you must contact the health service provider to amend, correct, annotate or rectify the data in question in accordance with the relevant laws and regulatory processes of the Netherlands and any applicable clinical rules and norms. 

Your right to erasure

The digi.me service includes functionality that enables you to erase your personal data by deleting your account. You can delete your account by selecting “Delete my account” from the digi.me main menu icon and following the instructions.

Your right to restriction of processing

We do not use, disclose or provide your personal data to any third party for reward or otherwise. We do not access your personal and health data for any purpose or reason unless we are compelled to do so by a law enforcement agency, regulatory authority or otherwise by a person or organisation that has the legal authority to do so.

Your right to data portability

You may request that we provide you with an accessible copy of the personal data we hold about you in a readily available format.

Such a request may be made by sending an email to us at privacy@worlddataexchange.com.

Amendments

We review this privacy policy from time to time to ensure that it remains accurate and up to date. If we amend this policy we will provide you with prior notification and an explanation of the amendments.