Privacy Policy

If you are a patient at UMC Utrecht, we process your data. This means that we put your data in our system and use it where necessary. This is mandatory. You will find more information about this in this privacy statement.

Whose data do we process?

  • You as the patient;
  • You as contact person;
  • You as legal representative*.

*Are you a contact person or legal representative? If so, the UMC Utrecht processes a limited amount of your personal data, such as your name, contact details and relationship to the patient. These data are needed to contact you about the patient’s treatment.

Who is responsible for my data?

UMC Utrecht is the so-called data controller in the sense of the General Data Protection Regulation (AVG). This means that UMC Utrecht is responsible for processing your data. The UMC Utrecht decides:

  • Which personal data are processed;
  • Why the data are processed;
  • How the data will be processed.

UMC Utrecht is responsible and accountable for this.

What do we use your data for?

Your personal data will be used within the UMC Utrecht for:

  • establishing a disease profile (performing diagnostics), treatment and aftercare of patients;
  • exchanging data with referring physicians, general practitioners and other care providers;
  • handling patient care (e.g. care costs);
  • scientific research;
  • education and (continued) training;
  • accountability;
  • quality assurance and quality improvement.

With whom do we share your data?

The UMC Utrecht provides your personal data for the above purposes to, among others:

  • Other healthcare providers, healthcare institutions or third parties who are or have been involved in your treatment. These data are about your treatment.
  • Other research institutions or third parties who are or have been involved in scientific research. This data is encrypted to protect your privacy.
  • GP. The general practitioner will receive a letter summarizing your treatment at UMC Utrecht.
  • Quality registrations. Only data that cannot be traced back to a person will be shared.
  • The health insurer. Only a DBC (financial codes) will be given for settlement of healthcare costs.
  • Indication bodies.
  • Other recipients based on your consent or if there is a legal obligation to do so, such as reporting an emergency.

More information

Your rights when sharing medical data (in Dutch).

Processing outside the EEA

Your data may also (partly) be processed by third parties, for example suppliers of UMC Utrecht or parties involved in scientific research, in countries outside the European Economic Area (EEA), which may not have the same level of protection for your data, such as the United States. According to the European Union, there is currently no adequate level of protection there due to, among other things, the ample possibilities the American authorities have to intercept or retrieve data and the limited possibilities for non-U.S. persons to oppose this. The UMC Utrecht will make further agreements with these parties so that this processing outside the EEA does meet the requirements of the AVG.

How do we obtain your data?

To provide you with the best possible care, we need the appropriate personal data from you. We get this data through:

  • what you (or your legal representative) tell the doctor about your health;
  • results based on bodily material (for example, blood samples);
  • results from imaging (for example, a scan or photograph);
  • determination of clinical picture (diagnostics) and reports by involved health care providers;
  • patient checks;
  • referring health care provider.

What personal data do we process?

We process no more data than we need to provide good care to you, to improve our care and for our administration. Your data may also be used for scientific research (link in Dutch) under certain conditions.

Personal data we process from you are:

  • First and last name;
  • Date of birth;
  • Gender;
  • Residential address;
  • Nursing address if applicable;
  • Phone number;
  • Email address;
  • Insurance information;
  • Citizen service number (BSN)*;
  • Legal representative(s) if applicable;
  • History of immediate family if this is important to your treatment and diagnosis.

*It is a legal requirement that we record and verify your BSN via proof of identity. This is because we want to avoid confusing you with another patient. Other reasons we use your BSN are:

  • Preventing errors in the exchange of financial and medical data;
  • Making it easier to claim expenses from health insurance;
  • Providing better protection against identity fraud.

Special personal data

Sometimes it is necessary to process additional personal data. These are:

  • Health data, including documents containing health and personal data;
  • Data revealing racial or ethnic origin, such as nationality;
  • Data about religious or philosophical beliefs if relevant to treatment;
  • Data about sexual behavior if relevant to treatment;
  • Genetic data.

How do we protect your information?


  • All care providers working in the UMC Utrecht have a duty of confidentiality. They may not give any of your information to others without your permission. There are some (legal) exceptions.
  • All other employees (such as support services) also have a duty of confidentiality.


  • It is our job to protect your data. To this end, we take technical and organizational measures. For example, only caregivers involved in your treatment are allowed to view your file if necessary for your treatment.
  • Other employees may only view your file if this is necessary for their work. For example, the care administration staff who are responsible for the care account. They will only have access to the information necessary for their work.
  • The UMC Utrecht ensures that the computers are properly secured. We work according to nationally established security standards and are certified for this. In addition, we monitor which employees have viewed your file.
  • Sometimes it is necessary for the UMC Utrecht to engage a third party to perform its work. In that case the UMC Utrecht ensures that this third party uses the same level of security and confidentiality as the UMC Utrecht. Sometimes data is sent to third parties in countries outside the European Economic Area. In that case the UMC Utrecht will take the measures necessary to protect your personal data in accordance with the requirements of (European) privacy legislation.

How long do we keep your data?

  • We keep your data for 20 years from the moment our care for you stops.
  • This is required by the Medical Treatment Agreement Act (WGBO) and the Compulsory Mental Health Care Act.
  • We may keep your data longer if it is necessary to provide you with good care.

Archives Act

Furthermore, we comply with the Archives Act. This means that we keep some data from your medical record for up to 115 years after your birth (core documents). These records are:

  • discharge letter
  • surgery report
  • anesthesia report
  • results of pathological examination
  • first aid report
  • data about emergencies

We do not keep your data longer than necessary.

Scientific research

  • UMC Utrecht is a teaching hospital and has a legal duty to conduct scientific research.
  • We ask your permission if we want to use your data for scientific research. You can withdraw this permission at any time.
  • Sometimes we cannot ask for your permission, for example because someone has died or is very difficult to find. The UMC Utrecht may then use your medical information for scientific research under strict conditions. You can object to this with your healthcare provider.

More information on the use of medical data and body tissue (in Dutch)
More information about scientific research (in Dutch).

My UMC Utrecht patient portal (Mijn UMC Utrecht)

The UMC Utrecht stores your medical information in an electronic patient file (HiX). Through the Mijn UMC Utrecht patient portal you can view (part of) this data online. The e-consults you receive and share through the patient portal are also recorded in the electronic patient file.

More information about My UMC Utrecht (in Dutch).

Your rights

Your medical record: access, copy and destruction

  • You may inspect your personal data and your medical record. You can do this online via the My UMC Utrecht patient portal or you can ask your treating physician. In principle, your doctor may not refuse this. However, your doctor may hide certain parts of your file if it contains information about someone else, such as a family member.
  • You can also request a copy of your file and/or have your file destroyed. There may be reasons to refuse your request for destruction.

Changing data

Is your personal information incorrect? If so, it is important that you have it changed. This concerns only objective data, for example a change of address or if your telephone number has changed.

Supplementing data

You may supplement your data. This means, for example, that you can have the opinion of a second doctor (second opinion) added to your record or your own opinion about the care you received. You can ask your treating doctor to do this.

Right to portability

You have the right to obtain your personal data in a structured form, such as in a PDF file.
You also have the right to transfer these data to another data controller, without the UMC Utrecht preventing you from doing so.


Through this link (in Dutch) you can read more about your privacy rights including request forms if you want to exercise your rights.


  • Personal information that you enter through our website, such as your name or address, the UMC Utrecht uses only for the purpose for which you enter it. For example, registration for a meeting or subscription to a newsletter.
  • The UMC Utrecht adheres to the requirements of privacy legislation. The UMC Utrecht never uses your information for other purposes and never gives it to anyone outside the UMC Utrecht, unless you give permission.
  • We do not keep your data longer than necessary.


  • Do you visit our website? Then we use cookies.
  • The UMC Utrecht uses cookies to collect and analyze information about the use of the website and to display videos from YouTube and Vimeo.
  • We use anonymous data to improve and adapt the website.

Read more about our Cookie Policy.

Apps for home measurement

Terms of use & privacy home measurement apps (in Dutch).

Patient Experience Measurement (PEM)

  • The Dutch Federation of University Medical Centers (NFU) has been measuring patient experiences annually since 2013.
  • The measurement of patient experience in the NFU context allows UMC Utrecht to compare its own results with those of other UMCs.
  • By learning from good examples both inside and outside the hospital, UMC Utrecht can improve care for its patients.

Patient information

UMC Utrecht uses the following data from you to send an invitation to the patient experience measurement:

  • First and last name;
  • E-mail address;
  • Gender;
  • The last specialty you visited in the UMC Utrecht.

We share this data, under strict security conditions, with measurement agency Expoints B.V. (in Dutch), which performs the measurement for us.

  • The data are stored on Expoints B.V.’s own secure server and are deleted as soon as possible. This takes place no later than 3 weeks after completing the questionnaire or after you have indicated that you no longer wish to receive the questionnaire.
  • Expoints B.V. sends out the invitations and has a website where the questionnaire can be completed. This site is the property of Expoints B.V.
  • Expoints B.V. sends the results to UMC Utrecht. The results are anonymous. This means that data cannot be linked to patients.
  • Expoints B.V. does not keep your data longer than necessary.


UMC Utrecht organizes webinars to share knowledge and experiences about care and research with interested parties. We organize these together with OnlineSeminar B.V. (link in Dutch).

Participating in a webinar

  • Through the website of UMC Utrecht you can register for a webinar.
  • For participation we ask for your first name, last name and e-mail address.
  • We share your information with OnlineSeminar. This allows you to use the site on which the webinar is broadcast. This site is owned by OnlineSeminar.
  • OnlineSeminar uses your information to send a maximum of four e-mail messages: the invitation, a confirmation, a reminder and a calendar invitation.

The UMC Utrecht has agreed with OnlineSeminar that the data remains property of the UMC Utrecht. With your information the UMC Utrecht notifies you of the next webinar by e-mail. Do you want to see, change or remove this data? Please send an email to

Questions and complaints

We do our best to handle your data with care. But you may have questions or be dissatisfied with how the UMC Utrecht handles your privacy.

  • You can discuss your questions and/or dissatisfaction with your treating physician. Together with you, he will look for possible solutions.
  • You can also contact the Data Protection Officer. This is someone within the UMC Utrecht who supervises the application of and compliance with privacy legislation. The contact details are given below.
  • Hopefully you can submit your questions and/or comments through these channels. But you also always have the right to file a complaint with the UMC Utrecht.
    It is also possible to report a complaint to the privacy regulator, the Authority for Personal Data (in Dutch).

Contact details data protection officer

Postal address:
UMC Utrecht
Attn: Data Protection Officer
House Number Fac. 10.12
P.O. Box 85500
3508 GA Utrecht

T. 088-75 555 55

Third-party privacy policy

This privacy statement does not apply to third-party websites linked from our website. The UMC Utrecht is not liable for the content of these other websites nor for the processing of personal data, cookies and other data by the operators of these websites. For questions about these other websites, please contact the website administrator directly.