Privacy Statement
Last updated: 2026-05-21
Motion Lab Fysio respects your privacy and handles your personal data with care. This privacy statement explains what data we collect, why, how long we keep it, and your rights. We work in accordance with the General Data Protection Regulation (GDPR), the Dutch Act on Additional Provisions for Processing Personal Data in Healthcare (Wabvpz), and the Dutch Medical Treatment Contracts Act (Wgbo).
Who is responsible?
The data controller is Motion Lab Fysio, located at Silo Sports Club, Faas Wilkesstraat 104A, 1095 MD Amsterdam. Registered at the Dutch Chamber of Commerce under number 93093381. BIG-number 09923673204. Privacy questions can be sent to info@motionlabfysio.nl.
What data do we process?
When treating you, we process the following data:
- Identification data: first and last name, date of birth, BSN (Dutch citizen service number), gender, and a copy of your ID (for verification at the first appointment only)
- Contact details: address, e-mail, phone number
- Insurance data: health insurer, policy number
- Medical data: complaints, treatment history, findings, treatment plan, progress and outcome measurements
- Referral data: details of your GP or referring specialist (if applicable)
- Billing data: treatments, rates, payments
Medical data is classified as special category personal data (GDPR article 9). Stricter rules apply to this category. Some of your data is received from third parties, such as your GP or referring specialist via a referral letter. Providing the above data is necessary for the treatment agreement and for compliance with statutory obligations. Without this data we cannot treat you or bill your health insurer.
Why do we process your data?
We process your data for the following purposes:
- To carry out the treatment contract (Wgbo)
- To maintain your medical file (statutory obligation under Wgbo)
- To bill you or your health insurer for treatments
- To maintain contact and schedule appointments
- To comply with legal obligations (such as ID verification and retention periods)
- Quality monitoring through anonymised patient satisfaction measurement (PREM)
The legal basis for processing is the performance of the treatment contract (GDPR art. 6(1)(b)) and compliance with legal obligations (GDPR art. 6(1)(c)). For medical data we rely on GDPR art. 9(2)(h) (processing for purposes of preventive or occupational medicine, medical diagnosis and the provision of healthcare).
Who do we share your data with?
We only share your data when necessary for your treatment, for billing, or when legally required. With all parties that process your data on our behalf ("processors") we have signed a processor agreement in accordance with GDPR art. 28.
Processors
- Intramed (Convenient Software B.V.): electronic patient record system. Hosting and storage in the Netherlands.
- Siilo: secure messaging with other healthcare providers.
- Qualiview: patient satisfaction measurement (PREM). You will only receive a questionnaire after your explicit consent.
For the technical operation of the website (hosting, e-mail delivery, spam protection) we use standard service providers within the European Union, with whom we have signed processor agreements.
Recipients of data
- Your GP or referring specialist: for feedback after intake, treatment, or under Direct Access Physiotherapy (DTF), with your consent.
- Your health insurer: for the billing of treatments.
- Vektis: as the national billing infrastructure between care providers and health insurers.
- Other healthcare providers: only when necessary for your care and with your consent.
We never share your data for commercial purposes. We do not transfer your data outside the European Economic Area (EEA).
How long do we keep your data?
We retain your medical file for 20 years from the date of the last entry, or longer if reasonably required by good care practice. This is set out in article 7:454 of the Dutch Civil Code (Wgbo).
Financial records (invoices, payments) are kept for 7 years, in accordance with the fiscal retention obligation (article 52 of the Dutch General State Taxes Act).
Contact form data on this website is kept for a maximum of 2 years, unless a treatment relationship arises, in which case it falls under the 20-year retention of the patient file.
Security
We take appropriate technical and organisational measures to secure your data. Our EPR provider complies with NEN 7510, the Dutch standard for information security in healthcare. This website is served exclusively over HTTPS. Access to your file is restricted to your treating physiotherapist. In the event of a data breach with consequences for your rights and freedoms, we report this within 72 hours to the Dutch Data Protection Authority and, where legally required, also to you.
Your rights
Under the GDPR and Wabvpz you have the following rights:
- Right of access: you may inspect your file.
- Right to a copy: you may receive an (electronic) copy of your file.
- Right to rectification: you may have incorrect data corrected or supplemented.
- Right to erasure: you may have (parts of) your file removed, unless a statutory retention requirement prevents this.
- Right to restriction: under conditions, you may restrict the processing of your data.
- Right to data portability: you may receive your data in a structured, commonly used format.
- Right to object: you may object to processing.
- Right to withdraw consent: where processing relies on your consent.
You can exercise these rights by e-mailing info@motionlabfysio.nl. We respond within one month. If we have doubts about your identity, we may ask you to provide identification.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl) if you believe your data is not being processed correctly.
Data Protection Officer
Motion Lab Fysio is a solo practice. Under GDPR art. 37 a Data Protection Officer (DPO) is not required for our practice, and we have not appointed one. For privacy questions, please contact us directly at info@motionlabfysio.nl.
Electronic data exchange (Wabvpz)
For exchange of patient data with other healthcare providers we use secure communication channels, including Intramed and Siilo. For exchange via an electronic exchange system we obtain your consent in advance. You may withdraw this consent at any time without giving a reason. You also have the right to receive an overview of who has accessed your data (logging).
Cookies
This website does not place analytics or tracking cookies. We use no Google Analytics, no social media pixels and no advertising cookies. For this reason you will not see a cookie banner: no consent is required.
Automated decision-making and profiling
We do not use automated decision-making or profiling. Decisions about your treatment are made exclusively by your treating physiotherapist, based on personal examination and in consultation with you.
Changes
We may update this privacy statement if laws, regulations, or our practices require. The most recent version is always on this page. The date at the top indicates when the statement was last updated.