Diaeta

Privacy Policy

Last Updated: 28 January 2026

1. Introduction and Our Role

This Privacy Policy describes how your personal information is collected, used, and protected when you visit the website https://diaeta.be or use the professional healthcare services of Diaeta.

Data Controller

Under the EU General Data Protection Regulation (GDPR) and Belgian data protection law, the "Data Controller" responsible for your personal data is:

Business Name: Diaeta
Legal Entity: Sole Proprietorship
Enterprise Number (BCE): 0540.714.226
NIHDI Number: 5-63187-92-601
Responsible Person: Pierre Abou-Zeid
Address: Laudinnestraat 94A, 1602 Vlezenbeek, Belgium
Email: info@diaeta.be
Phone: +32 479 35 55 51
Website: https://diaeta.be

As a Registered Dietitian, I am a licensed healthcare professional bound by professional confidentiality obligations under Belgian law and the GDPR. All personal data you share is treated with strict confidentiality and in compliance with the highest standards of data protection.

2. What Data We Collect

We collect personal data necessary to provide you with safe, effective, and personalized dietetic care. The types of data we process include:

A. Identity & Contact Data

  • Full name
  • Email address
  • Phone number
  • Preferred language of communication

B. Health & Clinical Data (Special Category Data)

This is sensitive health information processed specifically for your healthcare treatment:

Initial Consultation Information:

  • Medical history and past health diagnoses (e.g., Type 2 Diabetes, Irritable Bowel Syndrome, high cholesterol)
  • Current medications and supplements
  • Food allergies and intolerances
  • Family health history
  • Lifestyle information (sleep, stress, physical activity)
  • Details of your primary care physician or referring healthcare provider

Ongoing Clinical Monitoring:

  • Food diaries and meal evaluations (recorded via our professional nutrition software)
  • Fluid intake tracking
  • Symptom journals (especially for IBS patients following low-FODMAP protocols)
  • Weight measurements and body composition analysis (fat mass, muscle mass, hydration percentage) obtained via our professional clinical equipment
  • Relevant blood test results provided by you (e.g., blood glucose, cholesterol levels, triglycerides)
  • Progress notes and clinical observations from your dietitian

C. Financial Data

  • Payment information related to consultation fees
  • Invoice details (name, address for billing)
  • Payment method (cash or Wero QR code)
  • Insurance reimbursement documentation when requested by you

Note: We do not store credit card numbers. QR code payments are processed directly via Wero without any transaction data retention by our practice.

D. Website Technical Data

  • IP address
  • Browser type and operating system
  • Pages visited
  • Time spent on website
  • Geographic location (city-level, not precise)

This data is collected anonymously via Vercel Analytics (cookieless performance monitoring). No analytics cookies are placed on your device.

3. How We Collect Your Data

Personal data is collected through multiple pathways:

  • Direct Communication: When you provide information during in-person or virtual consultations via Google Meet
  • Website Contact Form: When you submit inquiries using the contact form at diaeta.be. Form submissions are delivered by email to info@diaeta.be and deleted immediately after processing, or transferred to our patient management software if you become a patient. These emails are not retained permanently on mail servers.
  • Booking Platforms: When you schedule appointments through Doctoranytime.be or our Google Business profile. Basic information (first name, last name, phone, email, date of birth) is transmitted to our practice for appointment management.
  • Patient Management App: When you actively log food, symptoms, fluid intake, or communicate with your dietitian via our secure nutrition platform
  • Clinical Measurements: When body composition is measured during consultation using our professional clinical equipment
  • Automatic Collection: When you visit our website (anonymized IP address and browser data collected by cookieless analytics; functional cookies are set only with your consent)

Video Consultation Policy

Virtual consultations via Google Meet are conducted in real-time and are NOT recorded. No video or audio recordings are created or stored unless you explicitly request recording for clinical documentation purposes and provide clear written consent beforehand. In such cases, recordings are treated as part of your medical file and subject to the same 30-year retention period and security measures.

4. Legal Basis for Processing Your Data

The processing of your personal data is lawful only when we have a valid legal basis under GDPR. Here's how we justify our data processing:

A. To Provide You with Healthcare Services

General Data (Identity, Contact, Financial)

  • Legal Basis: GDPR Article 6(1)(b) — Performance of a Contract
  • Purpose: We process your contact and financial data to schedule appointments, manage your patient file, send appointment reminders, and process payments. This is necessary to fulfill our service agreement with you.

Health Data (Clinical Information)

  • Legal Basis: GDPR Article 9(2)(h) — Provision of Health Care
  • Purpose: As a Registered Dietitian, I am a healthcare professional legally bound by professional secrecy. The processing of your sensitive health data is necessary for the purposes of "medical diagnosis, the provision of health or social care or treatment" as permitted under this article. This is our primary legal basis for maintaining your clinical file.

B. To Comply with Legal Obligations

  • Legal Basis: GDPR Article 6(1)(c) — Legal Obligation
  • Purpose: Belgian law requires healthcare providers and paramedical professionals to retain patient medical files for a minimum of 30 years
  • Purpose: Belgian tax law requires retention of financial invoices and billing records for 7 years

C. For Healthcare Team Coordination

  • Legal Basis: GDPR Article 6(1)(a) — Explicit Consent & Article 9(2)(h) — Provision of Health Care
  • Purpose: With your explicit consent, we may share clinical progress reports, treatment summaries, or relevant health information with:
    • Your referring physician or primary care provider to ensure coordinated care
    • Your insurance provider when you request documentation for reimbursement purposes (limited clinical information such as diagnosis, treatment dates, and invoice details)

This data sharing is done only at your request or with your clear written consent, and constitutes legitimate healthcare team communication.

D. For Website Analytics

  • Legal Basis: GDPR Article 6(1)(f) — Legitimate Interest
  • Purpose: We use privacy-preserving analytics tools (Vercel Analytics) in cookieless mode. These tools help us improve our website without placing cookies on your device and without personally identifying you. No consent is required as these tools operate without cookies and collect only aggregated, anonymized data.

Analytics Tools Used:

  • Vercel Analytics — Performance monitoring, no cookies, anonymous data
  • Vercel Speed Insights — Real User Metrics (Core Web Vitals)
  • Sentry — Technical error tracking, EU hosted (Germany), for website reliability

5. How We Use Your Data

We use your personal data for these specific, legitimate purposes:

  1. Healthcare Assessment & Diagnosis: To conduct a comprehensive evaluation of your nutritional status, health condition, and treatment needs
  2. Treatment Planning & Delivery: To create, manage, and deliver your personalized dietetic plan and nutritional therapy
  3. Progress Monitoring: To track your clinical progress through food diary analysis via our nutrition software, body composition measurements via our professional clinical equipment, and symptom tracking
  4. Patient Communication: To communicate with you between appointments, provide feedback on your meals, answer your questions, and share clinical insights (primarily via our secure nutrition platform)
  5. Appointment Management: To manage your appointment schedule, send appointment reminders via SMS (without mentioning your name or personal data in the message, only phone number for delivery), and handle booking logistics
  6. Billing & Administration: To invoice you for services via Accountable.eu, process payments via cash or Wero QR code, manage financial records, and maintain accounting compliance. Invoices are securely transmitted via the PEPPOL network.
  7. Healthcare Coordination: To share relevant clinical information with your referring physician or insurance provider (only with your explicit consent or at your request)
  8. Legal Compliance: To maintain your medical file in accordance with the mandatory 30-year retention period required by Belgian law
  9. Website Analytics: To anonymously analyze website traffic and performance via Vercel Analytics (cookieless mode). These privacy-preserving tools do not place cookies on your device

Data Minimization Principle: We adhere to the data minimization principle under GDPR Article 5(1)(c). We collect only the personal data that is adequate, relevant, and strictly necessary for providing your healthcare services. We do not collect excessive or unnecessary information.

6. Data Security: How We Protect Your Information

The security of your personal data, particularly your sensitive health information, is a paramount priority. We implement robust technical and organizational measures to protect your data from unauthorized access, loss, alteration, or misuse.

Security Measures

Secure Software Systems:

  • All clinical data is processed using dedicated, secure, and GDPR-compliant healthcare software
  • Patient management is handled exclusively through certified health data processors with dedicated healthcare systems
  • No patient data is stored on general office computers or unencrypted local devices

EU Data Hosting:

  • Your clinical data is stored on secure, encrypted servers within the European Union
  • Professional nutrition software (patient management, food diaries, clinical notes): Hosted on secure Amazon Web Services (AWS) infrastructure in Frankfurt, Germany (EU)
  • Body Composition Analysis System: Hosted on certified HDS (Hébergeur de Données de Santé) health data servers in France, meeting the highest EU health data standards
  • Google Cloud Platform (Backups & Long-Term Archives): Archived patient data and backups on 2 geographically remote servers located in Belgium, operating with medical-grade security and full compliance with health data protection requirements. These servers ensure data redundancy and the mandatory 30-year medical record retention required by Belgian law.

Backup & Archiving Infrastructure:

Our backup system ensures continuity of care and legal compliance:

  • Purpose: Long-term medical record retention (30-year legal obligation) and security backup for service continuity
  • Infrastructure: Google Cloud Platform (GCP) - Medical-grade protected storage buckets
  • Location: 2 geographically remote servers in Belgium (data remains in EU)
  • Encryption: Data encrypted at rest and in transit via Google Cloud security protocols
  • Access Control: Strictly limited access to the Data Controller (Pierre Abou-Zeid)
  • Redundancy: Dual geographic location for data loss protection
  • Compliance: Google Cloud Platform Data Processing Agreement (DPA) in place

Access Control:

  • Access to your identifiable patient file is strictly limited to Pierre Abou-Zeid (the treating dietitian)
  • All access is authenticated and logged
  • Future staff members (if applicable) will only access patient files necessary for patient care and will be bound by professional confidentiality obligations

Encryption:

  • All patient data transmitted between devices and servers is encrypted in transit using industry-standard TLS
  • Data at rest on servers (nutrition software, body composition analysis system, GCP) is encrypted
  • Communication via our nutrition platform is encrypted end-to-end

Physical Security:

  • Paper records (if any) are stored in locked filing cabinets in secure office spaces
  • Access to consultation rooms is controlled and limited to authorized personnel
  • All office locations (8 practices in Brussels) implement appropriate physical security measures
  • Documents are disposed of securely through cross-cut shredding when permitted by retention requirements

Staff Training:

  • All current and future staff members receive mandatory data protection and patient confidentiality training before accessing any patient data
  • Ongoing training ensures continued compliance with evolving GDPR standards

Incident Response & Data Breach Notification:

  • Despite preventive measures, if a data security incident is suspected, we will investigate immediately to determine scope and impact
  • Your Right to Notification (GDPR Article 34): In the unlikely event of a confirmed personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay. The notification will describe the nature of the breach, likely consequences, and measures taken or proposed to address it.
  • Supervisory Authority Notification (GDPR Article 33): We will notify the Belgian Data Protection Authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to your rights and freedoms.
  • Identity Verification: For your protection, when you exercise your data subject rights (such as requesting access to your data), we may need to verify your identity through secure means (e.g., matching your request details against information we hold, or requesting a copy of identification document). This prevents unauthorized access to your personal data.

Regular Security Review:

  • All software providers undergo regular security audits and compliance certifications
  • We maintain up-to-date vendor security assessments
  • We conduct annual internal reviews of our data protection measures

7. Data Retention: How Long We Keep Your Records

We retain your personal data only as long as necessary to fulfill the purposes for which it was collected, or to comply with legal and regulatory requirements.

Retention Periods

Data Type | Retention Period | Legal Basis
Medical & Clinical Records | 30 years from last consultation | Belgian law on medical records (Royal Decree of May 3, 1999)
GCP Backups (Medical Archives) | 30 years (same as medical records) | Belgian law, retention obligation
Financial Documents & Invoices | 7 years | Belgian tax law
Contact Requests (Non-Patients) | Immediate deletion after processing | Data minimization
Website Analytics Data | 26 months maximum | ePrivacy Directive
Cookie Consents | 13 months (then renewal required) | ePrivacy Directive
GDPR Consent Records | Duration of processing + 3 years | GDPR accountability

Secure Deletion

When data is no longer needed and legal retention periods have expired, we securely delete or anonymize your personal data in such a way that it can no longer be recovered or reconstructed.

Special Note on Patient Records: Belgian law mandates the 30-year retention of patient medical files. This means we cannot delete your clinical data before this period expires, even if you request deletion. However, you retain other rights such as data portability and rectification.

8. Your Data Protection Rights Under GDPR

Under GDPR, you have comprehensive rights concerning your personal data. You can exercise these rights at any time by contacting us.

Your Rights

8.1 Right to Access (Article 15)

You have the right to request a copy of all personal data we hold about you. This includes:

  • Confirmation that we process your data
  • Access to your personal data
  • Information on how we use your data

Response Timeline: 1 month (may be extended by 2 additional months for complex requests)

8.2 Right to Rectification (Article 16)

You have the right to correct inaccurate or incomplete personal data.

Example: If your email address, phone number, or medical information has changed, you can request an update.

8.3 Right to Data Portability (Article 20)

You have the right to receive your health data in a structured, commonly used, and machine-readable format. We can provide your data in the following formats: CSV (Comma-Separated Values), JSON (JavaScript Object Notation), or structured PDF/A with extractable text. You can also request that your data be transferred directly to another healthcare provider. We will provide this within 30 days of receiving a clear request. The right to erasure (Article 17) is covered in section 8.7 below.

8.4 Right to Restrict Processing (Article 18)

You have the right to request that we temporarily halt processing of your data in specific circumstances. For example, if you dispute the accuracy of data, you can request we restrict processing while the accuracy is verified.

8.5 Right to Object (Article 21)

  • To Direct Marketing: You have an absolute right to object to any processing for direct marketing purposes, including promotional communications or newsletters. We do not currently engage in marketing communications; however, if we add such services in the future, you will have this right.
  • To Other Processing: Where we process data based on legitimate interests (not currently applicable to clinical data), you may have the right to object. Note that this right does not apply to processing necessary for your treatment or legal obligations.

8.6 Right to Withdraw Consent (Article 7(3))

Where we rely on your consent (specifically for non-essential cookies on our website, sharing data with referring physicians, or providing insurance reimbursement documentation), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on your consent before withdrawal. You can manage your cookie preferences through our cookie consent banner or by contacting us directly.

8.7 Right to be Forgotten / Erasure (Article 17)

Important Limitation: You have a right to request deletion of your personal data. However, this right is not absolute.

Under GDPR Article 17(3)(b), we are legally unable to erase your core patient medical file before the mandatory 30-year retention period has expired. This is required by Belgian law and by Article 6(1)(c) of GDPR (Legal Obligation).

We can, however, honor erasure requests for:

  • Website contact form data (if you are not a patient)
  • Analytical cookie data
  • Other non-clinical data not subject to the 30-year retention requirement

Note: If you wish to discontinue treatment, we will respect your decision; however, your historical medical records must be retained for the full 30-year period for legal, medical, and professional reasons.

9. Third-Party Services & Data Processors

We do not sell, rent, or trade your personal information. We only share your data with trusted third-party service providers (known as "Data Processors" under GDPR) who are contractually bound to process your data only for the purposes we specify and to protect it according to GDPR standards.

We maintain Data Processing Agreements (DPAs) with all processors listed below as required by GDPR Article 28.

Data Processors

Service | Provider | Purpose | Data Location | GDPR Compliance
Patient Management & Food Diaries | Professional nutrition software | Patient records, food diaries, patient-dietitian communication | AWS Frankfurt, Germany (EU) | ✅ GDPR compliant, Data Processing Agreement signed
Body Composition Analysis | Professional clinical equipment | Body composition measurements, weight tracking | HDS servers, France (EU) | ✅ HDS certification (Hébergeur de Données de Santé), GDPR compliant
Backups & Medical Archives | Google Cloud Platform (GCP) | Medical record backups, long-term archiving (30 years), data redundancy | 2 remote servers, Belgium (EU) | ✅ GDPR compliant, Google Cloud DPA in place
Appointment Bookings | Doctoranytime.be | Appointment scheduling, contact data transmission | Belgium/EU | ✅ GDPR compliant, Data Processing Agreement signed
Business Profile | Google Business Profile | Business information, reviews, bookings | Google data centers (EU) | ✅ GDPR compliant
Video Consultations | Google Meet | Real-time virtual consultations (not recorded) | Google data centers (EU) | ✅ GDPR compliant
Performance Monitoring | Vercel Analytics & Speed Insights | Website performance metrics (Core Web Vitals), anonymous data | EU/USA | ✅ GDPR compliant, cookieless, anonymous data
Error Tracking | Sentry | Technical error detection and website reliability | Germany (EU) | ✅ GDPR compliant, cookieless, EU hosting
Website Hosting | Combell | Hosting of diaeta.be | Belgium/EU | ✅ GDPR compliant, Belgian host
Payment Processing | Wero (formerly Payconiq) | QR code payment processing, pass-through only without data retention | Belgium/EU | ✅ GDPR compliant, no transaction data retention
Invoicing & Tax Management | Accountable.eu | Invoice generation (basic data: name, address, amounts), secure PEPPOL transmission, tax compliance | EU | ✅ GDPR compliant

Data Protection Guarantees

For all processors, we ensure:

  • Data Processing Agreements (DPAs): All processors sign formal data processing agreements in accordance with GDPR Article 28
  • Security Measures: Processors must implement appropriate technical and organizational measures
  • Confidentiality: Processor staff are bound by confidentiality obligations
  • Audits: We regularly review processor security and compliance practices
  • Breach Notification: Processors must notify us immediately of any data breach

No Unauthorized Third-Party Sharing

We never sell, rent, or share your personal data with third parties for marketing or commercial purposes. Your health data is shared only:

  • With trusted processors for service delivery
  • With your referring physician (with your explicit consent)
  • With your insurance company (at your request for reimbursement)
  • When required by law

Emergency Data Sharing

Emergency Situations: In rare medical emergencies where your health or life may be at immediate risk, we may disclose relevant health information to emergency services without prior consent. This is permitted under:

  • GDPR Article 9(2)(c) — Protection of Vital Interests
  • Belgian medical emergency protocols and professional duty of care obligations

10. International Data Transfers

Your personal data is processed and stored primarily within the European Economic Area (EEA), specifically in Belgium, Germany, and France.

Current Status of Data Transfers

All core clinical data and archives remain in the EU:

  • ✅ Professional nutrition software: Hosted on AWS Frankfurt, Germany (EU)
  • ✅ Body Composition Analysis System: Hosted on HDS servers, France (EU)
  • ✅ Google Cloud Platform (GCP): 2 remote servers, Belgium (EU)
  • ✅ Website Hosting: Combell, Belgium (EU)
  • ✅ Doctoranytime: Belgium (EU)
  • ✅ Accountable: European Union
  • ✅ Wero: Belgium/EU

Services with Potential Non-EU Transfers

Some administrative (non-clinical) services may involve limited data transfers outside the EU:

Google Services (Google Meet, Google Business Profile)

  • Primary Location: EU data centers
  • Potential Transfers: Google may transfer administrative (non-clinical) data to the United States for processing
  • Data Concerned: Meeting metadata only (no health data)
  • Safeguards:
    • Google adheres to the EU-U.S. Data Privacy Framework
    • EU Standard Contractual Clauses (SCCs) in place
    • Robust technical security measures

Analytics and Error-Tracking Services

  • Sentry: Hosted in Germany (EU) — No transfers outside EU
  • Vercel Analytics: May involve transfers to the United States for anonymous performance data. Vercel is GDPR compliant and adheres to the EU-U.S. Data Privacy Framework

Important: No patient health data is transferred outside the EU. Google services only process administrative metadata, while analytics tools process only anonymous, aggregated data.

Safeguards for Non-EU Transfers

When non-EU data transfers are necessary (only for non-clinical administrative data), we ensure that:

  • Data is anonymized or pseudonymized when possible
  • Processors adhere to the EU-U.S. Data Privacy Framework
  • Standard Contractual Clauses (SCCs) are in place
  • Additional security measures are implemented to protect data in transit and at rest

11. Policy on Artificial Intelligence (AI)

We maintain a clear and strict policy on the use of artificial intelligence:

Patient Data Protection

NO personally identifiable patient data, health history, food diaries, clinical notes, body composition measurements, or any sensitive health information is ever entered into, uploaded to, or processed by general-purpose AI tools (such as ChatGPT, Claude, Gemini, Perplexity, or similar systems).

Clinical Confidentiality

All patient-related information is kept strictly within our secure, dedicated, and EU-hosted patient management systems. These systems are not connected to general-purpose AI models.

Permitted AI Use

We may use AI tools only for non-clinical, anonymized business tasks such as creating general nutrition education content or researching nutritional science topics. Any such use excludes identifiable patient information entirely.

No Automated Decision-Making

We do not use automated decision-making or profiling as defined by GDPR Article 22. All clinical assessments, treatment decisions, and dietary recommendations are made by a qualified human dietitian (Pierre Abou-Zeid) based on professional judgment, clinical expertise, and individualized patient care.

12. Children's Privacy

Our healthcare services are provided to adults (18 years and older). We do not knowingly collect personal data from individuals under 18 years of age unless all of the following conditions are met:

  • Explicit, verifiable parental or legal guardian consent is obtained beforehand
  • A parent or legal guardian is present during all consultations
  • We maintain clear documentation of consent

If you believe we have collected data from a minor without proper consent, please contact us immediately at info@diaeta.be.

13. Data Protection Officer & Governance

We have assessed the requirement for appointing a Data Protection Officer (DPO) in accordance with GDPR Article 37. As a small healthcare practice processing health data on a limited scale (not large-scale systematic monitoring or core data processing activity), we have determined that a DPO appointment is not legally mandatory. However, we remain committed to maintaining high data protection standards and will reassess this determination if our processing scope changes.

14. Cookies & Website Technologies

Cookie Consent

When you visit diaeta.be, we use cookies to enhance your experience. We respect your privacy and only use cookies with your prior consent.

1. Strictly Necessary Cookies

Essential for website function (e.g., session cookies, security cookies). They do not require consent and will always be used as they are necessary for the technical operation of the website.

2. Functional Cookies

Remember your preferences (e.g., language selection, accessibility settings). These require your consent under the ePrivacy Directive. You can manage these preferences through our cookie banner.

3. Cookieless Analytics

We use privacy-preserving analytics tools (Vercel Analytics, Sentry) that operate without placing cookies on your device. These tools collect only aggregated and anonymized data. No consent is required as no cookies are used.

4. Marketing/Tracking Cookies

We do not use marketing or tracking cookies at this time.

Managing Your Cookie Preferences

When you first visit our website, a cookie consent banner will appear. You can change your cookie preferences at any time through the banner or by contacting us.

15. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our data practices, new technologies, legal requirements, or regulatory guidance. Any material changes will be posted on this page with an updated "Last Updated" date.

If changes significantly affect your rights or our data processing practices, we will notify you by email if you are a patient.

Annual Review Commitment: We conduct an annual review of this privacy policy to ensure continued compliance with evolving data protection standards and legal requirements.

16. Professional Confidentiality & Legal Compliance

As a registered healthcare professional in Belgium, I am bound by:

  • Professional Secrecy: Belgian law requires healthcare providers to maintain strict confidentiality of patient information except where legally obligated to disclose (e.g., court orders, public health emergencies)
  • GDPR Compliance: All data handling meets or exceeds GDPR requirements
  • Belgian Patient Rights Law (2002): Your rights to quality care, information, consent, and access to your medical file are protected under Belgian law
  • Patient Rights: Belgian patient rights legislation ensures your right to access, dignity, and confidentiality of health information

17. How to Contact Us & Lodge a Complaint

Data Protection Rights Requests

For any questions, concerns, or to exercise your data protection rights, please contact:

Pierre Abou-Zeid

Email: info@diaeta.be

Phone: +32 479 35 55 51

Address: Laudinnestraat 94A, 1602 Vlezenbeek, Belgium

Preferred Contact: Email (please include "Data Protection Request" in the subject line)

Response Timeline: We will acknowledge your request within 5 business days and provide a full response within 30 days. For complex requests or where clarification is needed, we may extend this timeline by up to 60 additional days.

Lodge a Complaint with the Data Protection Authority

If you believe we have not handled your personal data in accordance with GDPR or Belgian data protection law, you have the right to lodge a complaint with the Belgian Data Protection Authority:

Autorité de protection des données / Gegevensbeschermingsautoriteit

Website: autoriteprotectiondonnees.be

Address: Rue de la Presse 35, 1000 Brussels, Belgium

Phone: +32 (0)2 274 48 00

Email: contact@apda.be

18. Accountability & Documentation

We maintain comprehensive documentation of our data protection practices, including:

  • Record of Processing Activities (ROPA) documenting all data processing operations
  • Data Processing Agreements with all third-party processors
  • Records of data security assessments and incident response procedures
  • Consent records for website visitors
  • Regular compliance reviews and updates

This documentation is maintained for supervisory authority review if requested.

Data Protection Impact Assessment (DPIA)

While GDPR Article 35 requires a Data Protection Impact Assessment (DPIA) primarily for large-scale processing of special categories of data, we have assessed our processing activities. As a small healthcare practice providing individualized dietetic care (not large-scale systematic monitoring), a formal DPIA is not legally mandatory. However, we continuously evaluate the risks of our processing activities and have implemented appropriate safeguards including HDS-certified data hosting, encryption, access controls, and regular security reviews to ensure the highest level of data protection for our patients.

19. Multilingual Availability & Legal Precedence

This privacy policy is provided in English and is legally binding. Additional language versions are available in French, Dutch, German, and Arabic upon request to better serve our multilingual patient community.

Legal Precedence: In case of any discrepancy or conflict between language versions, the English version shall take legal precedence and be considered the authoritative version for interpretation and enforcement purposes.

All language versions are maintained with the same "Last Updated" date to ensure consistency across translations. To request a copy in your preferred language, please contact info@diaeta.be.

Summary of Recent Enhancements (2025-01-17)

This privacy policy has been updated with the following improvements:

Enhancement 1: Functional Cookies Clarification (Section 14)

  • Functional cookies now require consent under the ePrivacy Directive
  • Added examples: language selection, accessibility settings
  • Added reference to ePrivacy Directive for legal accuracy

Enhancement 2: Data Portability Formats (Section 8.3)

  • Specified machine-readable formats: CSV, JSON, or structured PDF/A with extractable text
  • Ensures full GDPR Article 20 compliance

Enhancement 3: Data Breach Notification Rights (Section 6)

  • GDPR Article 34 - Patient Notification Rights: Right to notification for high-risk breaches
  • GDPR Article 33 - Authority Notification: 72-hour notification requirement to Belgian DPA
  • Identity Verification Procedures: Explains how identity is verified for data subject requests

Enhancement 4: DPIA Consideration (Section 18)

  • Data Protection Impact Assessment explanation
  • Justifies why DPIA not legally mandatory for small healthcare practice
  • Lists safeguards implemented: HDS-certified hosting, encryption, access controls, regular security reviews

Your privacy and the confidentiality of your health information are fundamental to our practice.

END OF PRIVACY POLICY