The Skin Club
Privacy Policy
How The Skin Club handles your personal data — in accordance with the GDPR
Your privacy matters to us. In this privacy policy, we clearly explain which personal data we process, why we do so, how long we retain it, and what rights you have. We handle your data with care and exclusively in accordance with the General Data Protection Regulation (GDPR) and applicable healthcare legislation.
1. Who is responsible?
The data controller is The Skin Club, established in De Lier and Rotterdam, registered with the Chamber of Commerce under number 85236535.
- Locations: Hoofdstraat 113, 2678 CH De Lier and Westzeedijk 507, 3024 EL Rotterdam
- E-mail: info@theskinclub.nu — Telephone: +31 6 11 27 00 08
Questions about your privacy? Send an e-mail to info@theskinclub.nu.
2. What data do we process?
Identity and contact details
- Name, gender, date of birth, address, e-mail address, and telephone number.
- BSN (citizen service number) — only insofar as permitted by law in the context of healthcare.
Health data (special categories of personal data)
- Medical history, medication use, allergies, and intake data.
- Treatment data, photographs of the treatment area, informed consent, and aftercare.
Financial and website data
- Payment and invoice details.
- Technical data when using the website, such as your language preference and theme preference (see Cookies).
3. For what purposes and on what legal basis?
We only process your data for clear purposes, each with a lawful basis under the GDPR:
- Performing the treatment agreement and delivering quality care — performance of a contract and legal obligation (WGBO).
- Maintaining the medical record — legal obligation (WGBO, Art. 7:454 of the Dutch Civil Code).
- Taking and retaining treatment photographs — explicit consent.
- Scheduling appointments and communicating with you — performance of a contract.
- Invoicing and administration — legal obligation (statutory retention obligation for tax purposes).
- Newsletter or marketing, where applicable — consent.
- Improving and securing the website — legitimate interest.
4. Our EHR system: Clinicminds
For maintaining your medical record, we use the electronic health record (EHR) system Clinicminds. Clinicminds processes your data solely on our behalf and in accordance with our instructions.
- We have entered into a data processing agreement with Clinicminds, as required by the GDPR.
- Data is stored within the European Economic Area (EEA) and secured with appropriate technical and organisational measures, including encryption and access controls.
- Only authorised staff bound by a duty of confidentiality have access to your record.
5. Who else receives your data?
We only share your data when necessary or legally required. For example:
- Other healthcare providers involved in your treatment, or your GP — only with your consent.
- Processors that support us, such as the EHR system, the IT provider, the payment platform, and our accountant, each under a data processing agreement.
- Authorities to whom we are legally required to provide data, such as the Tax Authority or supervisory bodies.
We never sell your data to third parties.
6. Transfers outside the EEA
In principle, your data is processed within the EEA. Should a processor handle data outside the EEA, we ensure appropriate safeguards are in place, such as the standard contractual clauses of the European Commission.
7. How long do we retain your data?
- Medical record — 20 years after the last treatment, or longer where required by good professional practice (WGBO).
- Treatment photographs — as part of the medical record, 20 years.
- Financial records — 7 years (statutory retention obligation for tax purposes).
- Contact and marketing data — until you withdraw your consent or the data is no longer needed.
8. Security
We take the protection of your data seriously and implement appropriate technical and organisational measures, including encryption, secure access, authorisation management, and a duty of confidentiality for all our staff. Do you suspect misuse or a data breach? Please contact us immediately.
9. Cookies
Our website only uses functional cookies and similar technologies that are necessary for the site to function properly. For example, we remember your language preference and your theme preference, and we use Cloudflare Turnstile to protect forms against spam. We do not place tracking or marketing cookies and do not follow you across websites. A cookie banner is therefore not required.
10. Your rights
Under the GDPR, you have the following rights:
- Access to the personal data we process about you.
- Rectification of inaccurate or incomplete data.
- Erasure of data, insofar as no statutory retention obligation applies.
- Restriction of processing and the right to object.
- Portability of your data (data portability).
- Withdrawal of previously given consent, without this affecting the lawfulness of prior processing.
Would you like to exercise a right? Send a request to info@theskinclub.nu. For verification of your identity, we may ask for additional information. We will respond within one month.
11. Complaint to the Data Protection Authority
Do you have a complaint about the way we handle your data? Please feel free to discuss it with us first. You also always have the right to lodge a complaint with the Dutch Data Protection Authority, the Dutch supervisory authority.
12. Amendments
We may update this privacy policy from time to time. The current version is always available on this page.
Established in June 2026. Next review in June 2028, or sooner in the event of changes to legislation or regulations.