This Privacy Policy describes how Rainbow Care & Coaching processes personal data in accordance with the GDPR.
Legal hierarchy: Statutory provisions of mandatory law take precedence over this policy. Contractual agreements do not limit or override the rights of data subjects under the GDPR.
1. WHO IS COVERED?
This policy applies to:
- Children receiving care and support services
- Parents or legal guardians of enrolled children
- Employees, contractors, and partners of Rainbow Care & Coaching
2. PURPOSES OF DATA PROCESSING
Rainbow Care & Coaching processes personal and sensitive data for the following purposes:
- Delivery of therapeutic, behavioural, and developmental services
- Compliance with Dutch and EU law (UAVG, GDPR, WGBO, Wkkgz)
- Internal recordkeeping and billing
- Communication with parents or legal guardians
- Safeguarding vulnerable children via supervised care and video surveillance (see Section 13)
- Internal use of video footage for therapy review and staff coaching, solely on the basis of explicit consent (see Section 13 and the Parent Consent Form)
3. LEGAL BASES FOR PROCESSING
Article 6 GDPR: Ordinary personal data
- Art. 6(1)(a) Consent: use of media, third-party collaboration, internal use of footage for staff training
- Art. 6(1)(b) Contractual necessity: providing agreed-upon care services
- Art. 6(1)(c) Legal obligation: reporting to authorities, regulatory compliance, reporting codes
- Art. 6(1)(f) Legitimate interest: safeguarding children, securing the care environment, video surveillance
Article 9 GDPR: Special category data (health and behavioural data)
- Art. 9(2)(h) processing necessary for healthcare by professionals bound to confidentiality (UAVG art. 30)
- Art. 9(2)(b) processing necessary for social protection, in conjunction with UAVG
- Art. 9(2)(a) explicit consent for optional processing such as use of footage for training
4. SPECIAL CATEGORIES OF DATA
Rainbow Care & Coaching may process medical or behavioural data where:
- Explicit consent has been obtained (Art. 9(2)(a))
- It is necessary for care delivery by professionals bound to confidentiality (Art. 9(2)(h) in conjunction with UAVG art. 30)
- It supports therapeutic decision-making in a safe, evidence-based manner
A Record of Processing Activities is maintained in accordance with Art. 30 GDPR and is available to the Autoriteit Persoonsgegevens upon request.
5. DATA RETENTION PERIODS
- General personal data: retained for the duration of the care relationship plus applicable statutory retention obligations.
- Medical records: retained for a minimum of 20 years after the end of treatment, or longer where necessary for good care provision (WGBO art. 7:454, amended 1 January 2020).
- Surveillance footage: retained for a maximum of 30 days unless preserved for an ongoing incident review, safeguarding investigation, or legal obligation. In that case, separate retention controls and access restrictions apply.
- Anonymised data: may be retained for research, planning, or statistical purposes.
- Incidents, complaints, and safeguarding matters: may be retained longer for legal obligations, quality monitoring, or dispute resolution.
6. DATA SHARING WITH THIRD PARTIES
We may share data with:
- Care professionals, therapists, and behaviour specialists
- Municipalities, educational institutions, or governmental bodies where required by law or contract
- IT providers under signed Data Processing Agreements
- The camera system installer (Hi Security Services BV), solely for technical maintenance under a signed Data Processing Agreement
All third parties are contractually bound by confidentiality and GDPR-compliant processing obligations.
International transfers: Rainbow Care & Coaching aims to keep all data processing within the EEA. Where IT systems or camera software route or process data outside the EEA, appropriate safeguards (Standard Contractual Clauses or adequacy decision) are implemented and documented. For queries about specific transfers: [email protected].
7. DATA SECURITY MEASURES
- AES-encrypted local data storage only (no cloud storage)
- Pseudonymisation of data where technically feasible (Art. 32(1)(a) GDPR)
- Role-based access control and secure login procedures
- Access logs maintained and reviewed regularly and following any security or safeguarding event
- Physical safeguards on all devices storing sensitive data
8. RIGHTS OF DATA SUBJECTS
As a parent, legal guardian, or data subject, you have the following rights:
- Access (Art. 15): you may request a copy of your personal data held in your client file. The right of access expressly does not apply to surveillance footage. Recordings contain the personal data of multiple individuals simultaneously, including other children, staff, and visitors. Providing footage to any individual data subject would violate the rights and privacy of all other persons captured in those recordings. By virtue of Art. 15(4) GDPR and the nature of this processing, access to surveillance footage is excluded regardless of the basis on which a request is made. Recordings are released solely on the basis of a court order or a formal request from a competent authority (see Section 13)
- Rectification (Art. 16): you may request correction of inaccurate data
- Erasure (Art. 17): you may request deletion of non-essential data, where no statutory retention obligation applies
- Restriction (Art. 18): you may restrict certain processing activities
- Data portability (Art. 20): you may receive your data in a structured, commonly used, and machine-readable format where applicable
- Objection (Art. 21): you may object to processing based on legitimate interest. We will assess your objection and may only continue processing on compelling legitimate grounds
- Withdrawal of consent (Art. 7(3)): you may withdraw any consent at any time without affecting the lawfulness of processing prior to withdrawal
- Complaint (Art. 77): you may lodge a complaint with the Dutch Data Protection Authority (www.autoriteitpersoonsgegevens.nl)
- Response timeframe (Art. 12(3)): we will respond to your request within one month of receipt. For complex or multiple requests, this period may be extended by up to two further months; you will be notified in advance.
Contact: [email protected]
Certain data may not be deleted where retention or processing is required by law, professional standards, safeguarding obligations, or dispute resolution.
9. BREACH RESPONSE
- The Autoriteit Persoonsgegevens is notified within 72 hours
- Affected individuals are notified where high risk is determined
- The incident is documented internally and breach logs retained
10. CHILDREN’S DATA PROTECTION
- Data about children under 16 is only processed with parent/guardian consent (UAVG art. 5)
- Additional safeguards apply to all children’s records: limited access, encryption, and restricted usage
- When a child reaches the age of 16, privacy rights transfer directly to the child; parental consent ceases to be valid at that point. Rainbow Care & Coaching will notify families in advance
11. CHANGES TO THIS POLICY
We reserve the right to update this policy to reflect operational, legal, or technical changes. Material changes are published and shared with enrolled families. The most current version is available at www.rainbowcentrum.nl or upon request.
12. CONTACT & DATA PROTECTION OFFICER
For questions, requests, or complaints:
Rainbow Care & Coaching
Duikerlaan 260, 2903 AC Capelle aan den IJssel
[email protected]
Data Protection Officer (DPO): Rainbow Care & Coaching is in the process of formally assessing the obligation to appoint a DPO under Art. 37(1)(c) GDPR, given the nature of special category data processing involving vulnerable children. Once a DPO is appointed, their contact details will be published here.
13. VIDEO SURVEILLANCE IN CARE SETTINGS
Rainbow Care & Coaching uses video surveillance in therapy rooms, group rooms, hallways, and child-accessible kitchen areas.
Purpose: safeguarding vulnerable children (many of whom are non-verbal), objective incident reconstruction, supporting the four-eyes principle, and promoting professional accountability.
Legal basis: legitimate interest (Art. 6(1)(f) GDPR) and, where footage contains health- or behaviour-related information about children with neurodevelopmental characteristics, additionally Art. 9(2)(h) GDPR in conjunction with UAVG art. 30. A DPIA has been conducted in accordance with Art. 35 GDPR.
Surveillance policy framework:
- No cameras in private areas (bathrooms, changing areas)
- Visible camera signage throughout the facility
- Recordings retained for a maximum of 30 days
- Access limited to the Director and, where necessary and documented, the Clinical & Operational Coordinator (Youth Care)
- All access is logged and periodically reviewed
- Footage is not used for employee performance evaluation
Access to footage: access by parents or legal representatives is not a standard right and is provided only where required by law (court order or formal request from competent authorities).
Therapy recordings via HiRasmus: therapists may make session recordings which, together with daily reports, are uploaded to the HiRasmus care portal. These recordings are used for quality monitoring, therapy review, and providing professional feedback to therapists. This constitutes a separate processing activity from the fixed video surveillance system. The legal basis is explicit consent (Art. 9(2)(a) GDPR), provided via the Parent Consent Form.
Consent may be withdrawn at any time. Where consent is withdrawn, no further video or photo recordings will be made or shared, and daily reports to parents will no longer include visual content. Care provision itself is not affected by withdrawal, but the visual component of reporting will cease.
Contact Info
- Duikerlaan 260, 2903 AC Capelle aan den IJssel
- [email protected]
- KvK-number: 86498355
