Skip to content

Privacy statement

Introduction

Since September 2023, Cohesie B.V. has been part of the Colbe network (formerly Zorg van de Zaak). Colbe is a network of organisations specialising in occupational health and sustainable employability, and Cohesie is proud to contribute its expertise as part of this network.

If your employer has entered into an agreement with Cohesie, we may process your personal data as part of our occupational health services. This may happen, for example, when you report sick or when you are absent from work for a longer period.

We recognise the importance of protecting your privacy and handling your personal data with the utmost care. This Privacy Statement explains which personal data we collect, why we process it, how long we retain it and with whom we may share it. It also explains your rights under applicable data protection legislation and the measures we take to keep your information secure.

If you have any questions about this Privacy Statement or the way we process your personal data, please contact our Privacy Officer:

Michel van Beek
Telephone: +31 (0)88 988 0988

1. Who is who?

Throughout this Privacy Statement, the terms “you”, “your” and “employee” refer to you as an employee of an organisation that has entered into an agreement with Cohesie for occupational health services.

The terms “we”, “us”, “our” and “Cohesie” refer to Cohesie B.V., located at:

Baron van Nagellstraat 9
3781 AH Voorthuizen
The Netherlands

Registered with the Dutch Chamber of Commerce under registration number 32094064.

Cohesie acts as the Data Controller for all processing activities carried out in connection with its statutory occupational health responsibilities under Dutch law.

Your employer acts as a separate Data Controller for the processing of personal data relating to its own absence administration and employment obligations. Cohesie and your employer therefore act as independent Data Controllers and are not joint controllers within the meaning of the General Data Protection Regulation (GDPR).

Protecting your privacy is fundamental to the trust you place in us. We therefore process only those personal data that are necessary to provide our occupational health services and to fulfil our legal obligations.

We will never process your personal data for purposes other than those described in this Privacy Statement unless you have provided your explicit consent or we are legally required to do so.

To safeguard your information, we apply appropriate technical and organisational security measures. Cohesie is certified in accordance with ISO 27001 and NEN 7510, and we regularly audit our information security measures to ensure they continue to meet the highest standards.

2. What personal data do we process and why?

Cohesie may collect and process your personal data at various stages of our occupational health services. We only process your personal data where there is a lawful basis for doing so under the General Data Protection Regulation (GDPR).

In most cases, the legal basis is one of the following:

  • For non-medical personal data: processing is necessary for the performance of the agreement between Cohesie and your employer and/or to comply with our legal obligations.
  • For medical data: processing is necessary for the performance of the statutory duties of the Occupational Physician under the Dutch Working Conditions Act (Articles 9(2) and 30).

Below we explain when we process your personal data, which data we process and for what purpose.

a. When your employer enters into an agreement with Cohesie or when you join the organisation

For most of our clients, we receive a limited set of personal details for every employee. We are also informed when employees join or leave the organisation or when changes occur in the workforce.

This information is stored in our occupational health case management system and may include:

  • Full name
  • Residential address
  • Telephone number
  • Email address
  • Date of birth
  • Employment contract details
  • Job title
  • Department
  • Employer
  • Business unit

We process this information to verify that individuals contacting us are employed by one of our clients and to identify you correctly when you report sickness or contact our services. For identification purposes we may ask you to confirm additional information, such as your postcode or house number.

b. When you or your employer reports sickness

When either you or your employer reports sickness to Cohesie, we register the notification and the date on which it was received.

At this stage, we do not ask for medical information, such as your diagnosis or the nature of your illness. Instead, we ask questions that help us assess your expected availability for work and determine the most appropriate support for both you and your employer.

The information collected is used solely to advise your employer regarding your absence and reintegration process.

For example, we may ask whether you qualify for specific statutory provisions administered by the Dutch Employee Insurance Agency (UWV). If applicable, we may advise your employer that they could be eligible for reimbursement under the Dutch Sickness Benefits Act.

When you or your employer reports that you have recovered, we record the recovery date.

If your absence continues beyond the expected recovery period, we may contact you again. We will still not ask for medical information. If you voluntarily disclose medical details, we will not record or share this information with your employer.

Instead, we focus on your functional abilities, such as:

  • whether you are able to perform work;
  • how many hours you may be able to work;
  • under which conditions work may be possible (for example, working from home or using workplace adaptations).

This information enables us to provide appropriate advice to your employer while protecting your medical privacy.

Digital pre-assessment

From the third day following a sickness notification submitted by your employer, Cohesie may carry out a digital pre-assessment.

As part of this process, both you and your manager receive an email containing a single online question. We refer to this as the online assessment.

Using scientific research and data science, we combine the response to this assessment with a limited number of existing administrative data points to determine the most appropriate moment for one of our professionals to contact you.

The following information may be used:

  • your response to the online assessment;
  • the number of sickness notifications during the previous twelve months;
  • the number of sickness absence days during the previous twelve months;
  • your age;
  • your gender;
  • whether you work for a small or large organisation;
  • whether there have been consecutive sickness notifications within a period of 28 calendar days.

No automated decisions are made on the basis of this information. The assessment only supports our professionals in planning timely and appropriate support.

Why do we use the digital pre-assessment?

The purpose of the digital pre-assessment is to better align our services with the needs of both employees and employers.

Some employees prefer immediate guidance, while others do not require direct contact at the beginning of an absence period. The assessment enables us to deploy our professionals at the right moment and to provide advice and support that better reflects each individual situation.

Which personal data are processed during the digital pre-assessment?

The only new information processed is your response to the online assessment.

To ensure that the assessment is linked to the correct employee, the email invitation contains a limited number of administrative details that we already received from your employer:

  • your name;
  • your date of birth;
  • your Cohesie client reference;
  • the name of your employer.

Only the minimum amount of personal information required is included.

To further protect your privacy, the email invitation does not refer to sickness absence or illness. Instead, it simply states that your employer has submitted a notification.

c. When you receive support from one of our Absence Coaches

If your absence continues beyond a short period, you may receive guidance from one of Cohesie’s Absence Coaches.

The coach supports both you and your employer throughout the reintegration process.

Our Absence Coaches do not request medical information from you or from healthcare professionals. They also do not have access to the confidential medical records maintained by our Occupational Physicians.

They do, however, record meeting notes containing agreed actions, practical arrangements and recommendations. These records are used to monitor the reintegration process and to develop or update your return-to-work plan.

Most meetings are attended by both you and your employer.

d. When you consult one of our Occupational Physicians

If your absence lasts longer, you will also have regular consultations with one of Cohesie’s Occupational Physicians.

During these consultations, the physician records the information you provide. Where necessary, the physician may ask for medical information concerning your health, diagnosis, treatment or recovery. This information is stored in your confidential medical record.

Occupational Physicians are bound by professional medical confidentiality and may only process medical information where permitted by law as part of their statutory duties.

Your medical information will never be shared with your employer, your manager or an Absence Coach unless this is legally permitted or you have given explicit consent.

Only information that is necessary for your employer or the Absence Coach to fulfil their own legal responsibilities will be shared. Further information about this can be found in Section 5 – Who do we share your personal data with?

To safeguard the quality of our services, one of our Senior Occupational Physicians may occasionally review selected medical files as part of an internal quality assurance process. Not every file is reviewed; only a representative selection is used for quality monitoring.

3. How do we store your personal data?

We process the personal data described above in a secure occupational health case management system.

Access to this system is strictly controlled and limited to authorised personnel who require access to perform their duties. Different levels of access apply to different professional roles.

For example, confidential medical records are stored in a protected section of the system that is accessible exclusively to our Occupational Physicians and other healthcare professionals who are legally authorised to process medical information.

Your employer has access only to a restricted part of the system. They can view general information that is necessary for fulfilling their legal responsibilities, such as the advice we provide, reports of joint meetings as described in Section 2(c), and other non-medical information relevant to absence management.

Your employer never has access to your medical records.

4. How long do we retain your personal data?

We do not retain your personal data for longer than necessary to fulfil the purposes for which it was collected or to comply with our legal obligations.

Medical records are retained in accordance with Dutch legislation. In most cases, the statutory retention period is 20 years.

For certain occupational diseases or cases involving exposure to hazardous substances, longer statutory retention periods may apply. For example, records relating to employees who have been exposed to hazardous substances may be retained for 40 years after the date of exposure where required by law.

Non-medical personal data relating to absence management and reintegration are retained for a maximum of two years following completion of the absence guidance or return-to-work process, unless a longer retention period is required by law.

Once the applicable retention period has expired, your personal data will be securely deleted or destroyed.

5. Who do we share your personal data with?

We only share your personal data where this is necessary, legally permitted or required by law.

Whenever we share personal data, we ensure that only the minimum amount of information necessary for the specific purpose is disclosed.

a. Your employer

We only share with your employer the information they require to fulfil their legal responsibilities regarding your absence management and reintegration.

We never share medical information, such as your diagnosis, treatment or medical history. Our Occupational Physicians are legally bound by medical confidentiality and may not disclose such information to your employer.

The information we may share includes:

  • the work activities you are able or unable to perform;
  • the expected duration of your absence;
  • your level of work capacity, based on your functional abilities and limitations in relation to your job;
  • recommended workplace adjustments, accommodations or interventions that may support your successful return to work.

We may also share reports of meetings held with you and your employer. These reports are limited to practical agreements, recommendations and information relevant to your reintegration and do not contain medical information.

In some situations, we may organise a Social-Medical Consultation with your employer. The purpose of this meeting is to discuss the progress of your reintegration, coordinate next steps and advise your employer on workplace conditions that may facilitate your return to work.

Only information that may legally be shared with your employer is discussed during these meetings.

If we intend to discuss your individual situation during such a consultation, you will always be informed beforehand. You have the right to object. If you do so, your individual case will not be discussed.

In addition, we may provide your employer with anonymised statistical information, such as:

  • the total number of sickness notifications within the organisation;
  • average sickness absence duration;
  • general absence trends.

These reports cannot be traced back to individual employees and are intended to help employers improve their prevention and wellbeing policies.

b. The Dutch Employee Insurance Agency (UWV)

Under Dutch law, Cohesie is required to provide certain information to the Dutch Employee Insurance Agency (UWV) when requested.

Where legally required, this may include information relating to your health if this is necessary for the UWV to perform its statutory duties.

Only the information that is strictly necessary will be provided. No separate authorisation from you is required where disclosure is based on a legal obligation.

c. Independent Labour Experts

If you are absent from work for an extended period, one of our Occupational Physicians may engage an independent labour expert to assess your work capacity and reintegration possibilities.

In that case, we provide the labour expert with:

  • your contact details;
  • your employer’s contact details;
  • an overview of your functional limitations relevant to work.

Medical information is not shared.

The labour expert may contact both you and your employer to carry out their assessment.

d. Another Occupational Health Service Provider

If your employer transfers its occupational health services to another provider, the Occupational Physician of that provider may request your medical record.

This information will only be transferred after you have provided your explicit written consent.

e. Scientific research

From time to time, Cohesie participates in scientific or academic research projects.

Where personal data are used for research purposes, they are anonymised or pseudonymised wherever possible, ensuring that individual employees cannot be identified.

f. Other third parties

We do not disclose your personal data to third parties unless:

  • this is necessary for providing our services;
  • we are legally obliged to do so;
  • you have given your explicit consent.

Where personal data are shared with research institutions, partner organisations or service providers, we ensure that appropriate contractual safeguards are in place and that your privacy remains protected in accordance with applicable data protection legislation.

6. Where do we obtain your personal data?

In most cases, we receive the personal data we process directly from you or from your employer. Section 2 explains which personal data we collect and for what purposes.

In certain situations, one of our Occupational Physicians may require additional medical information from your General Practitioner, medical specialist or another healthcare provider.

Where this is necessary, we will always request your explicit consent before obtaining such information.

7. How do we protect your personal data?

Protecting your personal data is of the utmost importance to us.

We have implemented appropriate technical and organisational measures to safeguard your information against loss, misuse, unauthorised access, disclosure, alteration or destruction. These measures are based on the nature of the personal data we process, the risks involved, available technology and implementation costs.

Examples of the measures we have implemented include:

  • Encryption and secure communication
    All medical and personnel data are encrypted during storage and transmission using secure connections (TLS 1.3). Access to our systems is logged, monitored and protected through multi-factor authentication.
  • Role-based access control
    Personal data are processed within a secure occupational health case management system that is only accessible to authorised users. Access rights are assigned based on job responsibilities. Medical records are accessible exclusively to authorised Occupational Physicians and healthcare professionals.
  • Confidentiality obligations
    Every Cohesie employee with access to personal data must sign a confidentiality agreement. Any breach of confidentiality or failure to comply with our privacy policies may result in disciplinary action.
  • Independent audits
    As part of our ISO certifications, independent external audits are carried out annually to verify compliance with applicable legislation, information security standards and our quality management system. Compliance with our privacy policies forms an integral part of these audits.

8. Your rights

Under the General Data Protection Regulation (GDPR), you have a number of rights regarding the personal data we process about you.

Right of access

You have the right to know whether we process your personal data and, if so, to receive access to that information.

Requests for access should be submitted in writing. We will respond within one month of receiving your request. Before processing your request, we may ask you to verify your identity.

Where applicable, one of our Occupational Physicians will provide you with an overview of the personal data contained in your medical file.

Please note: Medical records are subject to specific legal requirements. Requests to access, correct or delete medical information are always handled by the Occupational Physician and only where permitted under applicable legislation and professional medical confidentiality.

Right to rectification

You may request that inaccurate or incomplete personal data be corrected or supplemented.

Right to erasure

You may request the deletion of your personal data where legally permitted.

For example, we may delete personal data if:

  • the data are inaccurate;
  • the data are no longer required for the purposes for which they were collected;
  • the data have been processed unlawfully;
  • the applicable statutory retention period has expired.

Please note that legal retention obligations may prevent us from deleting certain information immediately.

Right to object

You have the right to object to the processing of your personal data in certain circumstances.

Right to restriction of processing

You may request that we temporarily restrict the processing of your personal data under the conditions laid down in the GDPR.

Right to data portability

Where processing is based on your consent or on a contract, you may request to receive your personal data in a structured, commonly used and machine-readable format so that it can be transferred to another organisation.

Right to receive an electronic copy

You may request a free electronic copy of the personal data we process about you, provided that doing so does not conflict with our legal obligations.

How to exercise your rights

Requests concerning your privacy rights should be submitted in writing together with a copy of a valid proof of identity.

We will respond within one month. If we are unable to comply with your request, we will explain the reasons. If your request is granted, we will implement the requested changes as soon as reasonably possible.

Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before consent was withdrawn.

9. Complaints

If you have any questions or concerns regarding the way we process your personal data, we encourage you to contact us first so that we can work together to resolve the issue.

You can contact our Privacy Officer:

Michel van Beek
Telephone: +31 (0)88 988 0988

If you remain dissatisfied, you also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

More information can be found at:

https://www.autoriteitpersoonsgegevens.nl

We kindly ask that you first give us the opportunity to address your concerns before submitting a complaint to the supervisory authority.

10. Further information

Cohesie has an internal Privacy Policy that all employees are required to follow.

This policy describes in detail how we safeguard your privacy, the security measures we have implemented and the legal framework governing our processing activities.

You may request a copy of this policy free of charge by contacting us at:

administratie@cohesie.nl

11. Changes to this Privacy Statement

We may update this Privacy Statement from time to time.

We therefore recommend that you review this page regularly to stay informed of any changes. Whenever this Privacy Statement is amended, the updated version will be published on our website.

Version 3.0
Last updated: 7 August 2025

For information about the use of cookies on our website, please also refer to our Cookie Statement.