Privacy

Introduction

What does this privacy statement apply to?

This privacy statement applies to the personal data that the CCMO processes as part of its legal tasks. These include carrying out the Medical Research Involving Human Subjects Act (WMO) and the Embryos Act, supervising recognised Medical Ethics Review Committees (METCs), and carrying out its public, administrative, and international duties.

Who is responsible for processing your personal data?

The CCMO is an independent administrative body that falls under the responsibility of the Ministry of Health, Welfare and Sport (VWS). For the performance of its legal tasks, the CCMO acts as the data controller under the General Data Protection Regulation (GDPR).

How can you contact us?

For general questions about privacy, you can contact us at: ccmo@ccmo.nl.

For specific questions or to file a complaint, you can contact the Data Protection Officer (DPO) of VWS in two ways:

• Digitally:

Email: FG-VWS@minvws.nl.

• By post:

Ministry of Health, Welfare and Sport
Directorate of Administrative and Political Affairs
Postbus 20350
2500 EJ The Hague
The Netherlands

Processing of personal data

What personal data do we process and why?

The CCMO processes different types of personal data, depending on the purpose of the processing.

a. Data of researchers, institutions and committee members

• Name, job title, organisation and contact details;
• Login and account details for the Research Portal;
• Correspondence and submitted documents;
• Information about expertise or professional qualifications (if relevant).

b. Data of research participants

• Personal data (pseudonymised) that are part of research files, such as research protocols and attachments. These data may include (pseudonymised) special categories of personal data, such as health data. The CCMO does not have access to directly identifying data of participants. It only has access to research files at document level as part of its review and supervision tasks.
• The CCMO receives these data indirectly through researchers or medical ethics review committees..

c. Data of citizens or organisations who contact us

• Name and contact details;
• The content of correspondence (for example questions, requests or complaints).

How do we obtain your personal data?

The CCMO obtains personal data in different ways:

1. Directly from you, for example when you contact us by email, telephone or through the contact form, or when you provide information as a researcher or committee member.

2. Indirectly through third parties, for example:

• through researchers or institutions who submit a research file;
• through recognised Medical Ethics Review Committees (METCs) as part of supervision;
• through government bodies or inspection authorities that provide data based on a legal obligation;
• through international partners (such as the EMA) within the framework of European regulations.

Purposes and legal bases for processing

The CCMO processes personal data only to carry out its legal tasks and its public services.

Purpose of processing	Legal basis (GDPR)	Legal framework
Review and approval of medical research involving human subjects	Article 6(1)(e) GDPR – task carried out in the public interest	Medical Research Involving Human Subjects Act (WMO)
Supervision and registration of research and Medical Ethics Review Committees (METCs)	Article 6(1)(e) GDPR – task carried out in the public interest	Medical Research Involving Human Subjects Act (WMO)
Processing special categories of personal data in research files	Article 9(2)(g) GDPR – substantial public interest	Section 41 of the Dutch GDPR Implementation Act
Management of digital systems (such as the Research Portal) and communication with stakeholders	Article 6(1)(e) GDPR	GDPR, WMO
Handling questions, complaints and correspondence	Article 6(1)(e) GDPR	General Administrative Law Act
Publication of decisions or advice	Article 6(1)(e) GDPR	WMO and Government Information (Public Access) Act
Cooperation with European or international bodies (such as the EMA or the European Commission)	Article 6(1)(e) GDPR	EU legal obligations

The CCMO does not rely on consent as a legal basis for processing, except in exceptional situations (such as voluntary communication or newsletters).

With whom do we share your personal data?

The CCMO shares personal data only when this is necessary to carry out its tasks or when we are legally required to do so.

Possible recipients are:

• Recognised Medical Ethics Review Committees (METCs).
• The Health and Youth Care Inspectorate (IGJ).
• The Ministry of Health, Welfare and Sport (VWS).
• European bodies such as the European Medicines Agency (EMA) or the European Commission.

International data transfers

In principle, the CCMO does not process personal data in countries outside the European Economic Area (EEA). If this is necessary, it will only take place when there is an appropriate transfer mechanism in place and when we have confirmed that the transfer complies with the GDPR.

This may be the case, for example:

• if the European Commission has adopted an adequacy decision (Article 45 GDPR);
• or if standard contractual clauses are used (Article 46 GDPR).

An up-to-date list of countries with an adequacy decision can be found on the website of the European Commission.

Who within the CCMO has access to your personal data?

Within the CCMO, only authorised employees have access to personal data. Access is based on the need-to-know principle, in line with Article 32 GDPR and the Government Information Security Baseline (BIO). All employees with access to personal data have signed a confidentiality agreement.

How long do we keep your personal data?

The CCMO does not keep personal data longer than necessary for the purpose for which it was collected, or longer if this is required by law.

Examples:

• Research files: 15 years after the end of the research (in line with the WMO).
• Correspondence and questions: 2 years after completion.
• Administrative data: in accordance with the Public Records Act.

Some data may be transferred to the National Archives after a certain period instead of being deleted.

More information about retention periods and archiving can be found in the VWS-wide records retention schedule.

How do we protect your personal data?

The CCMO takes appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or unlawful processing.

We do this in line with legal requirements and guidelines, such as the Government Information Security Baseline (BIO).

The CCMO regularly reviews its security measures and reports data breaches in accordance with Articles 33 and 34 of the GDPR. If a data breach is likely to result in a high risk to your rights and freedoms, we will inform you personally.

If you have questions about security, please contact the Chief Information Security Officer (CISO) at: ciso-kern@minvws.nl.

Privacy rights

What are your rights?

Under the GDPR, you have the following rights:

• Right of access: you may ask which personal data we process about you.
• Right to rectification: you can ask us to correct incorrect data.
• Right to erasure: in some cases, you can ask us to delete your data.
• Right to restriction: you can ask us to temporarily stop using your data.
• Right to data portability: only for data you have provided yourself based on consent or a contract.
• Right to object: you can object to processing based on a public task.
• Right to human review of decisions: the CCMO does not make fully automated decisions with legal effects.
• Right to withdraw consent: only in situations where consent is used (such as voluntary communication).
• Right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

In some cases, your rights may be limited or may not apply. For example:

• when the CCMO processes only anonymised data and cannot identify you (in that case, the GDPR does not apply);
• when providing information would reveal confidential data of third parties or harm the rights and freedoms of others;
• or when exercising a right would seriously harm our legal tasks in the area of supervision or scientific research.

These exceptions are laid down in Article 23 of the GDPR and Section 41 of the Dutch GDPR Implementation Act.

How can you exercise your rights?

You can submit your request in two ways:

• Digitally:

Email: dienstpostbusavg@minvws.nl

• By post (signed):

Ministry of Health, Welfare and Sport
Directorate of Organisation, Operations and Personnel
Privacy Office Core Department, CIO Core and Information Management Division
Postbus 20350
2500 EJ The Hague
The Netherlands

Identification

Please include proof of your identity. The CCMO will use this copy only to verify your identity and will delete it afterwards. A valid proof of identification is for example a passport of driver’s license. The CCMO will use this copy only to verify your identity and will delete it afterwards.
You can create a secure copy using the KopieID app from the Ministry of the Interior and Kingdom Relations.

If you request access to special categories of personal data, criminal data, or data relating to minors, you may be asked to identify yourself in person when collecting the information.

Changes

If there is a difference between the English and Dutch versions of this privacy statement, the Dutch version is leading. The CCMO may update this privacy statement if there are changes in legislation or in the way we carry out our tasks. In case of important changes, the CCMO will inform data subjects through its website or other appropriate channels.

This privacy statement was last updated on January 20, 2026.