Privacy Policy


For this Directive, the following definitions shall apply:

Holder: SAMA Autism Center;
GDPR: General Data Protection Regulation;
Person: an individual, natural person;
Personal data: data that can be traced back to a person;
Client/applicant: the person;
Social network: all natural persons (including relatives) with whom the client is in contact;
Employee: employees employed by SAMA Autism Center;
Secretariat: the person who coordinates the care on behalf of SAMA Autism Center;
Customer registration: the consistent collection of personal data relating to different clients, which has been systematically created in order to ensure adequate consultation of those data;
File: all information recorded on paper or automated data carriers about the client and social network, stored in such a way that systematic accessibility is guaranteed and which as such, forms part of the client registration;
Registered: any person from the client system whose personal data is included in the client registration;
Reporting: recording (personal) data in a more coherent whole, intended as an evaluation of the referrer and family;
Referrer: a physician authorized to indicate the patient's benefit to be cared for, which is necessary for providing care. (Including the (Direct) practitioners, general practitioners, and hospitals.)
Processor: persons who process personal data on behalf of SAMA Autism Centre.

Duties of the holder

The Holder shall treat the information provided by the referrer by the GDPR. This means that the data for the benefit of individual clients will be treated confidentially and will not be shared with third parties without the consent of the client or his representative in case of incapacity.

The holder will ensure that his employees follow his confidentiality duty engaged in performing his duties.

By the Access to Client Information chapter of this Directive, the Holder must destroy all data, data, and agreements relating to the care provided that can be traced back to the person within the set period and legal frameworks upon termination of care.

Purpose and use of the registration

Enabling care for clients, their families, or social networks; Using the available data to improve the quality of care.

We are recording data necessary for responsible business operations and continuity of the holder and complying with legal obligations related to the funding conditions.

It records data of persons who request information about SAMA Autism Center and its activities via the website or by telephone to comply with the provision of information.

To send newsletters, record the names and e-mail addresses of data subjects.

For recording the data, explicit permission is requested from those involved unless the processing is necessary to comply with a (written agreement between the client and SAMA Autism Center).


The registration is carried out in the client's name, as it appears in the municipal personal records database. In addition, data of other persons belonging to the family or social network involved in the treatment as contact persons may also be recorded.

Inclusion of personal data

There is a manual and automated client registration that is not linked to other systems and includes the data provided by the client or his legal representative in the event of incapacity in this regard and referrer.

Only personal data that is necessary to provide good care will be processed. SAMA Autism Center has recorded in the GDPR data matrix which data this may be.

In addition to the client's data, (contact) details of relatives can be registered. These are also provided by the client and loved one.

There is a file kept by the referrer, practitioners, and employees, in which only those data that are important for the performance of the tasks of the holder and the purpose of the registration are stored.

The name, address, e-mail address, and telephone number of persons who request information from SAMA Autism Centre will only be recorded if these data are necessary to provide information.

Only the names, addresses, and e-mail addresses of people who receive newsletters are recorded.

Access to client registration

Direct access to customer registration is granted only to those who belong to the holder's organization and only to the extent necessary for the assigned task. Third parties may only have access if a statutory provision obliges the holder to authorize them.

Within the SAMA Autism Centre, client data processing is entrusted to the secretariat and care providers. They have insight into all recorded information and can adjust and change it.

Informal caregivers and other care providers only have access to those essential data for the care of the client in question.

Employees of SAMA Autism Center have a duty of confidentiality about this information.

During care, a digital file (EPD) is available with data that is relevant to care. The client's caregivers, the client himself, and their relatives can access this file. The client's permission for this will be requested. The data protection method is laid down within the organization and discussed with the client and relatives.

Processors on behalf of SAMA Autism Center

Processors are obliged to comply with the GDPR, whereby it is explicitly required that this processor makes every effort to protect personal data. This is regulated in a processing agreement. SAMA Autism Center does not use third parties to process client data.

Disclosure of data to third parties

When providing data concerning the client to third parties, the rule is that, without prejudice to the provisions of or based on the law, the holder, secretariat, or employee who is charged with the execution of the care does not provide information about the client in any form whatsoever to anyone other than the client, except with the consent of the client or his legal representative,  in case of incapacity at this point.

Once a year, anonymized data is provided to Zorgkaart Nederland. The aim of this is to map the quality of care.

Rights of clients/relatives (data subjects)

Data subjects are asked to permit data processing at the start of care.

The data subject has the right to inspect the data that is being collected at any time;

The data subject has the right to modify and delete data unless there is a legal obligation to retain the data.

For all questions about the processing of their data, the data subject can contact their managing practitioner.

Data subjects can submit a request for one or more rights in writing (by post or by e-mail), including access to the file.

Deletion, destruction, and retention periods of file data 

SAMA Autism Center adheres to the statutory retention periods.    

Invoices sent to clients have a legal retention period of 7 years.

Three years after termination of care, all data traced back to the person will be destroyed unless there are ongoing financial matters or the context of a complaint settlement. If that is the case, the closing date of this matter will be the end date.

After termination of care, personal data will only be provided within the Holder's organization, insofar as necessary for the performance of their task and to the persons designated by the Holder in charge of handling a complaint.

After the calendar year's end, data no longer used is archived.

The client's care file is subject to the institution's privacy regulations.

Research & Statistics

For statistical or geographical research, anonymized personal data of registered persons may be provided to third parties upon request.

Only the holder is competent to decide on this.

Outline management

The owner has protected the data against improper use, unauthorized access, theft, or other calamities.
Technical measures that have been taken:

Security of the office infrastructure using security software

Encryption when transporting/transmitting personal data

Organisational measures:

Restriction of access to the data. Healthcare providers only have access to the information that is relevant to them. This is laid down within the organization in procedures.

Access to applications is only done through a username and password.

Paper files are under lock and key; the organization describes their security.


Registrants may submit complaints to the holder about the implementation of this directive. The rules of the internal complaints procedure apply to the treatment. Using the complaints procedure allows registered persons to submit a complaint to the Dutch Data Protection Authority regarding privacy violations.

Final Provisions

  1. This Directive shall enter into force on 1 April 2024

  2. SAMA Autism Center reserves the right to change this privacy policy anytime. The Directive shall be amended or supplemented only by the rules laid down by the legislator. 

Adopted in Amstelveen, 26 February 2024

Questions or comments: Do you have questions about your privacy or the processing of your data? Then you can contact us via