Wkz in 2026: How Healthcare Organisations Can Process Health Data

The Wet kwaliteitsregistraties zorg (“Wkz”) has been in force since 1 January 2026. The Wkz amends the Wet kwaliteit, klachten en geschillen zorg (“Wkkgz”). A ‘kwaliteitsregistratie’ (quality registry) contains data about the health of a group of patients. By using a ‘kwaliteitsregistratie’, healthcare providers can improve the quality of care, for example by learning from each other through data comparison.

‘Kwaliteitsregistraties’ have been used since the 1990s. What is new is that the Wkz provides a specific legal basis for processing health data and other special categories of personal data for ‘kwaliteitsregistraties’. Previously, organisations often relied on consent or other indirect legal bases. Thanks to this new legal basis, informative ‘kwaliteitsregistraties’ can now be developed more easily. This blog explains how healthcare organisations can use this new legal basis and what the role of (privacy) lawyers is in this process.

A registry holder can submit an application to the National Health Care Institute, Zorginstituut Nederland (“Zorginstituut”), for inclusion of a ‘kwaliteitsregistratie’ in the new public register. If the Zorginstituut determines that the application meets the legal requirements, the ‘kwaliteitsregistratie’ will be included in the register. At that moment, a legal obligation arises under the Wkz to supply data to the Zorginstituut.

Submitting an application requires some preparation, including in the area of privacy. The ‘kwaliteitsregistratie’ is first assessed by the Content Governance Committee (“IGC”) and the Data Governance Committee (“DGC”). These committees advise the Zorginstituut on the quality of the application. The DGC review includes an assessment of compliance aspects. The assessment criteria and additional information can be found here: https://ssc-dg.nl/documenten/

The Wkz currently applies only to medical specialist care (with the exception of curative mental health care, which is nevertheless considered medical specialist care). The intention is that the Wkz will later also apply to other medical sectors. This legislative amendment is relevant, for example, for healthcare institutions, collaborative partnerships, and scientific associations. IT suppliers of a ‘kwaliteitsregistratie’ may also be affected by the Wkz due to their role as data processors.

In this blog, I highlight four key points of attention for (privacy) lawyers when preparing an application for inclusion in the public register of the Zorginstituut.

1. Conduct a DPIA

Carrying out a Data Protection Impact Assessment (“DPIA”) is mandatory for inclusion in the public register of the Zorginstituut. In practice, a DPIA will almost always be required under the General Data Protection Regulation (“GDPR”) as well, because ‘kwaliteitsregistraties’ typically involve large-scale processing of health data. For conducting a DPIA, organisations can use the DGC’s DPIA template or a comparable format. The DPIA assessment may not be older than one year.

Pay attention to purpose limitation in the DPIA as well. ‘Kwaliteitsregistraties’ are sometimes also used to monitor the quality of care, compare healthcare institutions with each other (benchmarking), improve guidelines and treatment protocols, and provide transparency to supervisors and patients. If a ‘kwaliteitsregistratie’ is used for one of these purposes, a separate legal basis may be required. It may also be necessary to implement additional safeguards, such as stricter requirements for pseudonymisation (see point 3).

2. Consider the Allocation of Roles

Determining the allocation of roles is important for several reasons:

  • The controller of the ‘kwaliteitsregistratie’ submits the application to the Zorginstituut.
  • A data processing agreement must be concluded between the controller and processor in order to submit the application to the Zorginstituut. The DGC has provided a template (with guidance) that can be used.
  • The controller is responsible for obligations such as conducting the DPIA, reporting data breaches, informing patients through a privacy notice and handling GDPR requests.

The organisation that determines the purposes and means of a ‘kwaliteitsregistratie’ qualifies as the controller of that registry.

Example: a hospital (the data provider) provides data from its electronic health record (EHR) system to a knowledge institute. The knowledge institute (the controller) uses these data for ‘kwaliteitsregistraties’. The knowledge institute may rely on the systems of an IT supplier (the processor). The controller of the source data (the provider) may therefore be different from the controller of the ‘kwaliteitsregistratie’ (for example, a knowledge institute).

According to the explanatory memorandum of the Wkz, it is generally expected that one party (the registry holder) acts as the controller. In practice, however, it must always be assessed which party actually determines the purposes and means of the processing.

3. Pseudonymise Personal Data

Although the Wkz provides a legal basis for processing health data, data minimisation remains essential. The extent to which pseudonymisation must be applied depends on the context. In general, the earlier the data are pseudonymised, the better. The Zorginstituut will assess how pseudonymisation has been implemented.

4. Update Internal Privacy Documentation

Due to this legislative amendment, the healthcare organisations involved must update their privacy documentation, such as the privacy notice, record of processing activities, and internal policy documents.

Under the new rules, healthcare organisations no longer need to obtain patient consent to process data for quality registries. This is because the law now provides that data may be processed as it is necessary for the performance of a public task. In addition, a legal obligation to process personal data arises, as healthcare organisations are required to share data with the Zorginstituut.

Patients will also be given an opt-out option, allowing them to object to the inclusion of their data in a quality registry. This option must also be reflected in the privacy documentation.

Furthermore, the DGC will assess whether the registry holder has established a record of processing activities and whether the correct legal basis has been linked to the relevant processing activity. The DGC has also provided a template for a record of processing activities. This requirement applies to the data controller involved as well as the relevant processor(s).
