Privacy statement alumni
Utrecht University (UU) is committed to look after the personal data of everyone who has studied with us. The privacy rules from the General Data Protection Regulation (GDPR) are crucially important to us, as this legislation is in line with our objective to provide education and research at the highest level, our ambitions for good employment practices and our guiding principle of sustainability.
In this privacy statement, we will inform you of the personal data we process, the purposes for which we do this, your privacy rights and other matters that are important to you.
The personal data we collect from you is processed by the UU for the following purposes:
- Validating, correcting and deleting alumni registration
- Encouraging the development of an alumni community
- Keeping a CRM (Client Relation Management) administration of alumni
- Keeping track of alumni participation in events
- Supporting alumni associations
- Sending newsletters to alumni
Your personal data will not be processed without your consent for a purpose that is not compatible with the above.
The UU processes the following data from you as an alumnus. Not all of this information may apply to you:
- Name
- Titles
- Date of birth
- Gender
- Language
- Address(es)
- Email address(es)
- Telephone number
- Student number
- Communication preference
In addition, there are data that are only processed from a limited group of alumni:
- Job function
- Study
- Graduation date
- Degree obtained
- Personal relationship(s) with other alumni or organizations
- Foundations or trusts in which the alumnus is or has been involved
This data is collected to create a profile of the relationship in order to determine whether someone could or would like to contribute to the goals of the UU.
The UU receives most data automatically via our student registration system Osiris or our PhD registration system MyPhD. We collect a number of data, such as your preferred language or communication preferences, directly from you. Finally, data from a limited group of alumni is collected by our relationship managers via public sources such as LinkedIn or newspapers.
The UU can only process your personal data if we have a good reason to do so. Such a reason must be indicated in the GDPR. This is called a legal basis. The UU processes your personal data in accordance with the legal basis of the legitimate interest of the UU or of a third party. This legitimate interest includes maintaining an alumni registration system and stimulating the connection of alumni with the UU.
The UU stores your personal data in accordance with the rules in the GDPR. This means that we do not store the data longer than is strictly necessary to achieve the purposes for which the data was collected.
The data in the alumni registration system will be kept for up to two years after your death. This retention period was chosen because once you’ve studied at the UU, you stay an alumnus for a lifetime. Moreover, many alumni choose to include the UU in their will. By keeping data for a while after your death, the UU has sufficient time to connect these donations to the appropriate alumnus and – where appropriate – express our condolences to the bereaved families.
The UU may instruct other organisations to arrange or organise certain elements of our activities on our behalf. If the relevant organisations process personal data in the context of that assignment, we call them data processors. The UU has so-called data processing agreements with these processors to ensure confidential and careful handling of personal data. The supplier of our alumni registration system is an example of such a processor.
Your personal data will never be rented out or sold. The UU can share your (personal) data with third parties (outside data processors) if, for example, you have given permission for this yourself or if this is necessary to be able to execute an agreement between you and the UU. In certain cases, we are also legally obliged to provide your personal data to third parties. An example is the Dutch tax authority in the case of donations.
Organizations involved in the processing of your personal data may also be located outside the European Economic Area (EEA). Transfers may only take place to third countries with an adequate level of protection, such as an adequacy decision by the European Commission, appropriate safeguards or specific exceptions. If you would like to know more about this, please contact privacy@uu.nl.
The GDPR gives you as an alumni a large number of rights with regard to your personal data. For example, you have the right to be informed in a timely, clear and complete manner about the processing of your data. This privacy statement is intended to do just that. In addition, you have the right to view your data and to have it corrected or deleted. In certain cases, you have the right to have the processing of your data temporarily frozen ('restricted'), the right to object to the processing and the right not to be subject to decisions resulting from fully automated processes (i.e. without human intervention) which may have serious consequences for you. And finally, in some cases you have the right to have a whole set of data that we have about you transferred to another organization. This is called the right to portability.
You have the right to know what personal data we process. At your request, we will provide you with an overview of all that data, or a specific part in which you are interested, free of charge. In doing so, we provide you with additional information, for example why we process that data, how long we keep it, and so on.
We must ensure that all your personal data stored on our systems is correct. If you notice (or if you think) that certain personal data is factually incorrect, you can request that we correct that data. And because our data must not only be correct, but also complete, you may supplement data if you think the information we have about you is incomplete. In certain cases, you can do so by offering us an additional statement of fact that we will add to your file.
There are situations in which you can ask us to delete certain data about you. You can do so, for example, if you feel that we no longer need this data or that we are processing it unlawfully, if you have withdrawn your consent or if you have objected to the processing. We will then check whether there are legitimate reasons to keep your personal data despite this. If there are no such reasons, we will delete your data.
In certain cases, we process your personal data because it is necessary to carry out a task carried out in the public interest or to pursue our legitimate interests (or those of another person or organisation). In such cases, we do not ask you your consent to the processing, but you can object to this based on your specific situation. If you object, we will suspend processing and balance your rights, freedoms and interests against our interests. We pay attention to your specific situation. If our interests outweigh yours, we will resume processing. If your rights, freedoms and interests outweigh ours in your specific case, we will permanently stop the processing. In either case, we'll let you know what we've decided.
Restricting the processing is nothing more than that you can temporarily 'freeze' the processing. If you request to restrict the processing of your personal data, we can’t do anything with your information other than storing it on our systems. You have the right to restrict the processing of your personal data if one of the following situations applies:
- You dispute the accuracy of the data, in which case we will interrupt the processing of your data until we have verified its accuracy.
- The processing is unlawful or the UU no longer needs your personal data for the purpose for which the data was collected and you do not want us to delete your personal data.
- You have, in accordance with your right to object, objected to the processing of your personal data and you are awaiting the outcome of your objection.
You don't have to accept that decisions are made about you without the involvement of a human being, if those decisions do have substantial consequences for you.
The UU never makes automated decisions that have substantial consequences for our students.
The UU makes sure that personal data is treated with confidentially. The UU takes appropriate technical and organisational measures to ensure that your personal data is properly protected.
Technical measures
In order to optimally protect your personal data against unauthorised access or use, the UU has appropriate security technology in use. We report (attempted) abuse.
Organisational measures
Within the organisation, the UU has taken a large number of measures to ensure that your data is not only technically secured, but that the chance of human error and misuse is also kept to a minimum.
Based on the above information, do you have any specific questions or comments about this privacy statement? Please feel free to contact us via privacy@uu.nl.
The UU has appointed a Data Protection Officer (DPO). This is an internal advisor and supervisor on the application of the GDPR. When you have questions about the processing of your personal data or when you want to file a complaint, you can contact our DPO via fg@uu.nl.
We would like to point out that you also have the right to file a complaint with the supervisory authority, the Dutch Data Protection Authority.
Contact details Utrecht University
Heidelberglaan 8
3584 CS Utrecht
Tel. +31(0) 30 253 35 50
Privacy statement - version
This privacy statement was last amended on 27 August 2024. From time to time, changes are made to this privacy statement. Please check our website to make sure you are consulting the most recent version.