Privacy statement campus visitors
Utrecht University (UU) is committed to look after the personal data of everyone who works, studies or visits one of our campuses. The privacy rules from the General Data Protection Regulation (GDPR) are crucially important to us, as this legislation is in line with our objective to provide education and research at the highest level, our ambitions for good employment practices and our guiding principle of sustainability.
In this privacy statement we inform you about the personal data we process, about the purposes for which we do this, about your privacy rights and about other matters that are important to you.
Parking
If you park at Campus Utrecht Science Park (USP), data about your transaction will be processed, including the date and time of entry, exit, and the location where you park. At the barriers we use automatic license plate recognition. You can enter your license plate number at the payment terminal, after which (of course after payment) the barrier opens automatically and you no longer have to enter your ticket. Payments are collected by an external financial services provider.
UU employees can park for free on the USP. In order to activate free parking at the USP, employees must share some data, like your campus card number, with IP-Parking (an external service provider contracted by the UU). More information on this topic can be found on Intranet (login required).
Printing
Within the UU buildings you can print in different ways: via a UU device, an online portal linked to your Solis account, and as a visitor to the university library with a guest Solis account. The printing service processes your print order linked to your Solis account; you can choose which printer you print your order with.
If you are not an employee of the UU, there are costs associated with printing. You can increase your print credit as described on the print information page. You can also link certain cards (e.g. OV-chipkaart) to your guest Solis account. When you use this method, no information on the card is shared with the UU, it is only used as a tool to log in quickly.
C&F Security control room
If you are on a UU campus, you can call the C&F Security (Campus & Facilities Service Centre) control room 24/7 in the event of problems or emergencies. The control room will set out the correct action(s) in response, such as calling our UU emergency responders (BHV) or connecting you to an emergency service (such as the fire department, police, or an ambulance). For less urgent matters, the report is forwarded to the relevant team to solve the problem.
The control room has a view of all surveillance cameras on campus.
All reports are registered in our Service Management System, TOPdesk.
CCTV
CCTV takes place in and around the buildings and grounds and of the UU. Cameras are used to protect our belongings, people and buildings. If something gets stolen or broken, or somebody is harassed while on our campus, images can be shared with the police.
Detailed information about camera surveillance at the UU can be found in the specific privacy statement.
Parking
If you park at the Campus Utrecht Science Park, we process your license plate number, the date and time of entry and exit, and your parking location (transaction data). If you pay at the payment terminal, your payment details are processed by an external financial services provider. This data is not shared with the UU. Additional data will be processed for employees who have linked their campus card to a parking subscription. More information on this topic can be found on Intranet (login required).
Printing
For the use of printers, the Solis-id is processed for UU staff and students. Guests who want to use a printer can create a guest-Solis account. For this purpose, the UU processes your name, date of birth and e-mail address.
C&F Security control room
The C&F Security control room collects your name, telephone number and the description of the problem or emergency you are calling for. All telephone conversations with the control room are recorded. If you are an employee of the UU, the control room responder may also ask for your Solis-id and UU e-mail address. Depending on the problem or emergency you are calling for, the control room responder may ask for additional information. For example, the control room can ask for your location to send the emergency responders in the right direction.
CCTV
Your image is captured by our CCTV cameras.
If you do not belong to one of the target groups mentioned above, we will in principle only process your personal data:
- To respond to a question or request from you. We do this in your interest. Without your personal data we would not be able to answer your question or request.
- To be able to enter into or prepare an agreement with you. To conclude an agreement, it is necessary to process personal data, otherwise we do not know, for example, with whom we have entered into the agreement. A registration for an event is an example of such an agreement.
- Because you gave consent for that. There may be situations in which we ask you whether you consent to us processing your personal data. We always explain exactly what we are asking for permission for.
If we process your data based on your consent, you have the right to withdraw this consent. This is always possible, even after we have already collected your data. Withdrawing your consent is just as easy as granting it, and you do not have to say why you are withdrawing your consent. Please note the following: if you withdraw your consent, we do not have to undo what we have done with your personal data up to that point. Withdrawing your consent does not have retroactive effect.
The cameras at the barriers of the car parks are used for automatic license plate recognition; they do not store images. Transaction data related to parking is deleted after fourteen days.
TOPdesk notifications are archived after some time. The exact retention period depends on the type of report and the associated follow-up actions. For example, recorded telephone calls at the control room are automatically deleted after six months.
In principle, images from security cameras are stored for a maximum of seven days. If an incident such as a theft or accident has occurred on campus, it may be necessary to keep the images for a longer period of time, for example in order to analyse what exactly happened or to share the images with the police. If this is the case, images will be deleted after the incident has been dealt with.
Parking data such as entry and exit times and account information are stored in our Parking Management System, which is managed by IP-Parking. Employees of IP-Parking have access to this data when it is necessary to solve technical problems. The UU has a data processing agreement with this party; the servers of our Parking Management System are located in the Netherlands.
The control room stores notifications in our Service Management system TOPdesk. Employees of TOPdesk only have access to this data when necessary to solve technical problems. The UU has a data processing agreement with this party; the servers of TOPdesk are located in the Netherlands.
When there is a suspicion that a crime has occurred or if an accident has happened, camera footage, parking transaction data and/or information from the control room can be shared with the emergency services, such as the police, fire brigade, or ambulance.
Security footage is stored on UU servers located in the Netherlands. Within the UU, a small group of people has access to recorded footage and live images. They can view images if an incident or emergency has occurred or if they have to solve a technical problem with the system.
The GDPR gives you as a campus visitor a large number of rights with regard to your personal data. For example, you have the right to be informed in a timely, clear and complete manner about the processing of your data. This privacy statement is intended to do just that. In addition, you have the right to view your data and to have it corrected or deleted. In certain cases, you have the right to have the processing of your data temporarily frozen ('restricted'), the right to object to the processing and the right not to be subject to decisions resulting from fully automated processes (i.e. without human intervention) which may have serious consequences for you. And finally, in some cases you have the right to have a whole set of data that we have about you transferred to another organization. This is called the right to portability.
You have the right to know what personal data we process. At your request, we will provide you with an overview of all that data, or a specific part in which you are interested, free of charge. In doing so, we provide you with additional information, for example why we process that data, how long we keep it, and so on.
We must ensure that all your personal data stored on our systems is correct. If you notice (or if you think) that certain personal data is factually incorrect, you can request that we correct that data. And because our data must not only be correct, but also complete, you may supplement data if you think the information we have about you is incomplete. In certain cases, you can do so by offering us an additional statement of fact that we will add to your file.
There are situations in which you can ask us to delete certain data about you. You can do so, for example, if you feel that we no longer need this data or that we are processing it unlawfully, if you have withdrawn your consent or if you have objected to the processing. We will then check whether there are legitimate reasons to keep your personal data despite this. If there are no such reasons, we will delete your data.
In certain cases, we process your personal data because it is necessary to carry out a task carried out in the public interest or to pursue our legitimate interests (or those of another person or organisation). In such cases, we do not ask you your consent to the processing, but you can object to this based on your specific situation. If you object, we will suspend processing and balance your rights, freedoms and interests against our interests. We pay attention to your specific situation. If our interests outweigh yours, we will resume processing. If your rights, freedoms and interests outweigh ours in your specific case, we will permanently stop the processing. In either case, we'll let you know what we've decided.
Restricting the processing is nothing more than that you can temporarily 'freeze' the processing. If you request to restrict the processing of your personal data, we can’t do anything with your information other than storing it on our systems. You have the right to restrict the processing of your personal data if one of the following situations applies:
- You dispute the accuracy of the data, in which case we will interrupt the processing of your data until we have verified its accuracy.
- The processing is unlawful or the UU no longer needs your personal data for the purpose for which the data was collected and you do not want us to delete your personal data.
- You have, in accordance with your right to object, objected to the processing of your personal data and you are awaiting the outcome of your objection.
Do you have questions about the way in which your data is processed by the control room or in the context of printing or parking on the campus grounds? Do you want to know what data the UU has collected about you or do you want to view this data ordo you want to object to the processing? Then you can submit a request using the Privacy Request Form (uu.nl).
If you think our CCTV cameras have recorded you when you do not want to, you may object. You can also ask to see the footage that includes you. Such requests can be directed to privacy@uu.nl. It is important to indicate as precisely as possible where exactly you were, on what day and at what time, so that we can find your image as quickly as possible. Please note that all footage is automatically deleted after seven days, so we are unable to share footage with you that is more than one week old. If you have sent us a request within seven days, we will ensure that your images are not removed before you have seen them.
The UU makes sure that personal data is treated with confidentially. The UU takes appropriate technical and organisational measures to ensure that your personal data is properly protected.
Technical measures
In order to optimally protect your personal data against unauthorised access or use, the UU has appropriate security technology in use. We report (attempted) abuse.
Organisational measures
Within the organisation, the UU has taken a large number of measures to ensure that your data is not only technically secured, but that the chance of human error and misuse is also kept to a minimum. For example, access to the physical control room, where all camera images and reports come in, is limited to a small group of employees. Digital access to camera images and notifications is limited to only those employees who actually need the access.
If you have any questions about CCTV cameras in your area, please send them to privacy.cf@uu.nl.
Based on the above information, do you have any specific questions or comments about this privacy statement? Please feel free to contact us via privacy@uu.nl.
The UU has appointed a Data Protection Officer (DPO). This is an internal advisor and supervisor on the application of the GDPR. When you have questions about the processing of your personal data or when you want to file a complaint, you can contact our DPO via fg@uu.nl.
We would like to point out that you also have the right to file a complaint with the supervisory authority, the Dutch Data Protection Authority. You can find their contact details at autoriteitpersoonsgegevens.nl.
Contact details Utrecht University
Heidelberglaan 8
3584 CS Utrecht
Tel. (030) 253 35 50
Privacy statement - version
This privacy statement was last amended on 27 August 2024. From time to time, changes are made to this privacy statement. Please check our website to make sure you are consulting the most recent version.