Privacy statement employees
This privacy statement is specifically intended for employees of Utrecht University (UU), including PhD students.
Utrecht University is committed to looking after the personal data of everyone who works at our organisation. The privacy rules from the General Data Protection Regulation (GDPR) are crucially important to us, as this legislation is in line with our objective to provide education and research at the highest level, our ambitions for good employment practices and our guiding principle of sustainability.
In this privacy statement we inform you about the personal data we process, about the purposes for which we do this, about your privacy rights and about other matters that are important to you.
The personal data we collect from you will be processed by the UU for the following purposes:
- The performance of our legal duties and obligations as an employer.
- The implementation and evaluation of our human resources policy.
- Ensuring the accuracy of our financial and accounting data, and checking the integrity, accuracy and timeliness of financial transactions.
- Various processing operations that are necessary for performance of your work duties (such as emailing your colleagues).
The most important processes for which the UU processes personal data of the employees are:
- Maintaining the personnel administration
- Keeping track of payroll administration
- Checking and allocating allowances
- Keeping track of leave and absenteeism
- Conducting interviews and research
- Keeping track of work, working hours and study
- Handling objections and appeals
- Termination of employment
- Managing (early) retirement
- Facilitating reintegration
- Checking and fulfilling payment obligations to employees, such as the payment of salary, transition allowances, unemployment benefits, jubilee allowances and the reimbursement of claims
- Booking saved leave
- Registering and checking the work expenses scheme
- Storing and sharing personal data for the purposes of our internal controls with regard to our financial administration and the audit of the financial statements by the external auditor (currently Ernst & Young)
- Managing the quality of work and workflow management
In addition, we may use your personal data for numerous processes that play a role within an organisation such as the UU:
- Internal management (e.g. facilitating cooperation between colleagues and handling complaints and disputes)
- Health & safety (e.g. giving advice on safety and handling reports received by CERT)
- Housing (e.g. CCTV)
- Communication (e.g. sending newsletters)
- IT (e.g. providing access to and managing computer systems and networks)
- The university library (for example, keeping a borrower administration)
- Public engagement (e.g. lectures)
- Document management (e.g. registering mail and storing dissertations)
- Data protection (e.g. handling data breaches)
- Preventing unwanted transfer of knowledge and technology that has negative consequences for our national security and the Dutch innovative power (knowledge security).
- The management of eHerkenning
- Managing authorization roles for SAP
Your personal data will not be further processed for incompatible purposes without your consent.
The UU processes the following data about you as an employee:
- Name and address details (name, address, place of residence)
- Date of birth
- Marital status
- Telephone number(s)
- E-mail address
- Bank account number (IBAN)
- Burgerservicenummer (BSN) or V-number (identification number for foreign nationals)
- Personnel number
- Verklaring Omtrent Gedrag (VOG, certificate of conduct) (where applicable)
- Proof of identity (including name, BSN, document number and passport photo) / residence permit or visa
- Data relating to payroll administration, including in any case pay slips, annual statements, journal entries, pension documents and income tax returns
- Information on future and past training courses and traineeships
- Data about your position or former position at the UU
- Data relating to your performance assessment
- Data for the implementation of your Terms of Employment Options Model
- Data about family members or former family members, to the extent necessary in view of an agreed employment condition
- Your Solis-id
- Information about your campus card
- Data processed in your interest with a view to your working conditions
- Images (photos and videos)
- Ancillary positions
- Sick days
- Registration of leave, including special leave, maternity leave, and pre-maternity leave
The UU collects (personal) data directly from you, but in some cases the UU also receives personal data via third parties. This only happens as long as this is in accordance with the law or if you have given permission for this.
The UU may only process your personal data when we have a legal basis to do so. The UU processes your personal data on the basis of the following principles:
- The processing is necessary for the execution of an agreement that we have entered into or will enter into with you. Think in the first place of your employment agreement.
- The processing is necessary to comply with a legal obligation that rests on us. For example, providing your salary data to the tax authorities or the pension fund.
- The processing is necessary to protect your vital interests. Think of a life-threatening situation (e.g. a serious accident) in which you are unable to give permission for the processing of your data.
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- The processing is necessary for the representation of the legitimate interests of the UU or of a third party. Examples of this are the provision of your personal data to the external auditor for the audit of the annual accounts, the internal checks to ensure the correct processing of personnel provisions and the work expenses scheme, or sending newsletters within the UU.
- You have given permission for processing your personal data. For example, sharing your personal data with certain third parties.
Special category personal data
Special category personal data is more sensitive than ordinary personal data. Processing of special category personal data only takes place if the conditions mentioned in the law are met.
The UU stores your personal data in accordance with the GDPR. This means that the data will not be kept longer than is necessary to achieve the purposes for which the data was collected.
The personal data of employees will not be kept for longer than two years after the employee's employment or activities on behalf of the UU have ended, unless the processing of the relevant personal data is still necessary to comply with a statutory retention obligation.
Data relating to payroll administration are subject to a statutory retention obligation of seven years after the employee has left employment, or after the work on behalf of the UU has ceased. For data concerning income tax statements and for identity documents for the purpose of payroll tax, this statutory retention obligation is five years. After these respective periods, the relevant personal data is deleted.
The UU may instruct other organisations to arrange or organise certain elements of our activities on our behalf. If the relevant organisations process personal data in the context of that assignment, we call them data processors. The UU has so-called data processing agreements with these processors to ensure confidential and careful handling of personal data.
Your personal data will never be rented out or sold. The UU can share your (personal) data with third parties (other than data processors) if, for example, you have given permission for this yourself or if this is necessary to be able to execute an agreement between you and the UU. In certain cases, we are also legally obliged to provide your personal data to third parties. Think of government organizations such as the Belastingdienst, enforcement authorities such as the Data Protection Authority or fraud-fighting organizations such as the Public Prosecution Service.
The categories of third parties with whom the UU shares personal data are:
- Government agencies, such as tax authorities and the Immigration and Naturalisation Service (IND)
- Pension fund ABP
- Insurers in the context of offering collective insurance
- Law enforcement agencies
- Other universities
- External accountant
In some cases, the UU provides personal data to countries outside the European Union (EU). This happens when we engage a processor that is located outside the EU.
The GDPR gives you as an employee a large number of rights with regard to your personal data. For example, you have the right to be informed in a timely, clear and complete manner about the processing of your data. This privacy statement is intended to do just that. In addition, you have the right to view your data and to have it corrected or deleted. In certain cases, you have the right to have the processing of your data temporarily frozen ('restricted'), the right to object to the processing and the right not to be subject to decisions resulting from fully automated processes (i.e. without human intervention) which may have serious consequences for you. And finally, in some cases you have the right to have a whole set of data that we have about you transferred to another organization. This is called the right to portability.
If we process your data on the basis of your consent, you have the right to withdraw your consent. This is always possible, even after we have already collected your data. Withdrawing your consent is as easy as granting it, and you don't have to say why you are withdrawing your consent. Please note that if you withdraw your consent, we do not have to undo what we have done with your personal data up to that point. Withdrawing your consent does not work retroactively.
You have the right to know what personal data we process. At your request, we will provide you with an overview of all that data, or a specific part in which you are interested, free of charge. In doing so, we provide you with additional information, for example why we process that data, how long we keep it, and so on.
We must ensure that all your personal data stored on our systems is correct. If you notice (or if you think) that certain personal data is factually incorrect, you can request that we correct that data. And because our data must not only be correct, but also complete, you may supplement data if you think the information we have about you is incomplete. In certain cases, you can do so by offering us an additional statement of fact that we will add to your file.
There are situations in which you can ask us to delete certain data about you. You can do so, for example, if you feel that we no longer need this data or that we are processing it unlawfully, if you have withdrawn your consent or if you have objected to the processing. We will then check whether there are legitimate reasons to keep your personal data despite this. If there are no such reasons, we will delete your data.
In certain cases, we process your personal data because it is necessary to carry out a task carried out in the public interest or to pursue our legitimate interests (or those of another person or organisation). In such cases, we do not ask for your consent to the processing, but you can object to this based on your specific situation. If you object, we will suspend processing and balance your rights, freedoms and interests against our interests. We pay attention to your specific situation. If our interests outweigh yours, we will resume processing. If your rights, freedoms and interests outweigh ours in your specific case, we will permanently stop the processing. In either case, we'll let you know what we've decided.
Restricting the processing means nothing more than temporarily 'freezing' it. If you request to restrict the processing of your personal data, we can’t do anything with your information other than storing it on our systems. You have the right to restrict the processing of your personal data if one of the following situations applies:
- You dispute the accuracy of the data, in which case we will interrupt the processing of your data until we have verified its accuracy.
- The processing is unlawful or the UU no longer needs your personal data for the purpose for which the data was collected and you do not want us to delete your personal data.
- You have, in accordance with your right to object, objected to the processing of your personal data and you are awaiting the outcome of your objection.
You don't have to accept that decisions are made about you without the involvement of a human being, if those decisions do have substantial consequences for you.
The UU never makes automated decisions that have substantial consequences for our employees.
If we process your personal data on the basis of your consent or a contract concluded with you, you have the right to have this data returned to you in a common digital file format. You are free to pass that data on to another party.
You can request a lot of personal data, such as your personnel file and your salary data, yourself via the mijn.uu.nl portal. That portal is secured with two-factor authentication (2FA). To access it, you (usually) also need to have your phone at hand. If you see an error and cannot correct it yourself, please contact HR.
If you want to exercise one or more of the aforementioned rights and you cannot do so via mijn.uu.nl or HR, you can submit a request via this form. We will then have one month to respond to your request. For very complex requests (or if there are a lot of requests coming in at the same time), we sometimes need more time (up to two months extra). We will let you know within that first month.
When you exercise your rights, we first need to establish your identity. We do this in a way that suits the situation at hand and the right you want to exercise.
We would like to point out that the rights described above are not absolute rights. We assess each request individually. There may be circumstances that prevent us from responding to a particular request. If that's the case, we'll let you know why.
The UU makes sure that personal data is treated confidentially. The UU takes appropriate technical and organisational measures to ensure that your personal data is properly protected.
In order to optimally protect your personal data against unauthorised access or use, the UU has appropriate security technology in use. We report (attempted) abuse.
Within the organisation, the UU has taken a large number of measures to ensure that your data is not only technically secured, but that the chance of human error and misuse is also kept to a minimum.
Do you have any specific questions or comments about this privacy statement? Please feel free to contact us via email@example.com.
The UU has appointed a Data Protection Officer (DPO). This is an internal advisor and supervisor on the application of the GDPR. When you have questions about the processing of your personal data or when you want to file a complaint, you can contact our DPO via firstname.lastname@example.org.
We would like to point out that you also have the right to file a complaint with the supervisory authority, the Dutch Data Protection Authority.
Contact details Utrecht University
3584 CS Utrecht
Tel. (030) 253 35 50
Privacy statement: version and policy document
This privacy statement was last amended on 16 August 2023. From time to time, changes are made to this privacy statement. Please check our website to make sure you are consulting the most recent version.