Privacy statement participants scientific research
This privacy statement is specifically intended for people whose personal data is processed in the context of scientific research carried out by Utrecht University (UU for short).
Utrecht University is committed to looking after the personal data of everyone who participates in scientific research. The privacy rules from the General Data Protection Regulation (GDPR) are crucially important to us, as this legislation is in line with our objective to provide education and research at the highest level, our ambitions for good employment practices and our guiding principle of sustainability.
In this privacy statement we inform you about the personal data we process, about the purposes for which we do this, about your privacy rights and about other matters that are important to you.
If your personal data is processed within a research project, you have probably already received information about that project. In this privacy statement you will find more extensive (background) information about certain aspects of the processing.
In the vast majority of cases that are likely to be of interest to you, the UU is the data controller. This is the official term that is used in the GDPR, and it means that the UU determines the purpose of processing your personal data (for example: answering a specific research question) and what means are used to achieve that goal (for example: interviews, questionnaires or observations). Because the UU is the data controller, we have certain obligations. One of those obligations is to provide transparency towards the people whose personal data we process. Among other things, we must inform you about the purpose for which we process your personal data and the way in which we do this. You can read more about that below.
The UU processes your personal data primarily to be able to answer certain research questions or to achieve certain research objectives. You can read which questions or objectives these are in the information letter, the introductory information or the privacy statement that accompanies the research you are partaking in.
In addition, it is possible that the UU processes your contact details in order to be able to contact you.
In addition, the UU may retain your name and signature in order to be able to prove that you have given permission to participate in a certain research project, or you have given your consent to processing your personal data (or that of your child) in the context of such a project.
The UU carries out a huge number of scientific research projects. All these projects differ from each other. If you want to know what personal data is processed in the context of a certain project, it is best to consult the information letter, the introductory information or the privacy statement that accompanies the relevant research.
The most common personal data that we process in the context of research projects are:
- Name – to be able to address you
- Contact details – to be able to contact you
- Consent forms – to be able to demonstrate that you have voluntarily participated in the study and/or that you have given permission for the processing of your personal data
- Research data – the data collected during the research that is necessary for answering the research question or for achieving the research goal
- Demographic information – for example, your age and education level to contextualize and better understand the survey data
We may only process personal data if we have a good reason to do so. The GDPR mentions several reasons, which we call legal bases. Conducting scientific research is, in principle, subject to one of the following legal bases:
- Public interest – Conducting scientific research is a task of public interest entrusted to the UU. This follows from the Higher Education and Scientific Research Act (WHW). If we carry out research aimed at increasing society's knowledge, we usually do so on the legal basis of public interest.
- Legitimate interest – Sometimes we carry out scientific research that is not primarily aimed at increasing the knowledge of society as a whole. This concerns, for example, research commissioned by an external party, such as a government agency or a large company. Or it concerns research aimed at improving our own processes (including educational processes). We must then demonstrate that we have a legitimate interest in doing that research. Before we start, we weigh the rights, freedoms and interests of the participants against our own interests. We only start the investigation if our own interests outweigh the possible violation of the rights, freedoms and interests of the participants.
- Consent – In certain cases, we ask the participants in a research project to consent to the processing of their personal data. In this way, we give participants an extra degree of control over their personal data. They can then indicate, for example, for which processing operations they give permission (such as reuse of their data for other research, use of their name or photos, etc.). Of course, we always ask for your permission first before you participate in the research itself.
Special category personal data
If we process special category personal data, we generally ask for the explicit consent of the participants. Sometimes, however, asking for permission is impossible or requires a disproportionate amount of effort. As long as the research also serves a public interest, the university is exempt from asking for permission. If this is the case, we will always ensure that the privacy of the participants is not disproportionately harmed.
You can read exactly how long the UU will keep your personal data in the information letter, the introductory text or the privacy statement that accompanies your research. We will just mention some general principles here.
If the research is conducted in the public interest, we keep the raw data (which, in principle, cannot be traced back to you) for at least ten years after publication of the research results. This is necessary to be able to check the research results and make sure that the research is repeatable. We never retain more data than necessary for this purpose. All non-necessary data will be deleted, anonymised or pseudonymised as soon as possible.
When we conduct research in our own interest or in the interest of another party, we do not store your personal data longer than is necessary for the purpose of that research. After that, the data will be deleted or anonymised, as indicated in the information letter, the introductory text or the privacy statement.
We do not store your contact details longer than it is necessary or foreseeable for us to contact you.
Your consent form will be deleted when we delete or anonymise your data.
Internally within the UU, your personal data will only be shared with persons that require access to your data in the context of the research.
For certain projects we work together with external partners, such as other universities, research institutes or archives. We often exchange personal data with these parties. In such cases, the UU makes agreements with other parties to guarantee that the processing complies with the GDPR.
In addition, the UU may commission other organisations to carry out certain parts of the research on our behalf. If the relevant organisations process personal data in the context of that assignment, we call them 'data processors'. The UU has so-called data processing agreements with these processors to ensure confidential and careful handling of personal data.
Your personal data will never be rented out or sold. In exceptional cases, we are legally obliged to provide your personal data to third parties. Think, for example, of enforcement authorities (such as the Dutch Data Protection Authority) or fraud-fighting organisations (such as the Public Prosecution Service). When we provide access to the research data to UU employees not involved with the research project, in the context of checking scientific integrity, we only do so after the employees involved have signed a confidentiality agreement.
Will my personal data be exported to a country outside the European Union (EU)?
For certain research projects, it is necessary to share your personal data with one or more countries outside the EU. Some of those countries have the same or a similar level of privacy legislation as the Netherlands.
However, there are also countries where privacy legislation is less stringent. If we share your personal data with such countries, we will always indicate this in the information letter, the introductory text or the privacy statement. We always mention how we guarantee the security of your personal data. You can then decide for yourself whether you find these guarantees sufficient.
The GDPR gives you a number of rights with regard to your personal data as a participant in scientific research. For example, you have the right to be informed in a timely, clear and complete manner about the processing of your data. This privacy statement, together with the information letter, the introductory information or the privacy statement that accompanies the research you are partaking in, is intended to do just that. If you have given permission for the processing of your personal data, you can also withdraw that consent. In other cases, you have the right to object to the processing.
If you participate in one of our research projects, you will be informed about that research in advance. You can then decide for yourself whether you want to participate or not. After all, participation must always be voluntary, based on all relevant information. We call this informed consent. There are several ways we can inform you:
- In many research projects, you will receive an information letter from the researcher, sometimes linked to a consent form. The information letter contains all the information about the project in question. The consent form contains an overview of what you specifically give permission for.
- When you see the researcher in person, you can always ask questions. The researcher will answer these to the best of their ability.
- With online research you often receive an invitation with a lot of information. In addition, you will be given an introductory text in which the most important information is listed again. You can only start the research after you have indicated that you have read that information.
- Some research projects, especially the larger ones, have their own privacy statement on a UU webpage. You can often find that privacy statement via a link or QR code on the information letter.
- In contactless research, we conduct research on people whom we have not personally approached for this. Think, for example, of web scraping (retrieving information from websites) or archival research. It is impossible to approach all those people personally to inform them. That is why we do our best to let those people know via general announcements (e.g. social media, websites) that they are (perhaps) being investigated. In such notices, we refer to a specific privacy statement on a website.
If we process your data on the basis of your consent, you have the right to withdraw that consent. This is always possible, even after we have already collected your data. Withdrawing your consent is as easy as granting it, and you don't have to say why you are withdrawing your consent.
Normally you have the right to know whether we process personal data about you, and which data. If the data we have about you is incorrect, you can ask us to correct that data.
However, slightly different rules apply for organisations that carry out scientific research. On the basis of the UAVG (the Dutch GDPR Implementation Act), we can exclude your right to view and correct your personal data. If this is the case in the specific research project you are participating in, this will be indicated in the information letter, the introductory text or the privacy statement.
There are situations in which you can ask us to delete certain data about you. We will then check whether there are important reasons to keep your personal data. If there are no such reasons, we will delete the data.
If we carry out scientific research and we process your personal data on the basis of the public interest or to represent our legitimate interests (or those of another person or organisation), you can object to that processing. If you object, we will suspend processing and balance your rights, freedoms and interests against our interests. We pay attention to your specific situation. If our interests outweigh yours, we will resume processing. If your rights, freedoms and interests outweigh ours in your specific case, we will permanently stop the processing. In either case, we'll let you know what we've decided.
Restricting the processing means nothing more than that you can temporarily 'freeze' the processing. If you request to restrict the processing of your personal data, we can’t do anything with your information other than storing it on our systems. The right of restriction is especially important if you do not want us to do anything with your personal data, but you also don’t want us to erase your personal data, for example because you are preparing a lawsuit. Here, too, organisations that carry out scientific research can exclude this right under the UAVG. If this is the case, it will be indicated in the information letter, the introductory text or the privacy statement.
In the context of scientific research, it can occasionally happen that profiles of individuals are generated by automated means. We are allowed to do so under certain conditions. It is a different situation if we subsequently use those profiles to make fully automated decisions that have material consequences for you. In the exceptional cases that this happens, you will be informed of this in the information letter, the introductory text or the privacy statement. You then have the right to object to such decisions and to demand that there is someone to check these decisions.
The right to data portability means that any data you have provided to an organisation can be transferred to another organisation. This right is intended to ensure that you are not tied to a particular service just because you have entered a lot of data into that service (for example, a list of favourites on a music streaming service). In scientific research, this right usually has little meaning.
If you wish to exercise one or more of the above rights, you can submit a request using the Privacy Request Form (uu.nl). We will then have one month to respond to your request. For very complex requests (or if there are a lot of requests coming in at the same time), we sometimes need more time (up to two months extra). We will let you know within that first month.
When exercising your rights, we must first establish your identity. We do this in a way that suits the situation at hand and the right you want to exercise.
We would like to point out that the rights described above are not absolute rights. We assess each request individually. There may be circumstances that prevent us from responding to a particular request. If so, we'll let you know why.
All UU faculties work with an ethics review committee. Researchers can go there to have their research with human subjects assessed on issues such as informed consent, acceptable burden on test subjects, risks for test subjects and adequate handling of (personal) data. If the research in which you participate has been assessed and approved by an ethics review committee, it is usually stated in the information letter, the introductory text or the privacy statement.
The UU makes sure that personal data is treated confidentially. The UU takes appropriate technical and organisational measures to ensure that your personal data is properly protected.
Technical measures
In order to optimally protect your personal data against unauthorised access or use, the UU has appropriate security technology in use. For example, many of our systems work with two-factor authentication (2FA). For most research data, we use our own, well-secured storage infrastructure: Yoda. Data communication takes place via secure connections.
Organisational measures
Within the organisation, the UU has taken a large number of measures to ensure that your data is not only technically secured, but that the chance of human error and misuse is also kept to a minimum. For example, in most research projects we work with research protocols, we conclude contracts with external parties and we ensure that internal and external employees are bound by confidentiality. As an organisation, we work with a complete set of procedures for security, confidentiality, protection of personal data, and so on.
Do you have any specific questions or comments about our privacy statement as a result of the information above? Please feel free to contact us. Your first point of contact is the contact person for your research, as stated in the information letter, the introductory text or the privacy statement of the study itself. You can also send a message to privacy@uu.nl.
The UU has appointed a Data Protection Officer (DPO). This is an internal advisor and supervisor on the application of the GDPR. When you have questions about the processing of your personal data or when you want to file a complaint, you can contact our DPO via fg@uu.nl.
We would like to point out that you also have the right to file a complaint with the supervisory authority, the Dutch Data Protection Authority.
Contact details Utrecht University
Heidelberglaan 8
3584 CS Utrecht
Tel. (030) 253 35 50
Privacy statement: version and policy document
This privacy statement was last amended on 16 August 2023. From time to time, changes are made to this privacy statement. Please check our website to make sure you are consulting the most recent version.