Privacy statement students
This privacy statement is specifically intended for students of Utrecht University (UU). PhD candidates can read our privacy statement for employees.
Utrecht University is committed to look after the personal data of everyone who studies with us. The privacy rules from the General Data Protection Regulation (GDPR) are crucially important to us, as this legislation is in line with our objective to provide education and research at the highest level, our ambitions for good employment practices and our guiding principle of sustainability.
In this privacy statement we inform you about the personal data we process, about the purposes for which we do this, about your privacy rights and about other matters that are important to you.
The personal data we collect from you are processed by the UU for the following core purposes related to education:
- Establishing the identity of (potential) students.
- Informing potential and current students about UU programmes.
- Recruiting new students and promoting the university.
- Performing administrative actions with regard to registration and to calculating, establishing and collecting tuition and examination fees.
- Assessing prior education programmes and arranging matching and selection.
- Enrolling students in courses and registering attendance.
- Recording and publishing lectures.
- Receiving and reviewing assignments from students.
- Assessing study performance and awarding credits.
- Offering and delivering educational resources and IT, and facilitating remote collaboration.
- Supporting students with special needs or students in special circumstances.
- Taking action in response to exam fraud.
- Supporting and mentoring students by a study advisor and/or psychologist.
- Measuring and improving the quality of education and educational facilities.
- Preparing policies in the field of education, research, and business operations, and creating management information for the governing bodies within the university.
- Conducting quality research in preparation for policy decisions.
- Organising and providing information about additional courses, internships, graduation spots, career preparation and other extracurricular activities.
- Conducting exchange programs.
- Organising and holding elections for student participation bodies and facilitating joint decision making with student participation bodies.
- Recording study and exam results, and providing grade lists; approval of course package, statements and certification.
- Advising and supporting students and assessing special circumstances surrounding a binding study recommendation (bsa).
- Handling requests, complaints, objections and appeals cases, and reports of undesirable behaviour, personnel problems and abuses.
- Signing up graduates for alumni associations.
- Raising funds among alumni and maintaining relationships with alumni.
- Securing, maintaining and operating the university buildings.
- Securing our information systems and maintaining the proper functioning of IT facilities.
- Applying for, registering and disbursing a scholarship or research grant.
- Organising and registering (visa and) residence permits for students, employees and/or clients.
- Archiving documents and information.
- Organising education and examination.
- Stimulating housing facilities for students and promoting student societies.
- Providing information relevant to staff and students with a view to their work or study.
- Measuring the satisfaction of employees and students and the quality of employee and educational facilities.
The UU processes the following data from you as a student. Not all of this information may apply to you.
- Numbers to identify a person (UU student number, Study link number, Solis-id)
- Burgerservicenummer
- O&W number
- First and last name
- Contact details such as telephone number, address and e-mail address
- Passport photo
- Date, place, and country of birth
- Residence and visa details
- Account details, metadata, location data and last login date on Osiris Student
- Data relating to prior education
- Data on study progress and diplomas
- Financial data
- Data relating to exchange programmes and scholarships
- Notes from student counselors and student psychologists
- Health data (e.g. for the provision of extra services)
- Correspondence relating to reports, requests, complaints and objection and appeal procedures
The UU will receive your personal data via Studielink if you register there. Studielink is managed by a foundation that facilitates applications in higher education on behalf of the Dutch Education Agency (DUO) and the Dutch government. For more information about Studielink and privacy, please visit the Studielink website. In addition, we also receive personal data from DUO and the Basisregistratie Personen (registration of all inhabitants of the Netherlands).
In some cases, your data is obtained from an external source. Where possible, you will be informed in advance when data is shared with us.
The UU may only process your personal data if we have a good reason to do so. Such a reason should be mentioned in the law. We then speak of a legal basis. The UU processes your personal data on the basis of the following legal bases:
- The processing is necessary for the execution of an agreement that we have entered into or will enter into with you. This is the case, for example, when you sign up for contract education or make use of the services of the University Library.
- The processing is necessary to comply with a legal obligation that rests on us. For example, we store your thesis on the basis of the Archiefwet.
- The processing is necessary for the performance of a task carried out in the public interest. All activities that we carry out in the context of regular education fall under this basis. Under the Higher Education Act, the UU has the task of providing scientific education and conducting scientific research. In doing so, the UU fulfils a task of general importance to society.
- The processing is necessary for the representation of the legitimate interests of the UU or of a third party. These processing operations do not take place in the context of the exercise of the public task of the UU. You can think of processing personal data to provide students with better guidance or to measure the quality of education through learning analytics. The UU may also have a legitimate interest in processing personal for CCTV. More information about learning analytics and CCTV can be found in the privacy statement of learning analytics and camera surveillance. If we process your data on the basis of our legitimate interest, we carefully weigh up in advance between your rights, freedoms and interests and our interests.
- You have given consent for the processing of your personal data. If you participate in a survey, for example, you may be asked whether you give consent for the processing of your personal data.
Special category personal data
Special category personal data are more sensitive than regular personal data. Processing of special category personal data only takes place if the conditions set out in the law are met, and only if there is one of the exceptions mentioned in the applicable laws and regulations.
The UU does not store your personal data longer than is strictly necessary to achieve the purposes for which your data is processed.
We base our retention periods on the Selection list for universities and university medical centres 2020. The retention period for identification data and an identification number is 50 years. Financial data is kept for a period of 7 years after recording, data about previous education is kept for 2 years after recording and data about facilities is kept for 2 years. If you have held a management position within the UU, we must also keep certain information about that. Personal data may also be retained for longer when this is necessary for historical, statistical or scientific purposes.
We keep some data in order to be able to maintain contact with you even after you have finished studying with us through our extensive alumni program. You can find a separate privacy statement on that subject here. If you do not want to be contacted by the UU alumni team, you can indicate this by sending an email to alumni@uu.nl. We will then delete the relevant data from our files and mailing lists.
The UU may instruct other organisations to arrange or organise certain elements of our activities on our behalf. If the relevant organisations process personal data in the context of that assignment, we call them data processors. The UU has so-called data processing agreements with these processors to ensure confidential and careful handling of personal data.
Your personal data will never be rented out or sold. The UU can share your (personal) data with third parties (other than data processors) if, for example, you have given permission for this yourself, if this is necessary to be able to execute an agreement between you and the UU, or if this third party has a compelling legitimate interest. In certain cases, we are also legally obliged to provide your personal data to third parties. For example:
- DUO; in order to arrange your student finance.
- SSH Foundation (Stichting Studenthuisvesting); only if your accommodation is part of the SSH system and you have given permission to share your data with SSH in order to be able to demonstrate that you are registered as a student at the UU.
- Immigration and Naturalization Service (IND); only if you are a non-Dutch student and you need a visa or residence permit to study in the Netherlands.
Organizations involved in the processing of your personal data may also be located outside the European Economic Area (EEA). Transfers may only take place to third countries with an adequate level of protection, such as an adequacy decision by the European Commission, appropriate safeguards or specific exceptions. If you would like to know more about this, please contact privacy@uu.nl.
The GDPR gives you as a student a large number of rights with regard to your personal data. For example, you have the right to be informed in a timely, clear and complete manner about the processing of your data. This privacy statement is intended to do just that. In addition, you have the right to view your data and to have it corrected or deleted. In certain cases, you have the right to have the processing of your data temporarily frozen ('restricted'), the right to object to the processing and the right not to be subject to decisions resulting from fully automated processes (i.e. without human intervention) which may have serious consequences for you. And finally, in some cases you have the right to have a whole set of data that we have about you transferred to another organization. This is called the right to portability.
If we process your data on the basis of your consent, you have the right to withdraw your consent. This is always possible, even after we have already collected your data. Withdrawing your consent is as easy as granting it, and you don't have to say why you are withdrawing your consent. Please note that if you withdraw your consent, we do not have to undo what we have done with your personal data up to that point. Withdrawing your consent does not work retroactively.
You have the right to know what personal data we process. At your request, we will provide you with an overview of all that data, or a specific part in which you are interested, free of charge. In doing so, we provide you with additional information, for example why we process that data, how long we keep it, and so on.
We must ensure that all your personal data stored on our systems is correct. If you notice (or if you think) that certain personal data is factually incorrect, you can request that we correct that data. And because our data must not only be correct, but also complete, you may supplement data if you think the information we have about you is incomplete. In certain cases, you can do so by offering us an additional statement of fact that we will add to your file.
There are situations in which you can ask us to delete certain data about you. You can do so, for example, if you feel that we no longer need this data or that we are processing it unlawfully, if you have withdrawn your consent or if you have objected to the processing. We will then check whether there are legitimate reasons to keep your personal data despite this. If there are no such reasons, we will delete your data.
In certain cases, we process your personal data because it is necessary to carry out a task carried out in the public interest or to pursue our legitimate interests (or those of another person or organisation). In such cases, we do not ask you your consent to the processing, but you can object to this based on your specific situation. If you object, we will suspend processing and balance your rights, freedoms and interests against our interests. We pay attention to your specific situation. If our interests outweigh yours, we will resume processing. If your rights, freedoms and interests outweigh ours in your specific case, we will permanently stop the processing. In either case, we'll let you know what we've decided.
Restricting the processing is nothing more than that you can temporarily 'freeze' the processing. If you request to restrict the processing of your personal data, we can’t do anything with your information other than storing it on our systems. You have the right to restrict the processing of your personal data if one of the following situations applies:
- You dispute the accuracy of the data, in which case we will interrupt the processing of your data until we have verified its accuracy.
- The processing is unlawful or the UU no longer needs your personal data for the purpose for which the data was collected and you do not want us to delete your personal data.
- You have, in accordance with your right to object, objected to the processing of your personal data and you are awaiting the outcome of your objection.
You don't have to accept that decisions are made about you without the involvement of a human being, if those decisions do have substantial consequences for you.
The UU never makes automated decisions that have substantial consequences for our students.
If we process your personal data on the basis of your consent or an contract concluded with you, you have the right to have this data returned to you in a digital common file format. You are free to pass that data on to another party.
If you wish to exercise one or more of the aforementioned rights, you can submit a request using the Privacy Request Form (uu.nl). We will then have one month to respond to your request. For very complex requests (or if there are a lot of requests coming in at the same time), we sometimes need more time (up to two months extra). We will let you know within that first month.
When exercising your rights, we first need to establish your identity. Wedo this in a way that suits the situation at hand and the right you want to exercise.
Individual assessment
We would like to point out that the rights described above are not absolute rights. We assess each request individually. There may be circumstances that prevent us from responding to a particular request. If that's the case, we'll let you know why.
The UU makes sure that personal data is treated with confidentially. The UU takes appropriate technical and organisational measures to ensure that your personal data is properly protected.
Technical measures
In order to optimally protect your personal data against unauthorised access or use, the UU has appropriate security technology in use. We report (attempted) abuse. The UU also takes organisational measures to protect personal data against access by unauthorised persons.
Organisational measures
Within the organisation, the UU has taken a large number of measures to ensure that your data is not only technically secured, but that the chance of human error and misuse is also kept to a minimum.
Do you have any specific questions or comments about this privacy statement? Please feel free to contact us via privacy@uu.nl.
The UU has appointed a Data Protection Officer (DPO). This is an internal advisor and supervisor on the application of the GDPR. When you have questions about the processing of your personal data or when you want to file a complaint, you can contact our DPO via fg@uu.nl.
We would like to point out that you also have the right to file a complaint with the supervisory authority, the Dutch Data Protection Authority.
Contact details Utrecht University
Heidelberglaan 8
3584 CS Utrecht
Tel. (030) 253 35 50
Privacy statement: version and policy document
This privacy statement was last amended on 27 August 2024. From time to time, changes are made to this privacy statement. Please check our website to make sure you are consulting the most recent version.