Privacy statement website visitors (www.uu.nl)
Utrecht University is committed to looking after the personal data of everyone who visits our website. The privacy rules from the General Data Protection Regulation (GDPR) are crucially important to us, as this legislation is in line with our objective to provide education and research at the highest level, our ambitions for good employment practices and our guiding principle of sustainability.
In this privacy statement we inform you about the personal data we process, about the purposes for which we do this, about your privacy rights and about other matters that are important to you.
Through our website, we process the personal data that can be requested through website forms. Usually these are contact details, but they can also be registration data, for example.
The purpose for which we process your personal data is clearly indicated on the page on which you enter it. For example, if you use our website to register for an event, your personal data will only be used to process that registration. In certain cases, your personal data will also be used to keep you informed of events or developments related to the subject for which we originally collected your personal data.
If you do not belong to one of the target groups like students and employees, for which we have drawn up separate privacy statements, we will in principle only process your personal data for the following purposes:
- To respond to a question or request from you. We do this in your interest. Without your personal data, we would not be able to answer your question or request.
- To be able to enter into or prepare an agreement with you. For the conclusion of an agreement, it is necessary to process personal data. If not, we do not know with whom we have entered into the agreement. A registration for an event is an example of such an agreement.
- Because you have given consent for this. There may be situations where we ask you if you consent to us processing your personal data. We always explain what exactly we ask your consent for.
- Because we are legally obliged to do so. Think, for example, of the Tax and Customs Administration or the Public Prosecution Service.
Because the personal data is collected via our website for such different purposes, we cannot specify in this privacy statement how long we store it. This information is often provided on the page on which you enter your details. If not, the general rule is that we do not store your personal data longer than necessary. In other words: the moment we no longer need your data, it will be deleted.
Your personal data will never be rented out or sold. The UU can share your (personal) data with third parties (other than data processors) if, for example, you have given permission for this yourself or if this is necessary to be able to execute an agreement between you and the UU. In certain cases, we are also legally obliged to provide your personal data to third parties. Think of government organizations such as the Belastingdienst, enforcement authorities such as the Data Protection Authority or fraud-fighting organizations such as the Public Prosecution Service.
Organizations involved in the processing of your personal data may also be located outside the European Economic Area (EEA). Transfers may only take place to third countries with an adequate level of protection, such as an adequacy decision by the European Commission, appropriate safeguards or specific exceptions. If you would like to know more about this, please contact privacy@uu.nl.
You can read more about our use of cookies in our Cookie Statement.
The GDPR gives you, as a visitor to the website, a large number of rights with regard to your personal data. For example, you have the right to view your data and to have it corrected or deleted. In certain cases, you have the right to have the processing of your data temporarily frozen ('restricted') and the right to object to the processing.
If we process your data on the basis of your consent, you have the right to withdraw this consent. This is always possible, even after we have already collected your data. You do not have to say why you withdraw your consent. Please note that if you withdraw your consent, we do not need to undo what we have done with your personal data up to that point. Withdrawing your consent therefore does not work retroactively.
You have the right to know which of your personal data we process and to check whether that data is correct. At your request, we will provide you with an overview of data free of charge, preferably as specific as possible. In doing so, we provide you with additional information, for example why we process that data, how long we store it, etc.
We must ensure that all your personal data stored on our systems is correct. If you notice (or think) that certain personal data is factually incorrect, you can request that we correct that data. And because our data must not only be correct, but also complete, you may supplement that data or have it completed.
There are situations in which you can ask us to delete certain data about you. You can do this, for example, if you feel that we no longer need this data or that we are processing it unlawfully, but also if you have withdrawn your consent or if you have objected to the processing. We will then check whether there are compelling reasons for us to keep your personal data (for example because we have an agreement with you). If these reasons are not present, we will delete your data.
In certain cases, we may process your personal data because it is necessary to perform a task carried out in the public interest or to pursue our legitimate interests (or those of another person or organisation). In such cases, we do not ask you to consent to the processing, but you can object to this based on your specific situation. If you object, we will suspend processing and balance your rights, freedoms and interests against our interests. We pay attention to your specific situation. If our interests outweigh yours, we will resume processing. If your rights, freedoms and interests outweigh ours in your specific case, we will permanently stop the processing. In either case, we'll let you know what we've decided.
Restricting the processing is nothing more than temporarily 'freezing' the processing. If you request to restrict the processing of your personal data, we can’t do anything with your information other than storing it on our systems. The right to restriction of processing can be useful if, for example, there is a conflict or dispute in which your personal data plays a role. By restricting the processing, you prevent your personal data from being changed or deleted.
You do not have to accept that automated decisions are made about you without the involvement of a human being if those decisions do have substantial consequences for you.
On our website, the UU never makes automated decisions that have substantial consequences for visitors.
If you wish to exercise one or more of the aforementioned rights, you can submit a request using the Privacy Request Form (uu.nl). We will then have one month to respond to your request. For very complex requests (or if there are a lot of requests coming in at the same time), we sometimes need more time (up to two months extra). We will let you know within that first month.
When exercising your rights, we first need to establish your identity. We do this in a way that suits the situation at hand and the right you want to exercise.
Individual assessment
We would like to point out that the rights described above are not absolute rights. We assess each request individually. There may be circumstances that prevent us from responding to a particular request. If so, we'll let you know why. There is one exception: if you object to the use of your data for direct marketing, we will always honour that objection.
The UU makes sure that personal data is treated confidentially. The UU takes appropriate technical and organisational measures to ensure that your personal data is properly protected.
Technical measures
In order to optimally protect your personal data against unauthorised access or use, the UU has appropriate security technology in use. We report (attempted) abuse. The UU also takes organisational measures to protect personal data against access by unauthorised persons.
Organisational measures
Within the organisation, the UU has taken a large number of measures to ensure that your data is not only technically secured, but that the chance of human error and misuse is also kept to a minimum. For example, the UU applies an information security policy and a privacy policy, the UU works with confidentiality agreements where necessary and the UU staff regularly follows awareness training in the field of data security and protection.
Do you have any specific questions or comments about this privacy statement? Please feel free to contact us via privacy@uu.nl.
The UU has appointed a Data Protection Officer (DPO). This is an internal advisor and supervisor on the application of the GDPR. When you have questions about the processing of your personal data or when you want to file a complaint, you can contact our DPO via fg@uu.nl.
We would like to point out that you also have the right to file a complaint with the supervisory authority, the Dutch Data Protection Authority.
Contact details Utrecht University
Heidelberglaan 8
3584 CS Utrecht
Tel. (030) 253 35 50
Privacy statement: version
This privacy statement was last amended on 27 August 2024. From time to time, changes are made to this privacy statement. Please check our website to make sure you are consulting the most recent version.