Privacy statement Utrecht University
The university aims for a careful treatment of the personal data of everyone who works, studies or participates in research here. That aim should be the standard. The new privacyrules are crucial in this regard. The regulation is furthermore aligned to our objective to offer education and research at the highest level, as well as to our ambition to be a good employer and the underlying principle of pursuing sustainability in everything we do.
This Privacy Statement applies to all activities (including the activities via the website) of Utrecht University, hereinafter referred to as ‘UU’. Per topic, the Privacy Statement provides the most relevant information.
UU handles personal data with care and acts within the limits of the law, i.e. the General Data Protection Regulation (GDPR).
1. Responsible party and responsibility
UU is the responsible party within the meaning of the GDPR. UU believes it is essential that the personal data of its students, researchers, employees and visitors are handled and protected with the utmost care. We also want to be open and transparent about the way in which your data is processed by us. That is why we have explained this process in detail below. Our first priority is to comply at all times with the requirements set out in the GDPR.
2. For what purposes does UU process your personal data?
The personal data collected from you are used by UU for operational management and for the proper performance of its legal tasks and duties for education and research. The most important processes for which UU uses personal data are:
- A. Programme administration and educational support: recruitment, attracting & selecting new students, student administration, internal and external provision of information, recording of results, issuance of certificates, diplomas and degrees, formation and performance of agreements with students, customer involvement, relationship management and marketing, health, safety and security, organisational analysis, development and management reporting, substantiation for accreditation reviews, advice and guidance, handling of disputes, ability to perform an accounting audit.
- B. Human Resources: determination of salary entitlements, performance of the employment contract, settlement of claims related to benefits in connection with the termination of an employment, internal audit and accounting audit and in connection with University medical care services.
- C. Operational management and finances: financial administration, management of purchasing and payment systems, performance and management of procedures specifically focused on IT, legal affairs and other operational matters; recruitment & selection of new employees and candidates, personnel management, internal and external provision of information, formation and performance of agreements with employees, customers, consumers, suppliers and business partners, customer involvement, relationship management, marketing and market research, health, safety and security, organisational analysis, development and management reporting, complaint handling.
- D. Facilities management: access and management systems, camera surveillance, management of parking facilities.
- E. General processes: web content management, library system, physical and digital archiving, employee participation and elections, complaints procedure and appeal and objection.
- F. Scientific research: UU processes personal data through the various websites of UU, such as personal data obtained via contact forms. This is done based on consent or the legitimate interests of UU. All processes in which personal data are processed are recorded in a register of processing activities. Therefore, UU has a complete and up-to-date overview of all data-processing processes.
3. Whose personal data is collected by UU?
In the above-mentioned processes, UU collects data from different categories of data subjects. These include:
- Prospective students, potential students
- Employees, including PhD candidates and applicants
- External parties, including temporary employees
- Visitors to the website(s)
- Research subjects
4. What kind of personal data does UU collect?
In each process, different types of personal data are collected. The most common data are:
- Name, address and place of residence
- Bank account number (IBAN)
- Telephone number
- Date of birth
- Email address
- Interaction data (e.g. cookies or information received when you contact us)
- Images (photos and videos)
- Degree programme information, study progress and study results
- Surf and click behaviour
- Research data
UU collects (personal) data directly from you, but in some cases UU also receives personal data via third parties, insofar as this is in accordance with the law.
5. Granting and withdrawal of permission
UU offers various activities that can only be carried out by using your personal data. Examples of such data include your email address for the purpose of sending a newsletter or promotional emails or your study characteristics for conducting research. Your data will only be used if you give explicit permission for this. You will always be informed of the purposes for which your data will be used, what type of data this concerns and to whom these data will be provided. If you have granted UU permission for using your personal data, you may always withdraw this permission at a later date.
How does UU ensure the confidential handling of personal data?
UU treats personal data as confidential. We take appropriate technical and organisational measures to protect personal data. UU will only share personal data in accordance with this Privacy Statement and only with third parties if this is lawful and done with care.
6. Data sharing with third parties
Under the instructions of UU, third parties may provide certain parts of the services required for the performance of an agreement. UU makes agreements with these data processors to ensure the confidential and careful handling of personal data. These agreements are contractually laid down in so-called ‘Data Processor Agreements’.
Your personal data will not be rented, sold or otherwise shared with or provided to third parties. UU may share your (personal) data with third parties if you have given permission for this yourself or if this is necessary for the performance of the agreement.
UU provides personal data to enforcement authorities or anti-fraud organisations when this is necessary for complying with a legal obligation.
The categories of third parties with which UU shares data include:
- Public authorities, such as the Dutch Education Executive Agency (DUO), Tax and Customs Administration and the Immigration and Naturalisation Service (IND)
- Investigative authorities
- Research groups
7. Transfer of your data outside the EU
In a few cases, UU provides personal data to countries outside the EU. This is done in the following situations: for communications with foreign students who will study at UU and with students from UU who are studying abroad, and in the context of scientific research.
8. How long are the data stored?
UU stores your personal data in accordance with the GDPR. The data will not be stored longer than is strictly necessary to achieve the purposes for which the data have been collected.
9. How can you access, rectify or erase your data?
You are entitled to submit an access or rectification request to the UU. When making this request, please indicate clearly that this relates to an access or rectification request based on the GDPR. You may also request that your data be erased, although this is only possible insofar as this allows UU to continue to fulfil its legal obligations, such as the legal retention period. Please note that you may be asked to provide a copy of a valid ID so that your identity can be verified.
You can easily make a secure copy of your ID using the ‘Id copy’ app provided by the government, which can be downloaded from the app store.
Send your request to the email address email@example.com, clearly mentioning the type of request in the subject line of your mail.
You may also submit a complaint to the Dutch Data Protection Authority regarding the use of your data.
10. Technical security
To optimally protect your personal data against unauthorised access or unauthorised use, UU applies appropriate security technology. Any apparent or actual misuse of data will be reported to the relevant law enforcement authorities. In addition, UU takes organisational measures to protect personal data against unauthorised access.
11. Cookies and click behaviour
General visitor data are stored on our website, such as the most requested pages. The purpose of collecting these general visitor data is to optimise the layout of the website for you. UU uses various tools to make the website function optimally, improve user-friendliness and actively collect feedback from users. Read more about the cookies used by UU.
Do you have any specific questions or comments about our Privacy Statement based on this information? If so, do not hesitate to get in touch with us. You may either use the contact form on the website or send a message to firstname.lastname@example.org. The UU Data Protection Officer (FG) can also be reached via this email address.
Privacy statement - version
This Privacy Statement was last modified on 17 May 2018. UU reserves the right, where necessary, to make changes to the Privacy Statement.
The policy document explains how UU handles the processing of personal data.