Personal Data Protection Regulations

2019 version discussed at the Executive Board meeting on 12 November 2019

These Regulations explain how specific aspects of the processing of personal data are handled within Radboud University on the basis of applicable laws and regulations.

Preamble

Radboud University respects the privacy of data subjects and processes personal data in accordance with applicable laws and regulations. Since 25 May 2018, the processing of personal data has been governed by, among other things, the General Data Protection Regulation and the General Data Protection Regulation (Implementation) Act. These Regulations explain how specific aspects of the processing of personal data are handled within Radboud University on the basis of applicable laws and regulations.

These Regulations apply to the fully or partially automated/systematic processing of personal data that takes place under the responsibility of Radboud University, as well as to the underlying documents that are included in a file, and to the non-automated processing of personal data included in a file or intended for inclusion in it. Radboud University processes data relating to various people including (prospective) students, course participants, alumni, applicants, (former) employees, guests, visitors and external associates. The management and use of personal data and other data collected in the context of academic research and for statistical purposes are not covered by these Regulations, but are regulated separately. Refer to the page on research data management (http://www.ru.nl/rdm/) and the website of the Universities of the Netherlands.

The privacy of data subjects is respected as much as possible. The (manner of) processing of personal data must be lawful, proper, careful and transparent with regard to data subjects. Personal data relating to data subjects are protected against unlawful and unauthorised use. Radboud University aims to strike a good balance between the protection of privacy, functionality and security.

Radboud University informs data subjects through the Privacy Statement what personal data are collected by Radboud University and for what purposes and on what grounds this happens, how such personal data are processed, what rights data subjects have if their personal data are processed and where they can go with questions or requests concerning their privacy.

The internal Information Security Policy provides further details of the measures taken by Radboud University to ensure an appropriate level of security as well as the technical and organisational measures taken by Radboud University to prevent the unlawful processing of Personal Data.

Chapter 1 – General provisions

Article 1. Definitions 

The following terms are used in these Regulations: 

  1. Personal Data: data that relate to an identified or identifiable natural person; 
  2. Special Categories of Personal Data: data revealing race or ethnic origin, political views, religious or ideological convictions, or membership of a trade union, and the Processing of genetic data, biometric data with a view to the unique identification of a person, or data concerning someone’s health or sexual preference; 
  3. Data Subject(s): the natural person or persons to whom the data relate; 
  4. Controller: the Executive Board of Radboud University if this is the body that specifies the purpose of and the resources for Processing Personal Data. 
  5. Processor: a Third Party engaged by Radboud University who or which Processes Personal Data on behalf of Radboud University, on the basis of (written) instructions from Radboud University, in accordance with the purpose and means of Processing determined by Radboud University. It is also important that the person who then carries out this Processing is not under the direct authority of the Controller. An employee of an organisation that carries out the Processing is not deemed a Processor within the meaning of the GDPR, but the organisation is; 
  6. Processing: any operation or set of operations performed with regard to Personal Data or a set of Personal Data, whether or not by automated means, such as the collection, recording, storage, transfer and organisation of data; 
  7. Data Processing Agreement: agreement between the Controller and the Processor which sets out the subject matter, the duration of the Processing, the nature and purpose of the Processing, the type of Personal Data Processed, the categories of Data Subjects and the rights and obligations of the Controller; 
  8. Domain Owner: the party responsible for ensuring that the (ICT) business asset meets the requirements of the business processes and complies with the Information Security Policy;
  9. Third Party: a natural person or legal entity, public authority, agency or body other than the Data Subject, the Controller, the Processor or a person who, under the direct authority of the Controller or Processor, is authorised to Process the Personal Data; 
  10. Recipient: a natural person or legal entity, public authority, agency or another body, whether or not a Third Party, to whom or which Personal Data are disclosed; 
  11. Data Protection Officer (DPO): the officer appointed by the Executive Board to supervise the application of and compliance with the GDPR within Radboud University; 
  12. Consent of the Data Subject: any freely given, specific, informed and unambiguous expression of will through which the Data Subject, by means of a statement or an unambiguous act, accepts the Processing of their Personal Data;
  13. Personal Data Breach: a breach of security that intentionally or unintentionally leads to the destruction, loss, modification, unauthorised disclosure of or unauthorised access to data that have been transmitted, stored or otherwise Processed; 
  14. Register of Processing Activities: register recording the Processing activities that take place within Radboud University; 
  15. Privacy By Default: data Processing whereby the standard settings of products and services are configured in such a way that the privacy of Data Subjects is ensured to the maximum. This means, among other things, that as little data as possible are requested and Processed; 
  16. Privacy By Design: management of the entire lifecycle of Personal Data, from collection to Processing and erasure, whereby mechanisms are designed to take the privacy of Data Subjects into account as much as possible. Systematic attention is given to comprehensive safeguards relating to the accuracy, confidentiality, integrity, physical security and erasure of Personal Data; 
  17. Privacy Impact Assessment: an assessment that helps identify privacy risks and offers insight to reduce these risks to an acceptable level; 
  18. General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
  19. General Data Protection Regulation (Implementation) Act (UAVG): Act of 16 May 2018 containing rules for the implementation of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Chapter 2. Roles and responsibilities

Article 2:1 Principles relating to the Processing of Personal Data

Radboud University Processes Personal Data in accordance with applicable laws and regulations. The (manner of) processing of personal data must be lawful, proper, careful and transparent with regard to data subjects. Personal data relating to data subjects are protected against unlawful and unauthorised use. Radboud University aims to strike a good balance between protection of the privacy of Data Subjects, functionality and security. Within this balance, an attempt is made on the basis of collaboration with privacy managers to create workable situations based on a practical interpretation of the Personal Data Protection Regulations.

Article 2:2 Controller

  1. In the context of the administration and management of Radboud University, the Executive Board is the Controller. The Executive Board determines the policy, measures and procedures in relation to the Processing of Personal Data. 
  2. The actual Processing of Personal Data takes place within different levels of Radboud University, and it is everyone’s responsibility to ensure that Personal Data are handled with care. To this end, Radboud University provides training and information on the Processing of Personal Data for both employees and students. Employees, students and guests are expected to comply with and apply codes of conduct and integrity, to behave ethically in general and to handle Personal Data with care. For example, a duty of confidentiality has been laid down for employees in the Collective Labour Agreement. 
  3. Persons who are not already subject to confidentiality by virtue of their office or profession or a legal provision are also obliged to maintain the confidentiality of the Personal Data of which they become aware, except where any legal provision obliges them to report such or where the need to report such arises from the task assigned to that person within Radboud University.

Article 2:3 Management of the Personal Data of prospective students and other interested parties

  1. Central
    The Director of the Marketing and Communications Department (DMC) is responsible for the Processing and protection of this category.
  2. Faculty
    The deans of the faculties are responsible for the Processing and protection of the categories of Personal Data of prospective students and other interested parties that remain with the faculties.

Article 2:4 Management of the Personal Data of students

  1. The Director of the Student Affairs Office (DSZ) is responsible for the Processing and protection of the categories of Personal Data of students that remain with the Central Student Administration Office and with the central university student facilities.
  2. The deans of the faculties are responsible for the Processing and protection of the categories of Personal Data of students that remain with the faculties.

Article 2:5 Management of the Personal Data of employees

  1. The Director of the Human Resources Department (DPO) is responsible for the Processing and protection of the categories of Personal Data of employees that remain at the central level.  
  2. The deans of the faculties are responsible for the Processing and protection of the categories of Personal Data of employees that remain with the faculties. 
  3. The directors of the institutes, departments, units or offices are responsible for the Processing and protection of the categories of Personal Data of employees that remain with the respective institutes, departments, units or offices.

Article 2:6 Management of the Personal Data of course participants, alumni, other associates and external parties

  1. The directors of the institutes, departments, units or offices are responsible for the Processing and protection of the categories of Personal Data of course participants, alumni, other associates and external parties that remain with the respective institutes, departments, units or offices.

Article 2:7 Data Protection Officer

  1. The Executive Board has appointed an internal supervisor for the Processing of Personal Data. This is the Data Protection Officer (DPO). 
  2. The Data Protection Officer of Radboud University has been registered with the Dutch Data Protection Authority.  
  3. The Data Protection Officer and the DPO Office can be reached by email at privacy [at] ru.nl (privacy[at]ru[dot]nl)
  4. The Data Protection Officer has the following duties: 
    a. To develop policy with regard to the Processing of Personal Data in accordance with applicable laws and regulations and to advise the Executive Board on this; 
    b. To perform (or order) and verify Data Privacy Impact Assessments (DPIA); 
    c. To make an inventory of data Processing operations; 
    d. To develop internal regulations; 
    e. To maintain the Register of Processing Activities;
    f. To handle questions and complaints from Data Subjects regarding the Processing of Personal Data by Radboud University;
    g. To provide information and advice;
    h. To monitor compliance with the policy with regard to the Processing of Personal Data;
    i. To report Data Breaches to the Dutch Data Protection Authority.
  5. The Data Protection Officer and their deputy are authorised by the Executive Board to do the following on behalf of the Executive Board: 
    a. To act as a point of contact for Data Subjects in matters concerning the Processing of their Personal Data and to handle and settle requests from Data Subjects relating to the rights referred to in Article 3:7. 
    b. To assess the considerations justifying a legitimate interest and, in case of doubt, to submit these to the Executive Board.

Article 2:8 Register of Processing Activities

  1. The Register of Processing Activities contains details of the Processing activities that take place within Radboud University. The Domain Owner updates the Processing register within their domain. 
  2. Every Processing of Personal Data must be reported to the DPO Office for registration through the Decentralised Privacy Manager (contact person) (email: ).  
  3. The following information is provided when a Processing activity is reported:
    a. The purposes of the Processing;
    b. Who has access to the data; 
    c. The grounds for Processing; 
    d. The origin of the Personal Data concerned; 
    e. A description of the categories of Data Subjects and of the categories of Personal Data; 
    f. The categories of Recipients to whom the Personal Data have been or will be disclosed, including Recipients in third countries or international organisations and, if necessary, documents proving that appropriate safeguards have been put in place; 
    g. The intended retention periods; 
    h. A description of the technical and organisational security measures taken. 

Chapter 3. Principles and bases

Article 3:1 Principles of Processing

Radboud University Processes Personal Data in accordance with applicable laws and regulations. The (manner of) processing of personal data must be lawful, proper, careful and transparent with regard to data subjects. Personal data relating to data subjects are protected against unlawful and unauthorised use. Radboud University aims to strike a good balance between protection of the privacy of Data Subjects, functionality and security.

Article 3:2 Bases for Processing

  1. Personal Data are Processed within Radboud University only if and insofar as at least one of the following conditions arising from applicable laws and regulations has been met:
    a. The Data Subject has Consented to the Processing of their Personal Data for one or more specific purposes;  
    b. The Processing is necessary for the performance of a contract to which the Data Subject is a party, or to take measures at the Data Subject’s request prior to the conclusion of a contract;
    c. The Processing is necessary to comply with a statutory obligation incumbent upon Radboud University as the Controller;
    d. The Processing is necessary to protect the vital interests of Data Subjects or other natural persons;
    e. The Processing is necessary to carry out a task in the public interest or to exercise an official authority vested in Radboud University; 
    f. The Processing is necessary for the purposes of furthering the legitimate interests of Radboud University or of a Third Party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require the protection of Personal Data, particularly if the Data Subject is a child. 
  2. The Register of Processing Activities specifies the basis for each category of Personal Data.  
  3. If Consent is the basis for the Processing of Personal Data, Data Subjects have an individual choice to share data.

Article 3:3 Processing of Special Categories of Personal Data

The Processing of Special Categories of Personal Data is prohibited unless the conditions stated in applicable laws and regulations have been met or one of the grounds for exception stated in applicable laws and regulations applies. There are also more stringent requirements for the security of Special Categories of Personal Data. A national identification number (Citizen Service Number (BSN) or student number) is only Processed if there is a legal basis for doing so.

Article 3:4 Appropriate technical and organisational measures

  1. Radboud University ensures an appropriate level of security and takes appropriate technical and organisational measures to safeguard Personal Data against any breach or form of unlawful Processing, loss or damage. Measures that are applied as far as possible in this context include the encryption and pseudonymisation of Personal Data, encrypted communications and the treatment of Personal Data as confidential. Further details of these measures can be found in the internal Information Security Policy.
  2. Radboud University carries out a Data Privacy Impact Assessment in the course of activities or prior to the purchase of systems that are likely to pose a high risk to the rights and freedoms of natural persons. The principles of Privacy By Design and Privacy By Default are applied when purchasing new systems. 
  3. Anyone who Processes Personal Data within Radboud University must take the necessary measures to prevent any breaches, forms of unlawful Processing or loss of the Personal Data to be Processed by them. An example of such a measure is the application of encryption. 
  4. Employees must record and report any observed vulnerabilities in systems or services. Radboud University has a Data Breach Reporting Procedure, see https://www.ru.nl/privacy/english/ru/duty-report-data-breaches/. Security incidents anywhere within the organisation must be reported to the ISC Helpdesk +31 24 362 22 22, which is open 24 hours a day, 7 days a week. CERT-RU coordinates and handles reports of (possible) data breaches.

Article 3:5 Purpose limitation

Radboud University Processes Personal Data only for specific, explicitly described and legitimate purposes. Personal Data will not be Processed further, without the Consent of Data Subjects, for a purpose that is not compatible with these purposes.

Article 3:6 Data minimisation

Personal Data are Processed in a manner that is adequate, relevant and also limited to what is necessary for the purposes for which they are Processed.

Article 3:7 Accuracy

Personal Data are updated where necessary. All reasonable measures are taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are Processed, are erased or rectified without delay.

Article 3:8 Retention periods

Personal Data are not kept for longer than is necessary for the purposes for which they have been collected or are used. If the Personal Data concerned are subject to retention periods according to applicable laws and regulations or on the basis of a decision by the Executive Board, such retention periods are observed. If various periods exist, the longest retention period is applied. At the end of the retention period, Radboud University will destroy or anonymise Personal Data or it will archive such data if they are intended for historical, statistical or academic purposes.

Article 3:9 Disclosure of Personal Data

  1. Personal Data are only transferred within Radboud University if this is compatible with the data Processing objectives. 
  2. Radboud University only discloses Personal Data to Third Parties if this is compatible with the data Processing objectives and also in the interests of Radboud University. Radboud University does not disclose Personal Data to Third Parties who or which will use the data for their own purposes, unless Radboud University is legally obliged to disclose the data concerned or the Data Subject has Consented to this. Data Subjects can read in the Privacy Statement whether data are disclosed to Third Parties in their situation. 
  3. If data are disclosed to Third Parties with a view to having that data Processed by this Third Party, the applicable arrangements relating to such Processing are recorded in a Data Processing Agreement. 
  4. In principle, Radboud University only discloses Personal Data to Third Parties within the European Economic Area (EEA). Radboud University only discloses Personal Data to Processors located in a country outside the EEA if:
    a. the third country, territory or international organisation in question provides an appropriate level of protection according to the European Commission. Radboud University adheres to the general list of countries with an appropriate level of protection as published by the European Commission; or
    b. the transfer takes place on the basis of appropriate safeguards pursuant to Articles 46 and 47 GDPR; 
    c. the transfer takes place on the basis of one of the legal exceptions provided for in Article 49 GDPR.

Article 3:10 Privacy Statement 

Radboud University Processes Personal Data in a manner that is proper and transparent with regard to Data Subjects. This means that, prior to the Processing where possible, Radboud University makes it clear to Data Subjects how and to what extent their Personal Data will be Processed. Radboud University informs Data Subjects through the Privacy Statement what Personal Data are collected by Radboud University and for what purposes and on what grounds this happens, how such Personal Data are Processed, how long such Personal Data are retained for, what rights Data Subjects have if their Personal Data are Processed and where they can go with questions or requests concerning their privacy.

Chapter 4. Rights of Data Subjects, questions and complaints

Radboud University respects the rights that Data Subjects have under applicable laws and regulations. See also https://www.ru.nl/privacy/english/ru/exercising-right/.

Article 4:1 Right to information

Radboud University informs Data Subjects through the Privacy Statement what Personal Data are collected by Radboud University and for what purposes and on what grounds this happens, how the Personal Data of Data Subjects are Processed, what rights Data Subjects have if their Personal Data are Processed and where Data Subjects can go with questions or requests concerning their privacy.

Article 4:2 Right of access

Data Subjects have the right to see which of their Personal Data Radboud University Processes.

Article 4:3 Right to rectification and erasure

Under certain circumstances, Data Subjects are entitled to have their Personal Data amended or erased if the data are not, or no longer, correct, or if the Processing is not, or no longer, legitimate.

Article 4:4 Right to object

  1. If Radboud University Processes Personal Data on the basis of a legitimate interest or a task in the public interest, Data Subjects have the right to object to this.  
  2. If a Data Subject objects to the use of their Personal Data to inform them about Radboud University’s activities and for similar Processing (“direct marketing”), Radboud University will always honour this objection. In that case, the Data Subject’s data will no longer be used for this purpose. 
  3. If a Data Subject objects to other forms of Processing of their Personal Data, Radboud University will examine whether this objection can be honoured. If the interest stated by the Data Subject carries more weight than the interest that Radboud University has in the (further) Processing of the Data Subject’s Personal Data, Radboud University will stop Processing such data. If Radboud University is of the opinion that its legitimate interest in continuing to Process the Personal Data outweighs that of the Data Subject, this will be explained.

Article 4:5 Right to restriction, supplement, erasure or rectification

Data Subjects have the right to submit a request for restriction of the Processing of their data or for their data to be supplemented, erased or rectified. In the case of restriction, Radboud University will temporarily “freeze” the Processing of their data. The restriction will be clearly indicated in the file. A Data Subject can invoke this right while waiting for the assessment of a request for rectification if the data ought to be erased because the Processing is unlawful but, instead of requesting that the data be erased, the Data Subject requests that the Processing of the data be restricted if Radboud University no longer needs the data while the Data Subject still needs the data (to prepare) for a lawsuit or pending the assessment of an objection.

Article 4:6 Right to data portability

If Radboud University Processes Personal Data on the basis of the Consent of a Data Subject or a contract concluded with the Data Subject, the Data Subject has the right, with regard to such data, to receive (back) such data as disclosed digitally by the Data Subject in a common file format.

Article 4:7 Withdrawal of Consent

If Radboud University Processes Personal Data on the basis of the Consent of a Data Subject, the Data Subject often has the right to withdraw their Consent. In that case, Radboud University will stop the Processing. The withdrawal of Consent has no retroactive effect. This means that any Processing that has already taken place remains lawful.

Article 4:8 Automated individual decision-making

  1. Data Subjects have the right not to be subject to decisions by data Processing organisations that are based exclusively on automated Processing (including profiling). This is the case, for example, where such a decision has legal implications for them.  
  2. The right referred to in paragraph 1 does not apply where the decision is necessary for the performance of a contract, where it is permitted by a European or national law or where it is based on the explicit Consent of the Data Subject. 
  3. In the situations referred to in paragraph 2, Radboud University will take appropriate measures to protect the rights, freedoms and legitimate interests of the Data Subject. These will at least include the right to human intervention, the right of the Data Subject to express their point of view and the right to contest the decision.

Article 4:9 Restrictions on the rights of Data Subjects

Radboud University may restrict the rights of Data Subjects on the basis of legislation. Such a restriction must respect the essence of fundamental rights and freedoms. The restriction must be a necessary and proportionate measure to safeguard, for example, national or public security, objectives of public interest, or the protection of the Data Subject or the rights and freedoms of others.

Article 4:10 Right of opposition

Data Subjects may contact the DPO Office (mijnprivacy [at] ru.nl (mijnprivacy[at]ru[dot]nl)) to express their opposition to: 

  1. any Processing of Personal Data; 
  2. any other act or omission by an administrator that may affect the privacy of the registered person.

 

Article 4:11 Exercise of the aforementioned rights, questions or complaints

  1. If Data Subjects wish to exercise any of the aforementioned rights, they can contact the Data Protection Officer at the following email address: mijnprivacy [at] ru.nl (mijnprivacy[at]ru[dot]nl).   
  2. In this context, the Data Protection Officer may ask the Data Subject for further proof of their identity. This is done to prevent a situation where Personal Data are disclosed to the wrong party or changes are unlawfully made to the Personal Data or to the way in which such Personal Data are processed by Radboud University.   
  3. Radboud University does not charge Data Subjects for exercising the aforementioned rights, except where rights are abused.  
  4. In principle, Radboud University will respond to Data Subjects’ requests within a month. If more time is required to handle a request, the Data Subject will be informed of this within a month. The complexity of the requests and/or the number of requests may be such that it takes up to three months in total to respond.  
  5. There may be circumstances that prevent Radboud University from complying with a particular request. Every request will be assessed individually. If Radboud University does not or is unable to comply with a particular request, it will inform the Data Subject of this and will include the reasoning for its decision. However, the right to object to the use of data for direct marketing purposes is absolute. Requests to unsubscribe from any commercial communications will therefore be honoured in all cases.

Chapter 5. Camera surveillance

Article 5:1 Camera surveillance

The use of camera surveillance is deemed a form of Processing of Personal Data. This is subject to the following additional conditions within Radboud University:

  1. camera surveillance is undertaken exclusively: 
    i. to protect personal health and safety;
    ii. for surveillance inside campus buildings and on campus premises;
    iii. to monitor items located inside campus buildings and on campus premises. 
  2. the location of the cameras is clearly indicated. 
  3. with regard to the retention of the data recorded by means of camera surveillance, images are only stored when a camera has been installed to monitor items located inside campus buildings and on campus premises. The data recorded by means of camera surveillance are not retained for more than four weeks unless incidents have been recorded. 
  4. if images are stored, these are accessible exclusively to members of the Executive Board, to the head of the Security and Parking Supervision Service, to the responsible dean or (cluster) director and, in the absence of the above, to the two nominated replacements for each of the aforementioned officers. With regard to the replacements, the relevant Representative Councils (OCs) or, in the case of faculties, the Faculty Joint Assemblies (FGVs) must approve of the replacement officers beforehand. 
  5. if the camera surveillance is extended, if the application of a camera is changed or if a camera is removed, the relevant Representative Council (OC) or, in the case of faculties, the Faculty Joint Assembly (FGV) will be asked for its approval beforehand.  
  6. the Works Council (OR) and the University Student Council (USR) receive an annual overview of the current camera applications. This states the location of the cameras, their application and the officers who can access the monitors and any stored images.

Chapter 6 – Final provisions

Article 6:1 Hardship clause

In respect of any matters not provided for by these Regulations, the Executive Board will decide.

Article 6:2 Official title

These regulations can be cited as the Personal Data Protection Regulations of Radboud University.

Article 6:3 Publication and announcement

These Regulations will be published on the website and will be available at https://www.ru.nl/privacy/english/.

Article 6:4 Effective date

These Regulations were adopted by the Executive Board on 18 June 2019 and, following consultation with the Works Council and University Student Council, will enter into force on [date], repealing the Radboud University Regulations for the Protection of Personal Data, with effect from that date.

Article 6:5 Contact person

For any questions relating to the protection of personal data within Radboud University, or these Regulations, please contact the Office of the Data Protection Officer at privacy [at] ru.nl (privacy[at]ru[dot]nl).