This Privacy Statement sets out how the University of Amsterdam (hereinafter: ‘UvA’, ‘we’ or ‘us’/'our') processes your personal data which you provide to us or which we obtain through our website(s). This Privacy Statement was last amended on 23 May 2018. We may amend this Privacy Statement from time to time.
1. About the UvA
The UvA is the party responsible for processing your personal data (the 'controller') within the meaning of the General Data Protection Regulation (‘GDPR’).
The UvA is located at Spui 21, 1012 WX Amsterdam. Our postal address is PO Box 19268, 1000 WX Amsterdam. Any questions you might have can be emailed to email@example.com.
The UvA has appointed a data protection officer (‘DPO’). The DPO’s email address is firstname.lastname@example.org.
2. What personal data do we process?
Amongst other things, we process the following personal data from students (or prospective students):
- name and address;
- telephone number, email address;
- date of birth, sex;
- bank and payment details (of students/prospective students or their parents, as appropriate);
- study choice, academic progress and other study-related data;
- any personal experiences in the event of the student (or prospective student) consulting a study advisor;
- log-in credentials (such as UvAnetID).
Amongst other things, we process the following personal data from visitors to our websites:
- website visit and use;
- IP address;
- duration and time of visit to the website;
- use of social media.
Within the compass of surveys or scientific research we may, in addition to the above, process additional personal data for each survey or study. The nature and scope of the personal data can vary in these cases; further information on this will accompany the survey or study concerned.
3. For what purposes do we process personal data?
We process personal data for the purposes of our service provision, within the framework of education and research, and in order to comply with statutory obligations.
Personal data supplied by students (or prospective students) is processed for the following purposes:
- registration for the purposes of education;
- administrative purposes, to enable courses to be attended and the payments for these to be collected;
- to process requests for information about study programmes or publications;
- to provide study choice support;
- to manage course details and online services to facilitate course supervision;
- information purposes;
- to provide (more detailed) updates on current developments, conferences, seminars, etc.;
- to email newsletters, invitations to participate in (student) surveys, information on your student account, your study status and other (necessary) information from the UvA;
- to insure students;
the continuous improvement of the quality and accessibility of teaching by, among other things, conducting (statistical) research and carrying out and processing surveys and their results; and
the recommendation for a membership, prize or nominations,
The personal data supplied by visitors to our websites is processed for the following purposes:
- to compile user statistics;
- to promote security and improvement of our websites; and
- to improve our services.
Within the compass of surveys or academic research, personal data is processed for the purposes of the survey or study concerned. Further information on the way in which personal data is processed will accompany the survey or study concerned.
4. Grounds for processing personal data
In order to be allowed to process your personal data, there must be a legitimate basis for doing so as set out in the GDPR. In the case of the UvA this legitimate basis will be – depending on the type of personal data concerned – performance of an agreement, a legal obligation, a legitimate interest or consent. If you do not provide certain personal data, you may not be allowed to attend any course of education, conduct research or benefit from all website functionality.
We need to process personal data for the purposes of fulfilling certain contractual obligations. Examples include processing personal data in connection with agreements between the UvA and a contract student, or in connection with an authorisation to collect tuition fees.
We need to process (and, in particular, save or hand over) certain personal data pursuant to such legislation as the Higher Education and Research Act, General Administrative Law Act, Higher Education and Research Funding Regulation and tax law.
We have an interest in being in a position to carry out certain surveys or research, to safeguard the quality of education and to provide information. On the grounds of these interests, we will process your personal data unless your privacy interests outweigh our interests. For that reason, we sometimes carry out surveys in the public domain with personal data being processed, carry out student satisfaction surveys and keep a record of your use of the website.
If none of the aforementioned bases for processing apply, then we will request your consent to process certain personal data. An example of a situation for which we could ask for your consent is issuing your personal data to an insurer and to a university abroad, within the compass of an exchange project. You are free to withdraw your consent at any time.
5. To whom does the UvA issue personal data?
In order to be of service to you and to perform our duties, we enlist the services of other parties to process personal data on our behalf. Third parties that we enlist include satisfaction survey organisers, insurers, accountants, debt collection agencies and investigatory agencies. We are required to request your consent for some transmissions. Sometimes we are legally obliged or a court will order us to hand over personal data to such parties as the Dutch Tax and Customs Administration (Belastingdienst), the police or the regulatory body.
If we instruct a third party to process personal data on our behalf and we have and retain control over the processing, we will sign a written processing agreement with the third party concerned (the 'processor'). That document will lay down agreements on such points as the objective, the duration and scope of the processing, the retention times and the security measures for the personal data. A processor within the meaning of the GDPR could (for example) be a party carrying out certain IT work for us or a financial service provider facilitating payments.
6. Processing personal data outside of the EU
The UvA will endeavour to process your data solely within the European Union (‘EU’) by saving your data on a server located in the EU wherever possible. Sometimes this will not be possible, e.g. if we supply data to a university outside of the EU after obtaining your consent.
When we enlist the services of data processing firms, we stipulate that they must save personal data on servers located in the EU. To the extent that this is not possible, we take the requisite measures to provide a suitable level of protection to ensure that your personal data is secure.
7. Your rights with regard to personal data
You are entitled, under certain circumstances, to access any personal data processed by us or to have it corrected or deleted or restrict its processing. Sometimes you can also lodge an objection or request a transfer of your personal data. To submit a request to us in this respect, please contact us by sending an email to email@example.com. If in doubt about your identity, we are entitled to ask you to provide proof of your identity first.
Access and correction
If you wish to know whether we are processing your personal data or would like to amend your personal data, please get in touch with us.
Under certain circumstances, the GDPR allows you to have personal data erased. We will assess whether it is possible to implement such a request: in some cases we will have to retain your personal data, e.g. to comply with a statutory obligation, to facilitate education or (as a one-off action) to see to it that you will no longer receive messages from us.
You are entitled to contact us with a request to restrict the processing of your data if you think that your personal data is incorrect, the processing of it is unlawful, you require it for legal action or you have objected to it being processed.
if we process your personal data on the basis of a legitimate interest, then you can object to further use of your personal data on the grounds of your specific reasons.
Objection to receiving messages
If you no longer wish to receive email messages or any other electronic messages from us, then you can deregister for these by clicking on the unsubscribe button in an email message received from us. You can also deregister by contacting us.
8. How do we secure your personal data?
We have taken appropriate technical and organisational measures to prevent loss or unlawful processing of personal data. For example, your personal data can only be viewed by staff authorised to view it on the grounds of their role.
9. How long do we keep your personal data?
We will not keep your personal data for longer than is necessary for the purposes for which we use it. We are required by law to keep some data for a certain period of time.
For example, it could be that after you have completed a course of study we have to keep certain personal data for administrative purposes or due to a legal obligation. Wherever possible, we will pseudonymise or anonymise your personal data to the fullest extent possible.
10. Questions and complaints
If you have any questions on the way in which we process your personal data, please let us know by sending an email to firstname.lastname@example.org. We will be happy to help.
If you believe that your personal data is being processed in breach of the GDPR, you can submit a complaint to the DPO by sending an email to email@example.com. The DPO is the link between the UvA and the external regulatory body (the Dutch Data Protection Authority). The DPO acts independently and can consult with or seek advice from the Dutch Data Protection Authority regarding your complaint.
If you disagree with the outcome of the DPO’s handling of your complaint, you can submit a complaint to the Dutch Data Protection Authority directly. The Dutch Data Protection Authority will handle the complaint or request and make a decision on it.