This Privacy Statement describes how the University of Amsterdam (hereinafter ‘UvA’) processes your personal data. This Privacy Statement relates to personal data that you provide to us or that we obtain from you through our website(s).
We may amend this Privacy Statement from time to time. This Privacy Statement was last amended in November 2021.
The Executive Board of the UvA is the controller within the meaning of the General Data Protection Regulation (GDPR) in respect of the data processing discussed in this Privacy Statement. This means that the Board of the UvA (hereinafter also ‘we’, ‘us’ or ‘our’ ) decides which personal data will be processed, for what purpose, and in which manner. The UvA has the responsibility to ensure careful and fair processing of your personal data.
The UvA has its registered office at Spui 21, 1012 WX Amsterdam. Our postal address is Postbus 19268, 1000 WX Amsterdam. If you have any questions or comments about our processing of personal data, please send an email to firstname.lastname@example.org.
The UvA has appointed a Data Protection Official (DPO). The DPO can be contacted at email@example.com.
This Privacy Statement provides information on the processing of personal data of prospective students, students, parents of students (or of prospective students), survey or study participants in cases where data are not obtained from the data subjects themselves, and visitors to our websites. ‘Prospective students’ means anyone who signs up for one our orientation activities (such as an open day, workshop or degree programme orientation event) and anyone who has already enrolled in a programme, but has not yet started their studies. Such personal data may include contact details, information on whether or not someone is enrolled in a programme, and clicking behaviour. We also place cookies (after obtaining your consent, if required). More information on this can be found in our Cookie Statement.
Personal data we process in respect of current and prospective students includes, among other things:
Personal data we process in respect of visitors to our websites includes, among other things:
In addition, if you participate in any survey or scientific research, we may process additional personal data in each survey or study in which you participate, for the purposes of this survey or study. The nature and scope of the personal data may differ per survey or study. Further information on this will be provided during the survey or study.
We process personal data for the purposes of providing our services in the context of education and research, and in order to comply with legal obligations.
Personal data provided by current or prospective students are processed for the following purposes:
The personal data provided by visitors to our websites is processed for the following purposes:
In the context of surveys and scientific research, personal data is processed for the performance of the relevant surveys or scientific research. Further information on the manner of and the basis for the processing of personal data in the context of this survey or scientific research will be provided in the relevant survey or study.
In order for us to be allowed to process your personal data, the processing must be based on one of the lawful bases set out in the GDPR. In the case of the UvA, this basis for processing will be one of the following, depending on the specific personal data: a legal obligation, a contract, a task carried out in the public interest, a legitimate interest, consent, or a vital interest. If you do not provide certain personal data, you may not be able to attend education, conduct research or experience all the functionalities of the website.
Contract: we need to process personal data to be able to perform certain contracts. Examples include the processing of personal data in connection with the performance of a contract between the UvA and a contract student, and the processing of personal data in connection with an authorisation to collect tuition fees.
Legal obligation: based on Dutch legislation and regulations, including the Higher Education and Research Act, the General Administrative Law Act, the regulations governing the funding of higher education and scientific research, and tax legislation, we must process certain personal data (in particular: retain or provide data).
Task carried out in the public interest: in order to provide education, it is necessary to process personal data. We process those personal data that are necessary in order to facilitate the services in the context of education on the basis of a ‘task carried out in the public interest’. Such as in order to create timetables, to issue lists of marks and to deploy anti-plagiarism software.
Legitimate interest: we process personal data if this is necessary to promote the legitimate interests of the UvA or of a third party. For example, in the interest of the safety of its students and staff, the UvA uses CCTV monitoring and the UvA controls access to the University Library.
Consent: if the processing of personal data is not covered by one of the aforementioned bases, we will request your consent to process certain personal data. An example of when we may request you to consent to the processing of personal data is in order to enable us to provide your personal data to the insurer and to a university outside the Netherlands in the context of an exchange project. You can withdraw your consent at any time.
Vital interest: in exceptional cases, we may process your personal data where this is necessary to protect your vital interests. This only occurs when there is an urgent medical necessity. This concerns situations of life or death, or at least situations where there is a serious risk of injury or other damage to your or another person’s health.
The basic principle is that your personal data will only be used by the UvA. In a number of cases, we share your personal data with other parties.
These other parties fall into the following categories.
In some cases, we have a legal obligation or are ordered by a court to share personal data with government agencies. This may include, for example, the Tax and Customs Administration, the Education Executive Agency (DUO), the police or a regulatory authority. The UvA is careful in providing personal data and only provides the personal data it is legally obliged to provide.
The UvA may share your personal data with other educational and research institutions if this is necessary to provide education or conduct scientific research. This may include, for example, a programme that is carried out in cooperation with another institution (i.e. a joint degree), an exchange programme and partnerships in the context of scientific research. The UvA makes written agreements with these parties regarding the processing and security of personal data.
Finally, the UvA shares personal data with third parties to support the performance of its tasks. This may include, for example, a software supplier, an external administration office, or other service providers who need personal data to be able provide their services. In addition, this includes third parties involved in appointments, nominations and the awarding of prizes. The UvA makes written agreements with these parties regarding the processing and security of personal data.
The UvA will endeavours to process your data solely within the European Union (‘EU’) by storing your data on a server located in the EU wherever possible. This is not possible in some cases, such as when we transfer data to a university outside the EU after obtaining your consent.
When we engage the services of data processors, we require that they store personal data on servers located in the EU. Where this is not possible, we will take the necessary measures to provide an appropriate level of security for the protection of your personal data.
If we process your personal data, you have the following rights, depending on the circumstances: the right to access your personal data, the right to rectification of your personal data, the right to their erasure, and the right to restriction of processing of your personal data. In some cases, you also have the right to object to the processing of your personal data or the right to request the transfer of your personal data. To make a request relating to any of these rights, please contact us at firstname.lastname@example.org. In case of doubt about your identity, we may ask you to provide us with identification.
Access and rectification: if you want to know whether we process your personal data correctly or would like to have your personal data rectified, you can contact us to access and rectify your personal data.
Erasure: under certain circumstances, the GDPR offers the possibility to have your personal data erased. We will assess whether such a request can be implemented. In some cases, we will need to retain your personal data, e.g. to comply with a legal obligation, to facilitate education, or to ensure (by means of a one-off action) that you no longer receive messages from us.
Restriction of processing: if you believe the personal data we have processed about you are inaccurate, or that our processing of your personal data is unlawful, or if you need your personal data for legal action, or have objected to our processing thereof, you can request us to restrict the processing of your personal data.
Objection to processing: If we process your personal data on the basis of a task carried out in the public interest or on the basis of a legitimate interest, you can object to the further use of your personal data, on grounds relating to your particular situation.
Objection to electronic messages: If you no longer wish to receive email messages or any other electronic messages from the UvA, you can unsubscribe from them by clicking on the unsubscribe link in any email message you receive from us. You can also unsubscribe by contacting us.
We have a strict (information) security policy to ensure that your data is protected against loss or any form of unlawful processing. Our security policy and standards are regularly brought in line with new regulations and developments. Click here for the latest version of our Information Security Policy. We take appropriate physical, technical and organisational measures to protect data. Employees are to be screened if necessary and have a duty of confidentiality. Within the UvA, your personal data can only be accessed by employees who need your data to properly carry out duties for the purposes described in paragraph 3 of this Privacy Statement. When we engage a third party in order to process your personal data, we always check that this third party has an adequate level of security.
If, despite this strict security, an incident should occur, we will resolve the incident as soon as possible and take measures to ensure it cannot happen again. We report data breaches that pose a risk to the rights and freedoms of data subjects to the Dutch Data Protection Authority.
We will not retain your personal data for any longer than necessary for the purposes for which we use them. By law, we are required to retain certain data for a specific period.
After your enrolment at the UvA has been terminated, we may need to retain certain personal data for our records or in order to comply with a legal obligation. Where possible, we will pseudonymise or anonymise your personal data to the fullest extent possible.
If you have any questions about how we process your personal data, please let us know by sending an email to email@example.com. We will be happy to assist you.
If you believe that your personal data is being processed in breach of the GDPR, you can submit a complaint to our Data Protection Officer (DPO) by sending an email to firstname.lastname@example.org. The DPO is the link between the UvA and the external regulatory authority (the Dutch Data Protection Authority). The DPO acts independently, has a duty of confidentiality and may consult or seek advice from the Dutch Data Protection Authority regarding your complaint.
If you disagree with the outcome of the DPO’s handling of your complaint, you can submit a complaint directly to the Dutch Data Protection Authority.