This Privacy Statement sets out how the University of Amsterdam (hereinafter: ‘UvA’, ‘we’ or ‘us’/‘our’) processes your personal data which you provide to us or which we obtain through our website(s).
We have drawn up a separate privacy statement for UvA alumni. The Alumni Privacy Statement explains how and why the University of Amsterdam processes personal data for the purpose of contacting alumni.
This Privacy Statement was last amended 16 August 2021. We may amend this Privacy Statement from time to time.
The UvA is the party responsible for processing your personal data (the 'controller') within the meaning of the General Data Protection Regulation (‘GDPR’).
The UvA is located at Spui 21, 1012 WX Amsterdam. Our postal address is PO Box 19268, 1000 WX Amsterdam. Any questions you might have can be emailed to firstname.lastname@example.org.
The UvA has appointed a data protection officer (‘DPO’). The DPO’s email address is email@example.com.
Amongst other things, we process the following personal data from students (or prospective students):
Amongst other things, we process the following personal data from visitors to our websites:
Within the compass of surveys or scientific research we may, in addition to the above, process additional personal data for each survey or study. The nature and scope of the personal data can vary in these cases; further information on this will accompany the survey or study concerned.
We process personal data for the purposes of our service provision, within the framework of education and research, and in order to comply with statutory obligations.
Personal data supplied by students (or prospective students) is processed for the following purposes:
The personal data supplied by visitors to our websites is processed for the following purposes:
Within the compass of surveys or academic research, personal data is processed for the purposes of the survey or study concerned. Further information on the way in which personal data is processed will accompany the survey or study concerned.
In order to be allowed to process your personal data, there must be a legitimate basis for doing so as set out in the GDPR. In the case of the UvA this legitimate basis will be – depending on the type of personal data concerned – performance of an agreement, a legal obligation, a legitimate interest or consent. If you do not provide certain personal data, you may not be allowed to attend any course of education, conduct research or benefit from all website functionality.
We need to process personal data for the purposes of fulfilling certain contractual obligations. Examples include processing personal data in connection with agreements between the UvA and a contract student, or in connection with an authorisation to collect tuition fees.
We need to process (and, in particular, save or hand over) certain personal data pursuant to such legislation as the Higher Education and Research Act, General Administrative Law Act, Higher Education and Research Funding Regulation and tax law.
We have an interest in being in a position to carry out certain surveys or research, to safeguard the quality of education and to provide information. On the grounds of these interests, we will process your personal data unless your privacy interests outweigh our interests. For that reason, we sometimes carry out surveys in the public domain with personal data being processed, carry out student satisfaction surveys and keep a record of your use of the website.
If none of the aforementioned bases for processing apply, then we will request your consent to process certain personal data. An example of a situation for which we could ask for your consent is issuing your personal data to an insurer and to a university abroad, within the compass of an exchange project. You are free to withdraw your consent at any time.
The starting point is that your personal data are only used by the UvA. In a number of cases, we do share your personal data with other parties.
These other parties can be divided into the following categories.
Sometimes we are required by law, or compelled by a court, to share personal information with other government agencies. Examples include the Tax Authorities, the Education Executive Agency (DUO), the criminal investigation department or a supervisor. The UvA is careful in providing personal data and only provides the personal data it is legally obliged to provide.
Other educational and research institutions
The UvA can share your personal data with other educational and research institutions when this is necessary for providing education or doing scientific research. For example, think of a study programme that is carried out in collaboration with another institution (a joint degree), an exchange programme and collaborations in the context of scientific research. The UvA formalises the processing and security of personal data through agreements with these parties.
Finally, the UvA shares personal data with third parties to support the performance of its duties. You can think of a software supplier, an administration office or other service providers who need personal data to deliver their services. Furthermore, think of third parties involved in appointments, nominations and awarding prizes. The UvA formalises the processing and security of personal data through agreements with these parties.
The UvA will endeavour to process your data solely within the European Union (‘EU’) by saving your data on a server located in the EU wherever possible. Sometimes this will not be possible, e.g. if we supply data to a university outside of the EU after obtaining your consent.
When we enlist the services of data processing firms, we stipulate that they must save personal data on servers located in the EU. To the extent that this is not possible, we take the requisite measures to provide a suitable level of protection to ensure that your personal data is secure.
You are entitled, under certain circumstances, to access any personal data processed by us or to have it corrected or deleted or restrict its processing. Sometimes you can also lodge an objection or request a transfer of your personal data. To submit a request to us in this respect, please contact us by sending an email to firstname.lastname@example.org. If we are in doubt about your identity, we are entitled to ask you to provide proof of your identity first.
If you wish to know whether we are processing your personal data or would like to amend your personal data, please get in touch with us.
Under certain circumstances, the GDPR allows you to have personal data erased. We will assess whether it is possible to implement such a request: in some cases we will have to retain your personal data, e.g. to comply with a statutory obligation, to facilitate education or (as a one-off action) to see to it that you will no longer receive messages from us.
You are entitled to contact us with a request to restrict the processing of your data if you think that your personal data is incorrect, the processing of it is unlawful, you require it for legal action or you have objected to it being processed.
If we process your personal data on the basis of a legitimate interest, then you can object to further use of your personal data on the grounds of your specific reasons.
If you no longer wish to receive email messages or any other electronic messages from us, then you can deregister for these by clicking on the unsubscribe button in an email message received from us. You can also deregister by contacting us.
We have taken appropriate technical and organisational measures to prevent loss or unlawful processing of personal data. For example, your personal data can only be viewed by staff authorised to view it on the grounds of their role.
We will not keep your personal data for longer than is necessary for the purposes for which we use it. We are required by law to keep some data for a certain period of time.
For example, it could be that after you have completed a course of study we have to keep certain personal data for administrative purposes or due to a legal obligation. Wherever possible, we will pseudonymise or anonymise your personal data to the fullest extent possible.
If you have any questions on the way in which we process your personal data, please let us know by sending an email to email@example.com. We will be happy to help.
If you believe that your personal data is being processed in breach of the GDPR, you can submit a complaint to the DPO by sending an email to firstname.lastname@example.org. The DPO is the link between the UvA and the external regulatory body (the Dutch Data Protection Authority). The DPO acts independently and can consult with or seek advice from the Dutch Data Protection Authority regarding your complaint.
If you disagree with the outcome of the DPO’s handling of your complaint, you can submit a complaint to the Dutch Data Protection Authority directly. The Dutch Data Protection Authority will handle the complaint or request and make a decision on it.