GDPR & personal data
Working in accordance with the GDPR
The GDPR (General Data Protection Regulation) is a European regulation that took effect on 25 May 2018. In order to comply with the GDPR, the UG must satisfy certain requirements when processing personal data. Just like any other organization, the UG must be able to account for the processing of personal data.
Which requirements must be satisfied?
The GDPR applies whenever you handle personal data of other people. Every processing operation concerning personal data must comply with the following principles from the GDPR:
-
Lawfulness - personal data may only be processed if there is a lawful basis for this.
-
Transparency - the data subject must be aware that their personal data is being processed.
-
Fairness - the organization must respect the interests, rights, and freedoms of data subjects when processing personal data.
-
Purpose limitation - people’s personal data may only be used for specific and legitimate purposes and may not automatically be processed for other purposes.
-
Data minimization - no more personal data may be processed than is required to achieve the legitimate purposes of the entity processing it.
-
Data quality - personal data that is processed must be correct and up to date.
-
Storage limitation - personal data may be stored no longer than is necessary to achieve the legitimate purposes of the entity processing it. It is therefore important to think about retention periods.
-
Security - technical and organizational measures must be taken to protect personal data and prevent its loss or unlawful processing.
-
Confidentiality - personal data must in principle be confidential.
-
Responsibility - the UG must be able to demonstrate to the data subject and the supervisory authority that the above principles have been applied.
Controller versus processor
Who is the controller?
The controller is the organization, person or group that determines the purpose and means of data processing. For example, the controller determines:
-
That data needs to be processed
-
The purpose of processing data
-
For how long the data should be stored
-
With whom the data may be shared
One example is the processing of personal data for registering international students. The UG supports international students in applying for residence permits. In such cases, the UG chooses to gather the necessary data and share these with the Immigration and Naturalisation Service (IND: Immigratie- en Naturalisatiedienst).
Who is the processor?
The processor is a person, company or group that processes personal data on behalf of a controller. Examples include the provider of a cloud application for student administration or the company that carries out the UG’s salary administration.
If a controller engages a third party (the processor) to process personal data, agreements have to be made about that processing. This is done in a data processing agreement.
More information on the website of the Dutch Data Protection Authority (Dutch DPA) (In Dutch)
Last modified: | 08 September 2023 08.51 a.m. |