The Hague University of Applied Sciences Privacy Regulations

Laid down by the Executive Board on 10 January 2006. Revised in July 2013, February 2016 (addendum), December 2016 (retention periods, DPO reports, names of the organisation), March 2018 (rewritten in accordance with the General Data Protection Regulation (GDPR) and as a consequence of the Policy on Processing Personal Data of The Hague University of Applied Sciences, part of the obligation to provide information (chapter 8.1)).

Article 1 Definitions

The following terms used in these Regulations are defined as follows:

Regulations: these Regulations relating to the processing of Personal Data of The Hague University of Applied Sciences.

GDPR: the General Data Protection Regulation that came into force on 25 May 2016 and is effective as of 25 May 2018.

Data Subject: the identified or identifiable natural person to whom the Personal Data relate.

Controller: the Executive Board of The Hague University of Applied Sciences who lays down the purpose and means for Processing Personal Data.

Personal Data: any data concerning an identified or identifiable natural person.

Processor: a (third) party engaged by The Hague University of Applied Sciences, who on behalf of The Hague University of Applied Sciences and on the basis of their written instructions processes Personal Data.

Processing: any operation or set of operations performed on Personal Data, including the collection, recording, organization, storage, consultation, updating, restriction, erasure or destruction of data.

Filing system: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

Third party: any person other than the Data Subject, the Controller or the Processor, or any person who comes under the direct authority of the Controller or Processor and is authorised to process personal data.

System owner: the System Owner is responsible for the application and the related ICT facilities providing proper support to the process for which it is responsible and complying with the Policy.

PDO: the Personal Data Officer is the internal supervisor of the Processing of Personal Data.

Data leak: a breach of the security of Personal Data resulting in any unauthorised Processing thereof. This includes both intentional and unintentional data leaks.

Privacy Impact Assessment (PIA): an assessment that assists in identifying privacy risks and provides the tools to reduce such risks to an acceptable level.

Article 2 Scope

  1. These Regulations relate to the processing of Personal Data of all Data Subjects within The Hague University of Applied Sciences, in any case including all employees, students, visitors and external relations (hiring/outsourcing), as well as to other Data Subjects of whom The Hague University of Applied Sciences processes Personal Data (such as for instance potential students, job applicants, student interns etc.).
  2. In these Regulations the focus is on the automated/systematic Processing in whole or in part of Personal Data under the responsibility of The Hague University of Applied Sciences as well as on the underlying documents that are incorporated in a Filing System.
  3. The Regulations also apply to the non-automated Processing of Personal Data that have been incorporated in a Filing System or that are intended to be incorporated therein.

The separate Processing of Personal Data of The Hague University of Applied Sciences has been incorporated in the appendices. These appendices are part of these Regulations.

Appendix 1: Processing Personal Data of Students of The Hague University of Applied Sciences;

Appendix 2: Processing Personal Data of Employees of The Hague University of Applied Sciences.

Article 3 Purpose of these Regulations

The purpose of these regulations is:

  1. To inform Data Subjects about the manner in which The Hague University of Applied Sciences handles Personal Data.
  2. To set rules regarding the protection of Data Subjects in connection with the Processing of Personal Data and regarding the free movement of Personal Data.
  3. To raise awareness of the importance and necessity of protecting Personal Data, as well as to avoid risks resulting from non-compliance with the relevant laws and regulations.
  4. To ensure the rights of the Data Subjects.

Article 4 Duty to report

Any Processing of Personal Data must be reported (in advance) to the DPO through the Data Processing Contact Point.

Article 5 Purposes of Processing Personal Data

  1. Personal Data will only be collected for specific and legitimate purposes and will not be processed for purposes that are incompatible therewith.
  2. The purposes relating to the Processing of Personal Data of students and employees are stated in the relevant appendices on Processing Personal Data.

Article 6 Lawful ground for Processing

Processing is lawful only if and to the extent that at least one of the conditions stated below has been met:

  1. the Data Subject has given consent to Processing his/her Personal Data for one or more specific purposes.
  2. Processing is necessary for the performance of a contract to which the Data Subject is party (such as for instance program enrolment or an employment contract), or in order to take steps at the request of the Data Subject prior to entering into a contract.
  3. Processing is necessary for compliance with a legal obligation to which the Controller is subject.
  4. Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person.
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
  6. Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a Third Party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the Data Subject is a child.

Article 7 Categories of Data Subjects and Personal Data

The categories of Data Subjects and Personal Data have been included in the appendices.

Special categories of Personal Data (such as data relating to race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic or biometric data, health or data concerning someone's sex life or sexual orientation) will only be processed with the Data Subject's explicit consent.

Article 8 Manner of obtaining and Processing Personal Data

  1. Personal Data are collected as much as possible from the Data Subject himself/herself and from employees of The Hague University of Applied Sciences who have the responsibility to do so pursuant to their position.
  2. Personal Data will only be collected from Third Parties if the Data Subject has given his/her unequivocal Consent or pursuant to a legal obligation.
  3. Personal Data will be processed in accordance with the GDPR and in a fair and careful manner.
  4. Taking the purposes stated in the appendices into account, Personal Data will only be processed in so far as they are adequate, relevant and limited to what is necessary for the purposes for which they are processed.
  5. The System Owner will take the necessary measures to promote the accuracy and completeness of the Personal Data.

Article 9 Processors

Processing Personal Data of students and employees at The Hague University of Applied Sciences may be outsourced to Third Parties if the conditions in the GDPR have been complied with and these conditions have been laid down in a processor agreement.

Article 10 Deleting Personal Data (retention period)

  1. Personal Data that are no longer required for their purpose will be deleted as soon as possible. Deletion implies destruction or processing such that it will no longer be possible to identify the natural person.
  2. The retention periods of the various Personal Data are indicated in the appendices.

Article 11 Access to and disclosure of Personal Data

The appendices state which persons have access to the Personal Data, which Personal Data can be disclosed and to which persons (inside and outside of the organization) Personal Data can be disclosed.

Article 12 Confidentiality

Persons who take note of Personal Data, and to whom by virtue of their office, profession or statutory provision a duty of confidentiality does not already apply, are obliged to keep these Personal Data confidential and use them for no other purpose than required in the performance of their duty and not to share them with unauthorized persons.

Article 13 Security

  1. The Executive Board ensures the necessary arrangements of a technical and organizational nature in order to prevent unauthorized Processing of Personal Data.
  2. Each System Owner takes the necessary measures to prevent unauthorized processing of the Personal Data they manage. The System Owner also ensures security against break-ins and theft.
  3. The DPO will be informed about the way in which data are secured.

Article 14 Right to access

  1. Every Data Subject has the right to access the Personal Data that have been processed relating to him/her.
    A motivated and specified request for access can be submitted in writing to the System Owner.
  2. As soon as possible, but in any case no later than one month after receipt of the request, the Data Subject will be notified whether the request is valid and practicable (not excessive). The System Owner ensures that the Data Subject's identity will be properly verified.
  3. If Personal Data of the Data Subject are processed, the response by the System Owner contains a complete overview of the Personal Data in an intelligible form.
  4. Each (first) application can be submitted free of charge. The Hague University of Applied Sciences may charge the Data Subject a fee for administrative costs for each additional or disproportionate application.

Article 15 Right to correct, supplement, object to, delete, restrict or transfer Personal Data

  1. Each Data Subject has the right to request that the Personal Data The Hague University of Applied Sciences has recorded about him/her be amended/altered, corrected, supplemented, stopped, deleted, restricted or transferred. A motivated and specified request to that end must be submitted in writing to the System Owner. The System Owner ensures that the Data Subject's identity will be properly verified.
  2. As soon as possible, but in any case no later than one month after receipt of the request, the Data Subject will be notified whether the request is valid and practicable (not excessive). This assessment is the responsibility of the System Owner, with advice from the DPO.
  3. If the Personal Data recorded of the Data Subject are factually inaccurate, incomplete for the aim or purposes of the Processing or not relevant or have otherwise been processed contrary to a statutory provision, the System Owner will as soon as possible, but in any case no later than one month after receipt of the request, ensure that the data are corrected.
  4. Depending on the complexity of the request and/or the number of requests, said period may if necessary be extended by another two months. The Data Subject will be notified of such an extension within one month of receipt of the request.
  5. Third parties to whom the data were disclosed prior to the correction will be notified thereof. The Data Subject may request to be provided with a statement of to whom The Hague University of Applied Sciences has sent such a notification.
  6. Each (first) application can be submitted free of charge. The Hague University of Applied Sciences may charge the Data Subject a fee for administrative costs for each additional or disproportionate application.

Article 16 Legal protection

  1. If the Data Subject is of the opinion that the statutory provisions on privacy protection or the stipulations of these regulations are not correctly enforced, he/she can file a written complaint with The Hague University of Applied Sciences through a general complaints procedure of The Hague University of Applied Sciences.
  2. If The Hague University of Applied Sciences decides to reject a request for access, correction, supplementing, deletion, restriction or transfer of the Personal Data, the Data Subject can bring petition proceedings before the subdistrict court.

Article 17 Authorization

In the event that a Data Subject is unable to exercise the right of access, correction, supplementing, deletion, restriction or transfer of Personal Data himself/herself, he/she may authorize another person in writing to do so. In case of minors who have not yet reached the age of 16 years, a request to exercise such rights must be made by their legal representative.

Article 18 Data Protection Officer (DPO)

  1. The DPO of The Hague University of Applied Sciences supervises compliance with these Regulations.
  2. The DPO reports his/her findings to the Executive Board.

Article 19 Final Provisions

In the event of situations for which these Regulations do not provide, the Executive Board will decide on the basis of advice from the DPO.

The Executive Board will ensure that these Regulations are evaluated regularly.

Such evaluation will take place at least once every 3 years. Amendments to these Regulations will be announced through THUAS messages and the most recent version is published on the intranet page of The Hague University of Applied Sciences.

For questions or comments regarding these Regulations, please consult the DPO.

These Regulations have been laid down by the Executive Board of The Hague University of Applied Sciences on 10 January 2006 after having obtained the consent of the General Council.

Appendix 1 Processing Personal Data of Students of The Hague University of Applied Sciences

In this appendix the Privacy regulations are set out in more detail as regards the Processing of Personal Data of (enrolled) Students at The Hague University of Applied Sciences.

Controller

The Executive Board of The Hague University of Applied Sciences is Controller for Processing Personal Data of students.

System Owner

System Ownership for the centrally managed concern applications within The Hague University of Applied Sciences is held by the Director Facilities & IT. System Ownership of the applications that are not managed centrally is held by the Faculty Director/Director of Services in question.

Filing systems

Personal data of students will among others be processed in the following filing systems:

  1. student administrations, including enrolment administrations, administrations for timetables, examinations, and internships;
  2. student monitoring system;
  3. student information systems;
  4. course participant administrations;
  5. computer and network filing systems;
  6. library lending systems / audio-visual equipment;
  7. video camera files;
  8. communication files;
  9. filing systems for other internal management and records management.

Data Subjects

Personal Data of the following categories of Data Subjects are processed:

  1. students (including master's students);
  2. external candidates and external minor students;
  3. course participants/contract students;
  4. alumni;
  5. visitors;
  6. prospects (persons who requested enrolment and/or information or who registered their interest in either information days or activities);
  7. former students, former participants, former course participants, former external candidates and former external minor students.

Purpose of Processing

The purpose of processing Personal Data includes:

  1. the organization of education or teaching, supervising participants or students, or giving study advice;
  2. providing learning resources or making them available or providing a facility;
  3. announcing information about the organization and learning resources as meant under 1 and 2, as well as information about participants or students on the THUAS website;
  4. calculating, determining and collecting fees for tuition, exams and courses and contributions or fees for learning resources and extracurricular activities, including handing claims over to third parties;
  5. handling disputes and complaints and having an accounting audit carried out;
  6. internal management or records management;
  7. carrying out scientific, statistical or historical research;
  8. providing access to buildings or information systems, or parts thereof;
  9. internal checks, company security and the recording of incidents;
  10. maintaining contact with the Data Subject;
  11. sending information to the Data Subject and keeping an overview of the information sent;
  12. enforcing or applying another law.

Personal Data

  1. The Personal Data that are processed include the following:
    a. name, first names, initials, academic titles, gender, date of birth, address, post code, city/town, telephone number and similar details required for communication as well as the Data Subject's bank account number;
    b. data as meant under a of the Data Subject's parents, guardians or caregivers;
    c. nationality and place of birth of the Data Subject;
    d. an administration number not containing any other information than as meant under a;
    e. student number, correspondence number (DUO) and Citizen Service Number;
    f. data in view of the Data Subject's health or wellbeing;
    g. data relating to the nature and the progress of the education, as well as the achieved study results;
    h. data in view of the organization of education or providing learning resources or making them available;
    i. data relating to information sent or to be sent;
    j. data that are necessary in view of maintaining contact with the Data Subject;
    k. data in view of calculating, recording and collecting enrolment fees, school and tuition fees and contributions or fees for learning resources and extracurricular activities;
    l. data relating to the actual use of the authorizations granted, as well as data relating to the use of passwords;
    m. photos and video footage with or without sound of activities of the organization;
    n. data relating to the nature and duration of the membership of former members, or the nature of the study and the period during which the former pupil, former participant or the former student attended classes.
  2. Other Personal Data than stated under a – n of which the Processing is required pursuant to or necessary in view of the relevant laws and regulations.
  3. The above-mentioned Personal Data are not exhaustive and are subject to change as a result of changes in the relevant laws and regulations.

The manner in which the Personal Data are obtained

  1. The Personal Data are among others provided by the Data Subject himself/herself upon registering or enrolment or generated via the Dutch Education Executive Agency (DUO) or by The Hague University of Applied Sciences and subsequently collected and updated by The Hague University of Applied Sciences.
  2. In addition, the Data Subject is responsible for checking the data and for providing, in a timely manner, the correct data for registering the correct name and address details, of both the home address and the correspondence address, in the student administration.

Access to the Personal Data

Among others the following persons have access to the Personal Data:

  1. the Controller;
  2. the faculty and educational employees;
  3. the System Owner;
  4. the Processor;
  5. the application and technical managers;
  6. the DPO.

Disclosure of Personal Data

Apart from those who have access to Personal Data, Personal Data are among others disclosed to:

  1. the Data Subject, his/her own data only;
  2. for internal management to officers and committees in so far as necessary in view of their duties and powers;
  3. to Third Parties if required by law (such as for instance the Dutch Ministry of Education, Culture and Science, DUO, the Tax Authorities and the Higher Education Inspectorate) or with the Data Subject's explicit consent.

Transfer to countries outside of the European Economic Area (EEA)

Personal Data may be transferred to countries outside of the EEA within the context of among others the performance of internship contracts.

Security of Personal Data

Taking the current state of the art, the costs of execution, as well as the nature, scope, context and processing purposes into account and the, in terms of likelihood and seriousness, diverse risks to the personal rights and liberties, the Controller and the Processor have put appropriate technical and organizational measures in place to ensure a security level geared to the risk, which measures, where appropriate, among others comprise: the ability to guarantee the confidentiality, integrity, availability and resilience of the processing systems and services on a permanent basis.

Deleting Personal Data (retention periods)

  1. Personal Data are processed no longer than is necessary for the Processing purposes. In that respect, the applicable statutory periods of retention and destruction will be observed.
  2. Once enrolment has been terminated, all personal data of the Data Subject are digitally retained or physically archived for a period of at least 5 years, unless a shorter or longer retention period is considered more efficient or is required on the basis of relevant laws and regulations.
  3. Video camera files will be deleted no later than four weeks after recording the footage. Footage showing serious incidents may be stored for as long as necessary in the context of an investigation.

Appendix 2 Processing Personal Data of Employees of The Hague University of Applied Sciences

In this appendix the Privacy Regulations are set out in more detail as regards the Processing of Personal Data of Employees of The Hague University of Applied Sciences.

Controller

The Executive Board of The Hague University of Applied Sciences is Controller for Processing Personal Data of Employees.

System Owner

System Ownership for the centrally managed concern applications within The Hague University of Applied Sciences is held by the Director Facilities & IT. System Ownership of the applications that are not managed centrally is held by the Faculty Director/Director of Services in question.

Filing systems

Personal Data of employees are among others processed in the following filing systems:

  1. personnel administration;
  2. payroll administration;
  3. employee information systems;
  4. computer and network filing systems;
  5. library lending systems / audio-visual equipment;
  6. video camera files;
  7. filing systems for records purposes or for document management;
  8. communication files;
  9. filing systems for other internal management and records management.

Data Subjects

Personal Data of the following categories of Data Subjects are processed:

  1. employees who have an employment contract for a definite period of time, for a definite period with the prospect of an employment contract for an indefinite period of time, who have an employment contract for an indefinite period of time or who have a flexible employment contract;
  2. temporary staff;
  3. seconded staff;
  4. persons that perform work in the context of an assignment;
  5. student interns;
  6. job applicants;
  7. former employees.

Purpose of Processing

The purpose of processing Personal Data includes:

  1. the assessment of the suitability of the Data Subject for job placement or for a position that is vacant or may become vacant;
  2. supervising the Data Subject's work;
  3. the personnel administration and payroll administration;
  4. handling human resources;
  5. calculating, determining and paying salaries, allowances and other sums of money and rewards in kind to or for the benefit of the Data Subject;
  6. calculating, determining and paying taxes and contributions on behalf of the Data Subject;
  7. a term of employment that applies to the Data Subject;
  8. calculating, determining and paying claims to benefits in connection with the termination of employment;
  9. the education of the Data Subject;
  10. the company medical care for the Data Subject;
  11. company welfare;
  12. the election of the members of participation bodies;
  13. internal checks, company security and the recording of incidents;
  14. the execution of a term of employment that applies to the Data Subject;
  15. granting discharge;
  16. the administration of the staff association and the association of former employees;
  17. collecting claims, including handing those claims over to third parties;
  18. dealing with disputes and having an accounting audit carried out;
  19. the transition of the Data Subject to, or their temporary posting with, another section of the university of applied sciences;
  20. listing the dates of the birthdays of Data Subjects and other festivities and events;
  21. internal management or records management;
  22. carrying out scientific, statistical or historical research;
  23. providing access to buildings or information systems, or parts thereof;
  24. maintaining contact with the Data Subject;
  25. sending information to the Data Subject and keeping an overview of the information sent;
  26. enforcing or applying another law.

Personal Data

  1. The Personal Data that are processed include the following:
    a. name, first names, initials, academic titles, gender, date of birth, address, post code, city/town, telephone number and similar details required for communication, as well as the Data Subject's bank account number;
    b. nationality, place of birth and Citizen Service Number;
    c. an administration number not containing any other information than as meant under a;
    d. data relating to training, courses followed or to be followed and internships done or to be done;
    e. data relating to the position or the previous position as well as relating to the nature, job description, start and termination of the employment;
    f. data relating to the Data Subject's work experience or the position for which the Data Subject has a preference;
    g. data relating to the nature and content and the party issuing instructions for a previous or current job placement, as well as relating to its termination;
    h. other data that are of importance in the context of the Data Subject's job placement, in so far as such has been provided by him/her or that he/she knows of;
    i. data in view of the administration of the Data Subject's attendance at the location where work is performed and his/her absence in connection with leave, reduction in working hours, childbirth or illness, with the exception of details about the nature of the illness;
    j. data which in the interest of the Data Subject are recorded in view of their working conditions; data, including details relating to family members and former family members of the Data Subject, that are necessary in view of an agreed term of employment;
    k. data in view of organizing personnel assessment and career counselling, in so far as those data are known to the Data Subject;
    l. data in view of calculating, determining and paying salaries, allowances and other sums of money and rewards in kind to or for the benefit of the Data Subject;
    m. data in view of calculating, determining and paying taxes and contributions on behalf of the Data Subject;
    n. data in view of calculating, determining and paying claims to benefits in connection with the termination of employment;
    o. data in view of calculating, determining and paying pension entitlements or early retirement payments;
    p. data relating to information sent or to be sent;
    q. data that are necessary in view of maintaining contact with the Data Subject;
    r. data relating to the actual use of the authorizations granted, as well as data relating to the use of passwords;
    s. photos and video footage with or without sound of activities of the organization;
    t. data relating to the nature and duration of the membership of the former employee association, and the position in which and the period during which the former employee was employed.
  2. Other Personal Data than stated under a – t of which the Processing is required pursuant to or necessary in view of the relevant laws and regulations.
  3. The above-mentioned Personal Data are not exhaustive and are subject to change as a result of changes in the relevant laws and regulations.

The manner in which the Personal Data are obtained

  1. The Personal Data are among others provided by the Data Subject himself/herself on commencing employment or generated by The Hague University of Applied Sciences and subsequently collected and updated by The Hague University of Applied Sciences.
  2. In addition, the Data Subject is responsible for checking the data and for providing, in a timely manner, the correct data for registering the correct name and address details, of both the home address and the correspondence address, in the personnel administration.

Access to the Personal Data

Among others the following persons have access to the Personal Data:

  1. the Controller;
  2. the manager;
  3. the System Owner;
  4. the Processor;
  5. the application and technical managers;
  6. the DPO.

Disclosure of Personal Data

Apart from those who have access to Personal Data, Personal Data are among others disclosed to:

  1. the Data Subject, his/her own data only;
  2. for internal management to officers and committees in so far as necessary in view of their duties and powers;
  3. to Third Parties if required by law (such as for instance the Tax Authorities, the General Pension Fund for Public Employees (ABP), the Employee Insurance Agency (UWV), occupational health and safety service or the bank in question) or with the Data Subject's explicit consent.

Transfer to countries outside of the European Economic Area (EEA)

Personal Data of employees may be transferred to countries outside of the EEA within the context of among others the performance of employment contracts or internship contracts.

Security of Personal Data

Taking the current state of the art, the costs of execution, as well as the nature, scope, context and processing purposes into account and the, in terms of likelihood and seriousness, diverse risks to the personal rights and liberties, the Controller and the Processor have put appropriate technical and organizational measures in place to ensure a security level geared to the risk, which measures, where appropriate, among others comprise: the ability to guarantee the confidentiality, integrity, availability and resilience of the processing systems and services on a permanent basis.

Deleting Personal Data (retention periods)

  1. Personal Data are processed no longer than is necessary for the Processing purposes. In that respect, the applicable statutory periods of retention and destruction will be observed.
  2. All personal data of employees will be deleted from the filing systems no later than two years after termination of employment or work, or two years after termination of pension entitlements or early retirement payments or termination of employment, unless a shorter or longer term is considered efficient or necessary pursuant to relevant laws and regulations.
  3. Data of unsuccessful job applicants will be deleted as soon as possible on request of the Data Subject, in any event no later than four weeks after the application procedure ended. With the consent of the Data Subject, Personal Data may be retained for one year after the end of the application procedure.
  4. Video camera files will be deleted no later than four weeks after recording the footage. Footage showing serious incidents may be stored for as long as necessary in the context of an investigation.