Questions about processing personal data

1. Who is the owner of the personal data?

When the AUAS collects data about students, staff or other data subjects, this does not mean that the AUAS is also the ‘owner’ of this personal data in a legal sense. The basic principle in the GDPR is that whomever collects the personal data is responsible for using it safely and appropriately.

2. How long can personal data be retained?

The retention period for personal data partly depends on the purpose for which it has been collected. The general rule is that ‘personal data may not be retained for longer than is necessary to achieve the purpose for which it was collected.’ Under certain conditions, personal data may be retained for longer (e.g. for archiving purposes, scientific or historical research or statistical purposes). This is only permitted insofar as the rights and freedoms of the data subjects are safeguarded.

The AUAS uses the selection list of the Netherlands Association of Universities of Applied Sciences as a basis for determining retention periods.

More information on the retention periods is available under Archive > What does the Department of Records and Information Services (DIV) do? (only in Dutch)

3. What is considered lawful processing of personal data?

Processing of personal data is lawful if at least one of the following conditions applies:

The data subject has given explicit consent for the processing.

The processing is necessary for the performance of a contract to which the data subject is party.
The processing is necessary to fulfil a legal obligation. The AUAS is authorised to process certain personal data in accordance with e.g. tax-related and educational legislation.
The processing is necessary based on legitimate interests of the AUAS. Legitimate interests may be involved if the processing is necessary in order to carry out regular business operations.
The processing is necessary in order to protect the vital interests of the data subject or of another natural person. Vital interests are involved if, for example, the data subject is rendered unconscious due to an accident and medical attention is necessary. In that case, the protection of privacy is outweighed by an overriding interest.
The processing is necessary in order to properly perform a task carried out in the public interest.

4. Does the AUAS need my consent to process my personal data?

Consent from the data subject is one of the so-called basic principles for processing personal data. Depending on the purpose of the processing activity, another basic principle may also apply. Consent is not required if the processing activity is based on a legal obligation or contractual agreement, for example, as is the case when a student enrols at the AUAS or when an employee enters into employment. In both cases, personal data are processed without explicit consent: DUO is informed of student data and the tax authorities receive information on employees' salary payments.

Under certain conditions, requesting consent to process personal data is also not necessary if the interests of the AUAS override those of the data subject, or if refraining from requesting consent is necessary in order to protect the vital interests of the data subject (legitimate interests).

5. Who is allowed to process which personal data at the AUAS?

Who within the AUAS is allowed to process which personal data in what way depends on the nature of the employee's role and the tasks for which he or she is responsible. For instance, some employees are authorised to access personal data by virtue of their position, while other employees are allowed to not only access personal data, but also to modify it.

An employee cannot process personal data at his or her discretion: each form of processing is dictated by the legal framework and – if necessary – its further elaboration in AUAS rules and guidelines.

6. Is the AUAS permitted to make copies of identity documents?

In order to carry out its regular operations, the AUAS is permitted to make copies of identity documents. This is allowed under tax regulations and under the Dutch Higher Education and Research Act (Wet op het hoger onderwijs en wetenschappelijk onderzoek). The AUAS can also ask you to provide proof of identity, for instance if you submit a request to access your personal data. The AUAS must verify that the identity of the person requesting access matches that of the person connected to the personal data in question. Presenting a copy of an identity document is not always sufficient. When it comes to student enrolment, for instance, the AUAS may ask students to show the original identity document.

7. Is my student or staff ID number and AUAS email address considered personal data that the AUAS can disclose to third parties?

AUAS email addresses and student ID numbers are personal data, since they provide access to other personal data such as a person's date of birth, address, academic results and so on. In some cases student ID numbers are shared with other controllers, for example with DUO or another educational institution when students participate in exchanges and minors. Student ID numbers can also be shared with another controller if the students concerned have given their explicit consent or if the AUAS has outsourced the processing to a processor. In the latter case, the working arrangement will be based on a processing agreement in order to safeguard the processing.

Email addresses are provided to allow the AUAS as an educational institution/employer to communicate with data subjects and to give data subjects the opportunity to communicate with one another in a professional context. The AUAS does not provide email addresses to third parties (e.g. for commercial purposes), because these are intended to facilitate communication between the AUAS, students and employees, and not to allow third parties to communicate with AUAS students and staff.

8. Do I need to ask internal and external data subjects for their explicit consent to receive newsletters and mailings, even if they have subscribed for these in the past?

For internal data subjects (e.g. staff and students), you do not need to ask for their explicit consent to send them newsletters or mailings.

This is different for external data subjects. If you can demonstrate that someone has given consent in the past (with evidence that can be traced back to the person concerned), you do not need to request consent again. If you cannot prove that a person has actively subscribed, then you must make a new request for consent and archive this consent as well.

If prior consent cannot be proved:

Before sending the next newsletter or mailing, you must ask external data subjects to give their consent for you to continue contacting them for the purpose of that newsletter or mailing, for example via a reply to the email.
Be sure to then register this consent.
For those who do not give their consent, please delete all details relating to these data subjects from your records.
By default, an opt-out option must be provided in each newsletter or mailing (e.g. an ‘unsubscribe’ button at the bottom of the newsletter or mailing). This in any case was already a mandatory requirement.

Please note: the opt-out option is also required for newsletters and mailings sent to recipients who have previously given their consent, so check that your current newsletters and mailings contain this option by default.

Published by Communication 24 October 2022

List