Accountability obligation

The AUAS has established a privacy policy which indicates how the AUAS approaches personal data protection. This policy also includes the procedure for dealing with data breaches.

Read the policy on privacy and processing personal data (only in Dutch).

The AUAS maintains a register of processing activities. All processing activities for which the AUAS acts as controller are recorded in this register. In the register, the AUAS documents the various activities and systems as well as which personal data is processed, for what purpose, where this data comes from and with which external parties the information is shared, if any. Examples include entering and keeping track of academic results.

If the AUAS contracts an external party for data-processing activities, then the AUAS must conclude a processing agreement with this processor. In this agreement, the AUAS must at minimum specify the following:

• the subject matter and duration of the processing;
• the nature and purpose of the processing;
• the type of personal data and the categories of data subjects;
• the rights and obligations of the controller.

A Data Protection Impact Assessment (DPIA) is a tool for identifying the privacy risks of a data-processing activity beforehand in order to subsequently implement measures to minimise these risks. A DPIA should be performed if an intended data-processing activity is likely to involve a high privacy risk. Examples include processing personal data in pupil monitoring systems and using camera surveillance.

If students, staff, alumni, prospective students and research participants would like to exercise their rights, they can submit a request to Legal Affairs.

Read more about your rights under What are my rights?

The data protection officer internally monitors and provides advice on the AUAS's application of and compliance with the GDPR.

Read more about the data protection officer.