Questions about disclosure of personal data

The sharing of personal data is regarded as a processing activity under the GDPR. In certain situations, the AUAS is permitted to share personal data with third parties:

  • with the consent of data subjects;
  • for the fulfilment of a contract;
  • due to a legal obligation;
  • to protect vital interests;
  • to perform a task governed by public law;
  • and where legitimate interests are involved.

A document has been added under What are my rights? > Right of access with an overview of the main systems processing your data and the entities with which this data is shared.

No. Academic results are personal data. These may only be disclosed to parents or guardians if the student gives his or her consent. The AUAS does, however, provide information on students' academic progress to DUO. This disclosure is based on a legal obligation.

As in the past, the protection of personal data of those under the age of 16 (such as prospective students) remains a point of special attention under the GDPR. In the case of processing personal data based on consent (e.g. upon registration for open days), such consent must be given by a parent/guardian. The AUAS must verify and be able to demonstrate that consent has indeed been provided by a parent/guardian (e.g. by requiring the signature of the parent/guardian).

The disclosure of academic results is a form of ‘processing’ of personal data. It is only possible to disclose this information to an employer if the student concerned has given his or her explicit consent. It is up to the student and/or the employer to arrange this. The AUAS will only disclose information to the employer once it has been confirmed that the student has given his or her explicit consent.

The disclosure of students' academic results/personal data is a form of ‘processing’ of personal data. Such ‘processing’ is permitted under certain conditions. This is the case when, for instance, the AUAS and another educational institution jointly offer (part of) a study programme and both institutions need to know which students are participating in this programme.

For students wishing to obtain a residence permit to pursue a study programme in the Netherlands, the Dutch government requires information on the academic progress of the students concerned. This is provided for in the Code of Conduct for International Students in Dutch Higher Education and the Modern Migration Policy Act. Students can only obtain a residence permit if they are enrolled in a study programme at a higher education institution that has signed the Code of Conduct. This is the case at the AUAS.

Yes, under the Dutch Higher Education and Research Act (Wet op het hoger onderwijs en wetenschappelijk onderzoek), the AUAS is required to disclose student data to DUO.

The disclosure of personal data is a form of ‘processing’ of personal data. In the case of a criminal investigation being conducted by the Public Prosecution Service, the AUAS is required by law to disclose certain information. The requested information will only be disclosed once an authorised officer has submitted a request in writing.

The AUAS is allowed to disclose personal data to other faculties. Reasons for this might be that a student who is enrolled at the AUAS will be conducting research or taking courses at another faculty.

The international organisations with which the AUAS cooperates include partner schools where students can go to participate in an exchange programme.

If the AUAS cooperates with an organisation located in an EU Member State, then the General Data Protection Regulation (GDPR) applies. The GDPR also applies if the EU-based organisation is a subsidiary of an organisation located outside the EU. The general rule is that, in all cases, the processing of personal data should be carried out in an EU Member State where the GDPR is in effect.

If personal data will be processed outside the EU, this is only permitted if a sufficient level of protection is in place. The European Commission determines whether or not such processing is permitted by means of an adequacy decision. Important criteria for the issuing of an adequacy decision include:

  1. whether the country concerned respects the rule of law;
  2. the existence and effective functioning of one or more independent supervisory authorities;
  3. the international commitments the country concerned has made in relation to privacy protection, as well as its participation in multilateral or regional systems.

If the EU has not (yet) issued an adequacy decision, then the AUAS will seek to safeguard the protection of students' personal data as effectively as possible in accordance with the GDPR by including such safeguards in, for example, cooperation agreements and data processing agreements.

Published by Communication 24 October 2022