General questions
Under the GDPR, organisations like the AUAS which process personal data must be able to account for how they deal with the GDPR's basic principles in their processes relating to education, research and operational management. Read more about the basic principles.
The AUAS also observes the GDPR by following the approaches of Privacy by Design and Privacy by Default. Privacy by Design means that attention should be devoted to protecting data subjects' privacy early on in an activity's development phase. In concrete terms, this means that if the AUAS wants to purchase a software program for a particular activity, for instance, the AUAS will not only examine the program's functionalities, but will also assess its impact on privacy. Privacy by Default means that the settings of a program, app, website or service are configured to provide maximum privacy. In addition to the configurable options, other aspects such as the general terms and conditions must be privacy-friendly as well.
Under the GDPR, the AUAS is required to appoint a data protection officer. Read more about the data protection officer.
The AUAS's privacy policy contains more detailed information on how the AUAS handles your personal data, the measures taken by the AUAS to protect your privacy and the rules which apply to the AUAS.
Read the AUAS's draft policy on privacy and camera surveillance (only in Dutch).
The GDPR provides additional rights to data subjects whose personal data are processed. This means that all AUAS students and employees have various rights which they can exercise, such as the right to inspection of one's data, or the right to be forgotten. Read more about your rights and how you can exercise them. There you can also find an overview of the main systems processing your data and the entities with which your data is shared.
The AUAS is required to respond to your requests unless they are unfounded or excessive (e.g. if you request the same thing several times in a row). You should receive a response from the AUAS within one month, even if the AUAS has decided not to comply with your request. The AUAS must substantiate any refusals. If you disagree with the refusal of your request, you have the right to lodge a complaint with Legal Affairs.
The GDPR stipulates that the AUAS is not required to observe the rights of data subjects in specific situations. These situations arise when the restriction of the rights of data subjects is necessary in order to safeguard, for example, national security, criminal investigations, the protection of the data subject and the protection of judicial proceedings. In addition to these exceptions, the AUAS can restrict the right to erasure if:
- The processing is necessary in order to exercise freedom of expression and information;
- The AUAS is legally required to process the data;
- The data will be archived for reasons of general public interest, as part of scientific or historical research, or for statistical purposes;
- The data is necessary for a legal claim.
The right to be informed also does not apply if:
- The data subject already possesses the information;
- The disclosure of information to the data subject proves to be impossible or would involve disproportionate effort;
- The processing of the data is required by law and the interests of the data subject are safeguarded by such law;
- The data must be kept confidential due to professional confidentiality.
If a student would like to exercise his or her rights, you can refer the student to the A-Z list of his or her degree programme for more information, where a section on privacy has also been included. A detailed explanation of how and when a request can be submitted is provided under "What are my rights?". You can also refer the student to the privacy statement, which describes how the AUAS deals with privacy and personal data.
Also read the Provisional protocol for questions about rights (only in Dutch).
Legal Affairs is responsible for processing, evaluating and recording these requests. You may receive a request from Legal Affairs to supply personal data of a student in response to a student's request.
In the case of a complaint rather than a request, for instance because the student believes that his or her personal data is not being properly handled, the student can lodge a complaint with the data protection officer.