General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a European law that regulates the protection of personal data.
General Data Protection Regulation (Implementation) Act
In a number of areas, the GDPR offers room for the inclusion of specific provisions or exceptions. In the Netherlands, these specific provisions are laid down in the General Data Protection Regulation (Implementation) Act (Uitvoeringswet Algemene Verordening Gegevensbescherming, UAVG).
Dutch Data Protection Authority
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) monitors compliance with the statutory rules for the protection of personal data and provides advice on new regulations.
Data Protection Officer
The Data Protection Officer (Functionaris voor Gegevensbescherming, FG) internally monitors and provides advice on the application of and compliance with the GDPR by the organisation. The Data Protection Officer is also the contact person for the data subject and is responsible for creating awareness about data protection. Erik van Leeuwen serves as TU Delft’s Data Protection Officer.
Personal data are described as all information about an identified or identifiable natural person (the data subject). A person is considered identifiable if he or she can be identified directly or indirectly based on one or more items of personal data, for example, student number, name and address, email address, date of birth and IP-address. In general, it can be assumed that personal data include all data relating to a living person that make it possible to identify this person or to distinguish him or her uniquely from other persons.
Sensitive personal data
Some types of personal data are considered as sensitive. These include, for example, financial data, location data, data relating to children or other vulnerable groups (Click here to see the full list). For the processing of these personal data, it is important to provide additional safeguards to ensure that they are processed in accordance with the GDPR.
Special categories of personal data and data pertaining to criminal matters
In addition to ordinary personal data, the GDPR also defines a stricter regime for special categories of personal data. As a rule, the processing of such data is prohibited. However, these data may be processed in certain cases if an exception for this is included in the GDPR or the GDPR (Implementation) Act. For example, when explicit permission has been given by the person in question.Special categories of personal data include information about a person’s religion, race, health, sexual life, political preference, trade union membership as well as genetic and biometric data. In the GDPR, the processing of personal data relating to criminal convictions and criminal offenses or related security measures is also subject to a separate regime.
Processing refers to any operations performed on personal data, such as storage, collection, recording, organisation, updating, modification, retrieval, consultation, use, disclosure, etc.
The person whose personal data are processed.
The processor is responsible for processing personal data on behalf of the controller, without being directly under the authority of the controller. This is the supplier to which a service is outsourced (for example, management services, cloud services, salary processing).
Data processing agreement
An agreement or other binding legal act laying down the arrangements made with the processor with regard to the processing of personal data.
The party (person or organisation) that determines the purposes for which and the means by which personal data is processed. So, the party that decides why and how the personal data should be processed. The TU Delft is data controller for most data processing activities within the organisation. For example, the processing of student data for teaching purposes. There can be one or multiple data controllers (joint controllership). For instance, joint controllership can occur in research groups in which the TU Delft co-operates with other partners.
The GDPR stipulates that personal data may only be processed if a legal basis for this can be found in Article 6 of the GDPR.
The legal bases are:
- Consent of the data subject: Personal data may be processed if the data subject has given consent for this. This consent is only considered valid if it satisfies certain conditions. The consent must be freely given, specific and informed and unambiguous. For more information, please refer to the GDPR or the GDPR Guide. You may use this as a basis only if the other legal bases do not apply. Important note: you must explicitly request consent.
- Necessary for the performance of a contract: Personal data may be processed if this is necessary for the performance of a contract to which the data subject is party, for example, for the performance of the employment contract. Personal data may also be processed if, at the request of the data subject, it is necessary to take certain measures prior to the conclusion of a contract, i.e. in the pre-contractual phase. This may apply, for example, to an employment contract, a PhD agreement, an agreement to take a course of study or an agreement to take out a sports club membership, etc.
- Necessary for compliance with a legal obligation: Data may also be processed for the purpose of complying with a legal obligation. In order to apply this as the basis for the processing of personal data, such processing must be absolutely essential for complying with the legal obligation. A legal obligation is, for example, that employers are obliged to keep a copy of their employees’ passports in accordance with the Wages and Salaries Tax Act (Wet op de loonbelasting). Administrative activities at TU Delft are conducted based on legal obligations such as the tax legislation and the Works Council Act (Wet op ondernemingsraden) (this relates to statutory duties not specifically assigned to TU Delft as an organisation, but which may apply to all organisations).
- Necessary for protecting vital interests: Personal data may be processed if this is necessary for protecting the vital interests of the data subject or of another natural person; this basis may only be used if none of the other legal bases apply. An example of this may be a situation where care providers have to process personal data in order to provide urgently needed medical assistance to the data subject. This is not applicable at TU Delft; only if it concerns matters of life and death, involving ambulance services, fire brigade, etc.
- Necessary for a task of public interest or for the exercise of official authority: Personal data may be processed if this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The task must be assigned by law, which must also state the purpose of the processing. This includes tasks assigned under the Dutch Higher Education and Scientific Research Act (Wet op het hoger onderwijs en wetenschappelijk onderzoek). The task must be specifically assigned to TU Delft by law; the Dutch Higher Education and Research Act designates TU Delft as an approved educational institution.
- Necessary for representing legitimate interests: Personal data may be processed if this is necessary for representing the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject or subjects. Please note: TU Delft is not entitled to rely on this basis for the performance of its duties. This legal basis may only be used for processing activities performed by organisations (governed by either public and private law), for example, in the context of business operations. This specifically relates to processing activities necessary for business operations, such as identification for access to buildings or systems.