FAQ GDPR - general questions and answers

  • What should I do if I discover a security incident or data breach?

    You should immediately report this to cert@utwente.nl. For more information on how the UT handles data breaches, please see our procedure for handling data breaches.

  • What should I do if I lose my device containing personal details of the University of Twente (through loss or theft)?

    You should immediately report this to cert@utwente.nl. Specify whether the hard disk was encrypted and whether the device was properly password protected.

    For more information on how the UT handles data breaches, please see our procedure for handling data breaches.

  • What is the difference between anonymization and pseudonymization?

    When personal data is pseudonymized, you secure the data in a way that the data is no longer directly retraceable to an individual. Certain elements from the personal data may  be deleted or the data can be coded, in which case the key can be stored in another location. Pseudonymization is a security measure. When personal data is pseudonymized, they are still personal data. The data may no longer be directly retraceable, but indirectly you can still identify an individual with the pseudonymized data. Therefore, you have to comply with the GDPR.

    When personal data is anonymized, you can no longer trace back to an individual, even in case you would have additional data. In this case, the data are no longer personal data and the GDPR does not apply.

    IMPORTANT NOTE: the anonymizing of personal data is a way of processing personal data; until the moment the data is fully anonymized, it still is personal data. Only after anonymizing, the GDPR no longer applies.

  • How can I anonymize PDF documents?

    Be careful when anonymizing PDF documents. Drawing tools, used to draw a box over the sensitive information, don't usually hide the information. These boxes are easily removed to reveal the original information. The University advises to use Acrobat Pro. Acrobat Pro has the Redact tools to remove or redact sensitive images and text. Redacted and removed information will not be retrievable in the saved document.

    More information is available on the Adobe site.

  • Is the UT allowed to make and keep a copy of someone's passport/proof of identity?

    If the UT wants to make/keep a copy of someone's proof of identity, then the UT must explain why a copy/scan is necessary or based on what legal obligation a full copy/scan must be made. 

    In case this cannot be based on a legal obligation, but the UT still wants to make a copy/scan, the UT must assure that this copy/scan does not include any special categories of personal data or a social security number (BSN). The UT should point out that you should cover your photo and social security number. You can use an ID-cover or the KopieID app. On a hardcopy document, you can make sure certain data will be unreadable yourself. 

    When your photo and social security number are covered, the ID still shows personal data. When processing this, the UT also needs to be able to show that this is necessary and it must be based on a legal ground. This also means that the UT should investigate whether it is possible to reach the purpose in another way using less personal data. 

  • I want to store personal data securely. Is that possible in the cloud?

    The University has agreements with SURFnet for the use of SURFdrive, with Google about the use of G Suite, including Google drive, and with Microsoft for the use of OneDrive for Business. They all comply with the GDPR and can therefore be used for storing data. 

    The employee can therefore make a choice from the various solutions, taking into account the reason he wants to use the storage for. In all cases, pay attention to how synchronization is handled. All providers offer the possibility to synchronize files with the workplace. Therefore, that computer must also be adequately secured with, at minimal, encryption of the storage media in and connected to the workplace.

    Please note that the above only applies to the G Suite and OneDrive variants for which the university has a contract with Google and Microsoft. If in doubt, do not use it and contact the Service Desk ICT.

    You can also use G Suite and OneDrive -the correct variants- for sharing data with third parties. Keep in mind all other requirements for sharing with people outside of our organisation. If you need help, contact the Service Desk ICT.

  • What is the best way to do exchange personal data with third parties?

    To securely send files to one or more people, we recommend using SURFfilesender. SURFfilesender offers end-to-end encryption and has the possibility to send very large files. Remember to enable encryption when sending a file.

    When third parties want to send you a file with personal data, SURFfilesender is also the best choice. If you know the person who wants to send you the data, you can send an invitation via SURFfilesender.

    If that other person is someone at the university, you can use email. Traffic between your email client and our servers is encrypted. Data is stored on certified secure storage.

    In all cases be sure to check the recipients. Even though the transfer of data is secure, if the recipient is not the intended one it still is a data breach. SURFfilesender offers the possibility to remove recipients from the list before the have downloaded the file. Email does not offer this.

    We advice against the use of physical media. There is a great risk of losing those media. If that is the case, it will be a data breach. Even if the media is encrypted, there is a chance of a data breach. All this depends on the strength of the password.

    An additional problem with the use of physical media is that it is not certain whether the computer writing to the media is safe. If it is infected, the media may also be infected, after which the infection is transferred to the other computer.

  • What information should I include in a privacy statement or provide in another way to persons whose personal data I will process?

    The following information must be provided to data subjects (terms in bold are explained on this page):

    • Contact details of the controller and DPO;
    • The purposes and legal basis of the processing operation;
      • if legitimate interest is used as legal basis: what legitimate interest does it involve and why does this interest override the interests and fundamental rights to privacy of data subjects? 
    • The (categories of) receivers of personal data;
    • Will the personal data be transferred outside the EEA or to an international organisation and if so, on what legal ground?
    • The retention period of personal data;
    • The rights of data subjects;
    • In case a data subject has given consent for a processing operation: the right of that data subject to withdraw his/her consent for that processing operation;
    • The possibility for data subjects to lodge a complaint with the Dutch Privacy Authority (Autoriteit Persoonsgegevens)
    • If and why the data subject is obliged to provide personal data and what consequences it will have if the data subject does not provide the personal data;
    • If you will use automated decision making, including profiling;
    • In case the personal data are collected from another organisation: the source of the personal data and, if applicable, whether they come from public sources.

    The information must be transparent and provided in clear and simple words.

  • In what situations do you need to enter into a data processing agreement?

    Words in bold are explained on this page.

    When one party, the controller, asks another party to process personal data on behalf of the controller.

    The organisation that determines the means and purposes of the processing of personal data, is the controller. This organisation determines what will be done with the personal data and how. To determine who is the controller, you can check if one of the following applies:

    • Factual influence: which party is actually making the decisions? Which party determines the purpose and the way personal data is processed? Which party is following up on instructions? Is there a relationship of authority, for example employer-employee?
    • Legal authority: the law explicitly dictates that the organisation must or may process certain personal data.
    • Implicit authority: the law does not explicitly state that the organisation must or may process certain personal data, but it does seem obvious.

    When the controller asks another party to process personal data on behalf of the controller, this other party is considered the processor. In this situation, the parties must enter into a data processing agreement.

    If the controller transfers personal data to another party, it does not necessarily mean this other party is a processor; therefore, a data processing agreement is not always required. This other party can for example also determine the means and purposes of the processing of personal data. In those situations, this party is also controller and the parties must not enter into a data processing agreement. However, it might be recommended to enter into another agreement. Contact your privacy contact person (PCP) or the data protection officer (DPO). Contact your PCP or the DPO as well when you are not sure whether a data processing agreement is required or when you are not sure who is controller and who is processor.  

  • Can I transfer personal data to a party outside the UT?

    Words in bold are explained on this page.

    Short answer (explanation below): You may only do so when the data subject has consented to this, the transfer is based on a legal obligation or when the purpose of the transfer is compatible with the purpose for which the personal data are initially collected. The transfer must be based on a legal ground and data subjects must be informed about the transfer to a third party.

    Explanation: Each processing operation (a transfer of personal data is also a processing operation) must be based on a legal ground. Furthermore, a legitimate purpose of the transfer is required. In the event the personal data are initially collected for an other purpose (instead of the transfer), the purpose of the transfer must be compatible with the purpose for which the personal data are initially collected. To determine whether this is the case, take the following in consideration:

    • Each connection with the purpose for which the personal data are initially collected;
    • The relationship between data subjects and data controller;
    • The nature of the personal data (for example: does it involve special categories of personal data?);
    • The (potential) consequences of the transfer of the personal data;
    • Whether appropriate safeguards are in place (for example: encryption or pseudonymization);
    • The expectations of data subjects.

    Furthermore, data subjects must be informed about the transfer to a third party prior to that transfer (for example by means of a privacy statement).

  • Am I allowed to process personal data of minors?

    In case a processing operation is based on consent and you wish to process personal data of children under the age of 16, consent is required from the person who bears parental responsibility for the child.

    Prior to processing personal data, you must inform data subjects about what you will do with their personal data. This is often done in a privacy statement. When processing personal data of minors, you must make sure the privacy statement is easy to understand for children.