FAQ GDPR - general questions and answers

  • What should I do if I discover a security incident or data breach?

    You should immediately report this to cert@utwente.nl. For more information on how the UT handles data breaches, please see our procedure for handling data breaches.

  • What should I do if I lose my device containing personal details of the University of Twente (through loss or theft)?

    You should immediately report this to cert@utwente.nl. Specify whether the hard disk was encrypted and whether the device was properly password protected.

    For more information on how the UT handles data breaches, please see our procedure for handling data breaches.

  • What is the difference between anonymization and pseudonymization?

    When personal data is pseudonymized, you secure the data in such a way that it is no longer directly traceable to an individual. Certain elements of the personal data may be deleted, or the data can be coded, in which case the key can be stored in another location. Pseudonymization is a security measure. Pseudonymized personal data is still personal data: it may no longer be directly traceable, but you can still identify an individual indirectly with the pseudonymized data. Therefore, you have to comply with the GDPR.

    When personal data is anonymized, you can no longer trace it back to an individual, even if you had additional data. In this case, the data is no longer personal data and the GDPR does not apply.

    IMPORTANT NOTE: the anonymizing of personal data is a way of processing personal data; until the moment the data is fully anonymized, it still is personal data. Only after anonymizing, the GDPR no longer applies.
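
    The difference described above, as an added example that is not part of the original FAQ: a direct identifier is replaced by a code, the key table is kept apart, and the coded data is then checked for rows that can still be singled out without the key. The field names, the sample records and the use of HMAC-SHA256 to derive the code are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records; all values are made up.
RECORDS = [
    {"student_id": "s0000001", "name": "A. Example", "postcode": "7500", "birth_year": 1999, "grade": 7.5},
    {"student_id": "s0000002", "name": "B. Example", "postcode": "7500", "birth_year": 1999, "grade": 6.0},
    {"student_id": "s0000003", "name": "C. Example", "postcode": "7522", "birth_year": 1987, "grade": 8.0},
]

def pseudonymize(records, secret, id_field="student_id", drop=("name",)):
    """Replace the direct identifier with a code; return (coded rows, key table)."""
    coded, key_table = [], {}
    for rec in records:
        code = hmac.new(secret, rec[id_field].encode(), hashlib.sha256).hexdigest()[:16]
        key_table[code] = rec[id_field]  # the "key": store it in another location
        row = {k: v for k, v in rec.items() if k != id_field and k not in drop}
        row["code"] = code
        coded.append(row)
    return coded, key_table

def reidentify(row, key_table):
    """Whoever holds the key table can map a code back to the person."""
    return key_table.get(row["code"])

def singled_out(rows, quasi_identifiers):
    """Rows whose combination of quasi-identifiers is unique in the data set."""
    combo = lambda r: tuple(r[q] for q in quasi_identifiers)
    counts = Counter(combo(r) for r in rows)
    return [r for r in rows if counts[combo(r)] == 1]

SECRET = secrets.token_bytes(32)  # kept with the key table, never with the coded data
CODED, KEY_TABLE = pseudonymize(RECORDS, SECRET)

if __name__ == "__main__":
    print("coded row:", CODED[0])
    print("with the key:", reidentify(CODED[0], KEY_TABLE))
    print("unique without the key:", singled_out(CODED, ("postcode", "birth_year")))
```

    The third row is unique on postcode and birth year, so it can be linked to a person by anyone who knows those two facts, which is why the coded data set remains personal data.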

  • How can I anonymize PDF documents?

    Be careful when anonymizing PDF documents. Drawing tools used to draw a box over sensitive information usually do not hide that information: the boxes are easily removed to reveal the original content. The University advises using Acrobat Pro, which has Redact tools to remove or redact sensitive images and text. Redacted and removed information will not be retrievable in the saved document.

    More information is available on the Adobe site.
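
    A check you can run before sharing a redacted PDF, as an added example that is not part of the original FAQ: it lists the text that the page content still draws, whether or not a box covers it. It only handles literal strings in uncompressed or Flate-compressed content streams, and the two sample byte strings are constructed fragments, not complete PDF files.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
LITERAL_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)")  # (literal string)
SHOW_RE = re.compile(rb"\((?:\\.|[^\\()])*\)\s*Tj|\[(?:[^\]\\]|\\.)*\]\s*TJ")

def content_streams(pdf_bytes):
    """Yield each stream body, inflating it when it is Flate-compressed."""
    for match in STREAM_RE.finditer(pdf_bytes):
        raw = match.group(1)
        try:
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            yield raw  # uncompressed, or a filter this example does not handle

def shown_text(pdf_bytes):
    """Return the literal strings passed to the text operators Tj and TJ."""
    found = []
    for body in content_streams(pdf_bytes):
        for op in SHOW_RE.finditer(body):
            parts = LITERAL_RE.findall(op.group(0))
            found.append(b"".join(parts).decode("latin-1"))
    return found

def still_contains(pdf_bytes, sensitive):
    """True if the sensitive string is still drawn somewhere in the file."""
    return any(sensitive in text for text in shown_text(pdf_bytes))

def make_fragment(ops):
    """Build a constructed, compressed content stream for the demonstration."""
    data = zlib.compress(ops)
    return b"%PDF-1.4\n<< /Length " + str(len(data)).encode() + b" >>\nstream\n" + data + b"\nendstream\n"

TEXT = b"BT /F1 12 Tf 72 700 Td (Student number s0000001) Tj ET\n"
BOX = b"0 0 0 rg 70 695 200 16 re f\n"  # black filled rectangle over the text
BOXED = make_fragment(TEXT + BOX)        # box drawn on top, text still present
REDACTED = make_fragment(BOX)            # text operators actually removed

if __name__ == "__main__":
    print("boxed:", shown_text(BOXED))
    print("redacted:", shown_text(REDACTED))
```

    An empty result from this check does not prove a file is clean, because text can also be stored in hex strings, embedded fonts with custom encodings, metadata or images.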

  • Is the UT allowed to make and keep a copy of someone's passport/proof of identity?

    If the UT wants to make/keep a copy of someone's proof of identity, then the UT must explain why a copy/scan is necessary or based on what legal obligation a full copy/scan must be made. 

    In case this cannot be based on a legal obligation, but the UT still wants to make a copy/scan, the UT must ensure that this copy/scan does not include any special categories of personal data or a social security number (BSN). The UT should point out that you should cover your photo and social security number. You can use an ID-cover or the KopieID app. On a hardcopy document, you can make certain data unreadable yourself.

    When your photo and social security number are covered, the ID still shows personal data. When processing this, the UT also needs to be able to show that this is necessary and it must be based on a legal ground. This also means that the UT should investigate whether it is possible to reach the purpose in another way using less personal data. 

  • I want to store personal data securely. Is that possible in the cloud?

    The University has agreements with SURFnet for the use of SURFdrive, with Google about the use of G Suite, including Google drive, and with Microsoft for the use of OneDrive for Business. They all comply with the GDPR and can therefore be used for storing data. 

    The employee can therefore choose from the various solutions, taking into account the purpose for which the storage will be used. In all cases, pay attention to how synchronization is handled. All providers offer the possibility to synchronize files with the workplace. Therefore, that computer must also be adequately secured with, at a minimum, encryption of the storage media in and connected to the workplace.

    Please note that the above only applies to the G Suite and OneDrive variants for which the university has a contract with Google and Microsoft. If in doubt, do not use it and contact the Service Desk ICT.

    You can also use G Suite and OneDrive (the correct variants) for sharing data with third parties. Keep in mind all other requirements for sharing with people outside of our organisation. If you need help, contact the Service Desk ICT.

  • What is the best way to exchange personal data with third parties?

    To securely send files to one or more people, we recommend using SURFfilesender. SURFfilesender offers end-to-end encryption and has the possibility to send very large files. Remember to enable encryption when sending a file.

    When third parties want to send you a file with personal data, SURFfilesender is also the best choice. If you know the person who wants to send you the data, you can send an invitation via SURFfilesender.

    If that other person is someone at the university, you can use email. Traffic between your email client and our servers is encrypted. Data is stored on certified secure storage.

    In all cases, be sure to check the recipients. Even though the transfer of data is secure, if the recipient is not the intended one it is still a data breach. SURFfilesender offers the possibility to remove recipients from the list before they have downloaded the file. Email does not offer this.

    We advise against the use of physical media. There is a great risk of losing those media. If that is the case, it will be a data breach. Even if the media is encrypted, there is a chance of a data breach. All this depends on the strength of the password.

    An additional problem with the use of physical media is that it is not certain whether the computer writing to the media is safe. If it is infected, the media may also be infected, after which the infection is transferred to the other computer.

  • What information should I include in a privacy statement or provide in another way to persons whose personal data I will process?

    The following information must be provided to data subjects (terms in bold are explained on this page):

    • Contact details of the controller and DPO;
    • The purposes and legal basis of the processing operation;
      • if legitimate interest is used as legal basis: what legitimate interest does it involve and why does this interest override the interests and fundamental rights to privacy of data subjects? 
    • The (categories of) receivers of personal data;
    • Will the personal data be transferred outside the EEA or to an international organisation and if so, on what legal ground?
    • The retention period of personal data;
    • The rights of data subjects;
    • In case a data subject has given consent for a processing operation: the right of that data subject to withdraw his/her consent for that processing operation;
    • The possibility for data subjects to lodge a complaint with the Dutch Privacy Authority (Autoriteit Persoonsgegevens)
    • If and why the data subject is obliged to provide personal data and what consequences it will have if the data subject does not provide the personal data;
    • If you will use automated decision making, including profiling;
    • In case the personal data are collected from another organisation: the source of the personal data and, if applicable, whether they come from public sources.

    The information must be transparent and provided in clear and simple words.

  • In what situations do you need to enter into a data processing agreement?

    Words in bold are explained on this page.

    When one party, the controller, asks another party to process personal data on behalf of the controller.

    The organisation that determines the means and purposes of the processing of personal data, is the controller. This organisation determines what will be done with the personal data and how. To determine who is the controller, you can check if one of the following applies:

    • Factual influence: which party is actually making the decisions? Which party determines the purpose and the way personal data is processed? Which party is following up on instructions? Is there a relationship of authority, for example employer-employee?
    • Legal authority: the law explicitly dictates that the organisation must or may process certain personal data.
    • Implicit authority: the law does not explicitly state that the organisation must or may process certain personal data, but it does seem obvious.

    When the controller asks another party to process personal data on behalf of the controller, this other party is considered the processor. In this situation, the parties must enter into a data processing agreement.

    If the controller transfers personal data to another party, it does not necessarily mean this other party is a processor; therefore, a data processing agreement is not always required. This other party can for example also determine the means and purposes of the processing of personal data. In those situations, this party is also controller and the parties must not enter into a data processing agreement. However, it might be recommended to enter into another agreement. Contact your privacy contact person (PCP) or the data protection officer (DPO). Contact your PCP or the DPO as well when you are not sure whether a data processing agreement is required or when you are not sure who is controller and who is processor.  

  • Can I transfer personal data to a party outside the UT?

    Words in bold are explained on this page.

    Short answer (explanation below): You may only do so when the data subject has consented to this, the transfer is based on a legal obligation or when the purpose of the transfer is compatible with the purpose for which the personal data are initially collected. The transfer must be based on a legal ground and data subjects must be informed about the transfer to a third party.

    Explanation: Each processing operation (a transfer of personal data is also a processing operation) must be based on a legal ground. Furthermore, a legitimate purpose of the transfer is required. In the event the personal data are initially collected for another purpose (instead of the transfer), the purpose of the transfer must be compatible with the purpose for which the personal data are initially collected. To determine whether this is the case, take the following into consideration:

    • Each connection with the purpose for which the personal data are initially collected;
    • The relationship between data subjects and data controller;
    • The nature of the personal data (for example: does it involve special categories of personal data?);
    • The (potential) consequences of the transfer of the personal data;
    • Whether appropriate safeguards are in place (for example: encryption or pseudonymization);
    • The expectations of data subjects.

    Furthermore, data subjects must be informed about the transfer to a third party prior to that transfer (for example by means of a privacy statement).

  • Am I allowed to process personal data of minors?

    In case a processing operation is based on consent and you wish to process personal data of children under the age of 16, consent is required from the person who bears parental responsibility for the child.

    Prior to processing personal data, you must inform data subjects about what you will do with their personal data. This is often done in a privacy statement. When processing personal data of minors, you must make sure the privacy statement is easy to understand for children.

  • What do I need to pay attention to when I process personal data or use an application/service which processes personal data?

    The following questions need to be answered:

    1. What is the purpose of processing personal data?
    2. Can the processing of personal data be based on a legal basis?
    3. Where are the personal data stored and/or processed?
       a. In case this is outside the EEA (in a third country): what additional measures have been taken?
    4. Whose personal data will be processed? Who are the data subjects?
    5. What personal data will be processed? Will you process special categories of personal data and if so, what exception is applicable to justify processing special categories of personal data?
    6. Personal data may not be stored longer than necessary for the purpose of processing. What retention period is applicable for the personal data? Please explain.
    7. After the retention period, will the personal data be deleted automatically or manually? When manually: how can you ensure that this will actually happen?
    8. The processing activity must be included in the register of processing activities. Therefore, an Excel-sheet for SMILE must be completed (this can be requested from the data protection officer). This must be done prior to the processing activity.
    9. What is the UT’s role? (Controller / processor / joint controller?)
    10. Is the principle of data minimization taken into account?
    11. Are appropriate technical and organisational measures implemented to protect the personal data?
    12. Is another party involved with the processing of personal data and if so, what is the role of that party? Is it necessary to enter into a data processing agreement or another agreement?
    13. Are data subjects properly informed about the processing activities prior to those processing activities (for example by means of a privacy statement)?
    14. Are the privacy rights of data subjects respected? Under certain conditions, a data subject is entitled to:
        a. Access to his or her personal data;
        b. Correction of his or her personal data;
        c. Deletion of his or her personal data;
        d. Restriction of the processing of his or her personal data;
        e. Portability of his or her personal data;
        f. Objection to the processing of his or her personal data.
    15. Is it necessary to perform a DPIA? If so, this must be done prior to the processing activity.
    16. Are the principles of ‘Privacy by Design’ and ‘Privacy by Default’ applied to the processing activity?