GDPR and research: frequently asked questions


Can I use a private device to send and receive e-mail relating to the University of Twente?

Yes, but the device must be properly secured: it must be properly password protected, it should not be shared with others, and your laptop’s hard disk must be encrypted.

What should I do if my device containing personal details of the University of Twente is lost or stolen?

You should immediately report this to Specify whether the hard disk was encrypted and whether the device was properly password protected.


Are there guidelines for students who carry out surveys within the framework of research?

Explanatory notes:
Sometimes students carry out a survey as part of their graduation assignment without having implemented the education methodology.

The supervisor is responsible for making sure students comply with the privacy policy.

More information is available on the Cyber Safety website, under Privacy, including the Privacy Rules Guideline.

How should we handle graduation research by students using personal data?

Some graduation assignments require the processing of personal data.
If the student is going to participate in an existing project, the processing has already been registered by the responsible employee and is known to the Data Protection Officer team. In that case, the student does not need to take any further action.
However, if the research leads to a new processing, the student must register the processing, where the supervisor is recorded as the contact person. Report the processing via the registration button for processing on, here you will also find the accompanying manual.
In any graduation study involving personal data, the supervisor must inform the student of internal agreements and safe practices and point out the GDPR (General Data Protection Regulation). The supervisor points out to the student what is expected of him/her when working with personal data. More information about this, such as the Privacy Rules Guideline and the poster ‘Personal data research protocol’, is available on the Cyber Safety website.

Data collected at the UT for business goals are sometimes of interest to researchers. How should we deal with a request from a researcher to use these data?

The GDPR states that the use of collected data for statistical or scientific research is a compatible, lawful processing operation if the right measures are taken. We need to anonymize the data and we need to minimize the use of data in relation to the purpose of the research. We also need to erase the data as soon as possible. It is important to record the processing in the register of processings. A DPIA (Data Protection Impact Assessment) may be necessary. Furthermore, we need to inform the data subjects about the use of their data for research.