UTServicesLISACyber safetyPrivacy: personal dataGeneral Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

The UT processes personal data. Therefore, the UT has to comply with the General Data Protection Regulation (GDPR) (the European privacy law).

It is possible that you will process personal data on behalf of the UT, for instance in scientific research. In those events, you also have to comply with the GDPR. 

The main features of the GDPR are discussed below.

Processing personal data

First you have to establish whether you are processing personal data.


Ask yourself: does the information you are processing lead back to a person?


Personal data means any information relating to an identified or identifiable natural person (‘data subject’). It entails not only information that directly identifies a person (such as a name or identification number), but also information that can identify a person indirectly (for instance information where names are removed; additional steps need to be taken to be able to identify a person).


You have established that the information entails personal data. Are you going to do something with the personal data? If so, you are processing personal data.


Anything you do with personal data can be seen as processing, such as:

Legal grounds 

So, you are processing personal data. Now you need to determine whether you are doing this lawfully.

Is processing of personal data necessary:

If NO:

If you can answer at least one of the questions above with YES, you have a legal ground for processing. If not, you cannot lawfully process the personal data.


Processing of personal data is only lawful if at least one of the six legal grounds as mentioned in the GDPR applies.

GDPR principles

You can lawfully process personal data. The GDPR has some important principles you need to take into account.


The processing of personal data is necessary and cannot be done in another way that has less impact on the data subjects.

Data subjects need to be transparently informed about the fact that their personal data is being processed, for what purposes and whether their personal data will be transferred to other parties.


Personal data needs to be processed for specific, explicitly defined purposes.


You may only process personal data limited to what is necessary in relation to the purposes for which they are processed.


Personal data needs to be accurate and kept up to date.


Personal data must be deleted or rendered anonymous as soon as identification of data subjects is no longer necessary.


Personal data must be protected by technical and organizational measures.

Data subjects

The GDPR amplifies the position of data subjects regarding the protection of their privacy. Data subjects have certain rights in relation to their personal data:

Privacy by design and privacy by default

Processing of personal data must comply with the ‘privacy by design’ principle. This entails implementing technical and organizational measures to ensure that data protection principles are met in the determination of the means for processing and during the processing itself.

Another design principle that must be met is the ‘privacy by default’ principle. This principle relates to the measures that must be taken to protect data subjects’ privacy, by ensuring that only personal data necessary for the purpose of processing is used.

The GDPR explicitly requires transparency. This means the UT must be able to demonstrate compliance with the GDPR requirements. Transparency is also required for all data subjects: all information must be easily accessible and understandable.

Any new processing operation using a new technology or leading to high risks for data subjects must be preceded by a Data Protection Impact Assessment (DPIA).

Obligation to document

The GDPR obliges every organization to keep processing documentation. For the UT this entails having a complete and up-to-date register of all processing of personal data in our organization. For any processing operation, the legal ground, the purpose limitation, and the outsourced processing must be recorded.

The UT keeps two processing register: one for recurring operations within the UT and one for separate processing operations, for instance research. Processing operations can be included in the register using the registration tool.

Dutch Data Protection Authority

The Dutch Data Protection Authority (Dutch DPA) is responsible for the supervision of compliance with the privacy laws. To fulfil this task, the Dutch DPA investigates possible violations, or, prior to commissioning, judges risky processing activities and codes of conduct. In addition, the Dutch DPA has an advisory role with respect to new laws and regulations and is tasked with informing organizations, for example in the form of policies. The Dutch DPA has international roles as a supervisor in cross-border processing and as a participant in international partnerships. Furthermore, the Dutch DPA is able to impose fines if organizations do not comply with the privacy laws.

More information on the GDPR