GDPR definitions

This page explains some GDPR definitions. When words are bold, this means this is also a definition included on this page.


Adequacy decision

In case you want to transfer personal data to a country outside the European Economic Area (EEA, the territorial scope of the GDPR) (a third country), you are only allowed to do so in case an adequate level of protection is ensured in that third country. This is, amongst others, the case when the European Commission (EC) has issued an adequacy decision for that country. An adequacy decision states that the level of data protection in that country is equivalent to the level of data protection within the EEA


Data are anonymous, in case it is in no way able to trace back to an individual, not even with additional data. In case anonymous data is involved, the GDPR is not applicable. The GDPR is only applicable when it concerns personal data.

Anonymization however is a way of processing personal data. Before the data is anonymous, it concerns personal data. With a certain action, anonymizing, the data become anonymous. Each action with personal data is considered processing.

Anonymization is not the same as pseudonymization.

Appropriate safeguards

When personal data are transferred to a third country, this can be based on appropriate safeguards. Appropriate safeguards can be standard contractual clauses, an approved code of conduct or a certification mechanism.



See: Binding Corporate Rules

Binding Corporate Rules

An instrument within international organisations or multinationals that lays down guarantees for the protection of personal data when personal data is being transferred to third countries.



The party who determines the purposes and means of the processing of personal data.


Data minimisation

This is one of the principles of the GDPR. It means you are not allowed to process more personal data than necessary. You always need to ask yourself whether all personal data you are collecting/processing is really necessary. For example: you buy something in a webshop. You need to enter your address, but also your gender. Your address is necessary to send the items you buy to, but is gender also necessary? Is processing your gender necessary for the purpose? If not, it is not allowed to process this.

Data processing agreement

When a party as controller asks another party to process personal data on behalf of the controller, those parties need to enter into a data processing agreement. Such agreement describes amongst others what (categories of) personal data the processing operation concerns, what (categories of) data subjects, the retention periods of involved personal data, a description of the technical and organizational measurements and whether sub processors are involved.

The UT uses a standard data processing agreement, based on the template of SURF. Are you in need of a data processing agreement or does a data processing agreement need to be reviewed? Please contact your PCP or the DPO.

Data protection impact assessment

The Data protection impact assessment (DPIA) is an instrument to address involved privacy risks in a processing operation prior to that processing operation and to lay down measurements to mitigate those risks. When a processing operation is likely to result in a high privacy risk, a DPIA must be performed. In some cases it is mandatory to perform a DPIA.

A pre-DPIA helps you to decide whether a DPIA is required.

In case you think a DPIA is required, please contact the DPO.

Data protection officer

The data protection officer (DPO; in Dutch: functionaris gegevensbescherming/FG) supervises GDPR compliance within the UT and provides advice.

Data subject

An identified or identifiable natural person. The person whose personal data is being processed.

Data transfer agreement

In certain cases personal data will be transferred to parties outside the UT. In some cases a data processing agreement is required, but this is not always the case. In situations where no data processing agreement is required, it can still be wise to enter into a data transfer agreement in order to ensure that personal data will be safely handled.   


See: Data protection impact assessment


See: Data protection officer


The Dutch GDPR and GDPR execution act supervisor. In Dutch: Autoriteit Persoonsgegevens or AP.



See: General Data Protection Regulation.

GDPR execution act

The GDPR is directly applicable in the Netherlands. At some points in the GDPR, there is room for national choices. In the Netherlands, these choices are laid down in the GDPR execution act (in Dutch: Uitvoeringswet AVG/UAVG).

General Data Protection Regulation

A European regulation with rules for processing personal data. Also referred to as the European privacy law. The General Data Protection Regulation (GDPR) is applicable in the European Economic Area (EEA): all European Union member states plus Iceland, Liechtenstein and Norway. In Dutch: Algemene Verordening Gegevensbescherming or AVG.


Joint controller

In case you determine the means and purpose of the processing activity jointly with another party, you are considered joint controllers.



Processing personal data must be based on a legal basis. The GDPR lists six legal bases:



See: Privacy contact person

Personal data

Any information relating to an identified or identifiable natural person. 


Instrument to help decide whether a DPIA is required. You can find it here


'Privacy by default' is part of privacy by design and demands that the default settings of a service or product are set in the most privacy-friendly way.


'Privacy by design' means that when designing a service or product, privacy is already taken into account with the aim of optimising the protection of personal data. For example, data minimisation and retention periods are taken into account.

Privacy contact person

Each faculty and service department within the UT has appointed at least one privacy contact person (PCP). PCP’s advise within their own unit on privacy aspects and are the first contact person within their unit. The list of PCP’s can be found here.

Privacy statement

When you process personal data, the data subjects whose date you will process must be informed about that prior to that processing. This can be done with a privacy statement. At least the following items must be included in a privacy statement:

The information must be transparent and described in a clear and simple way.


Everything that can be done with personal data is considered processing.


The party who processes personal data on behalf of the controller.


When personal data are pseudonymised, they cannot be traced back to a person without using additional data. Examples are hasing and encryption. Pseudonymised data are personal data.


Personal data may only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. 


REGISTER of processing activities

The UT is obliged to keep a register of processing activities. For research, you can use this tool. For other processing activities, please contact the DPO


The GDPR does not include specific or concrete retention periods for personal data. You must determine the retention period yourself prior to processing personal data. Under the GDPR, you may not hold on to personal data longer than necessary for the purpose of processing. 



See: standard contractual clauses

Special categories of personal data

Special categories of personal data concerns data that are sensitive by their nature. The GDPR provides extra protection for these categories of personal data. In principle, it is not allowed to process these categories of personal data. It concerns the following personal data:

The GDPR contains 10 exceptions to the prohibition on processing special categories of personal data, of which 5 only apply if a legal basis has been created in national law. The 10 exceptions are:

  1. Someone has explicitly given consent for the processing of his / her personal data.
  2. (only if provided by law) The processing is necessary to perform obligations or exercise specific rights of the data subject (in the field of employment law, social security law and social protection law).
  3. Processing is necessary to protect the vital interests of the data subject or of another natural person. This only applies when the data subject is physically or legally unable to give his / her consent.
  4. Data are processed by a foundation, association or other non-profit organization active in the political, ideological, religious or trade union field. Data are processed for legitimate activities and with appropriate safeguards.
  5. The personal data being processed has been made public by the data subject.
  6. Processing is necessary to establish, exercise or defend legal claims. Or data is processed by a court based on legal jurisdiction.
  7. (only if provided by law) The processing is necessary for a considerable public interest.
  8. (only if provided by law) The processing is necessary for purposes of a preventive or (occupational) medical nature (such as assessing fitness for work and / or providing healthcare).
  9. (only if provided by law) The processing is necessary for public health.
  10. (only if provided by law) The processing is necessary for archiving in the public interest, scientific / historical research or statistical purposes.

Standard contractual clauses

Also referred to as SCC. A model contract, approved by the European Commission, to ensure a safe transfer of personal data to and from third countries.

Sub processor

A party engaged by the processor to process personal data on behalf of the controller.


Third country

Third countries are countries outside the European Economic Area (EEA). The EEA concerns all member states of the European Union plus Iceland, Liechtenstein and Norway.

Personal data may only be transferred to third countries if those countries offer an adequate level of data protection. This can be based on an adequacy decision, appropriate safeguards, binding cororate rules or specific exceptions.