This page explains some GDPR definitions. When words are bold, this means this is also a definition included on this page.
In case you want to transfer personal data to a country outside the European Economic Area (EEA, the territorial scope of the GDPR) (a third country), you are only allowed to do so in case an adequate level of protection is ensured in that third country. This is, amongst others, the case when the European Commission (EC) has issued an adequacy decision for that country. An adequacy decision states that the level of data protection in that country is equivalent to the level of data protection within the EEA
Data are anonymous, in case it is in no way able to trace back to an individual, not even with additional data. In case anonymous data is involved, the GDPR is not applicable. The GDPR is only applicable when it concerns personal data.
Anonymization however is a way of processing personal data. Before the data is anonymous, it concerns personal data. With a certain action, anonymizing, the data become anonymous. Each action with personal data is considered processing.
Anonymization is not the same as pseudonymization.
When personal data are transferred to a third country, this can be based on appropriate safeguards. Appropriate safeguards can be standard contractual clauses, an approved code of conduct or a certification mechanism.
See: Binding Corporate Rules
Binding Corporate Rules
An instrument within international organisations or multinationals that lays down guarantees for the protection of personal data when personal data is being transferred to third countries.
The party who determines the purposes and means of the processing of personal data.
This is one of the principles of the GDPR. It means you are not allowed to process more personal data than necessary. You always need to ask yourself whether all personal data you are collecting/processing is really necessary. For example: you buy something in a webshop. You need to enter your address, but also your gender. Your address is necessary to send the items you buy to, but is gender also necessary? Is processing your gender necessary for the purpose? If not, it is not allowed to process this.
Data processing agreement
When a party as controller asks another party to process personal data on behalf of the controller, those parties need to enter into a data processing agreement. Such agreement describes amongst others what (categories of) personal data the processing operation concerns, what (categories of) data subjects, the retention periods of involved personal data, a description of the technical and organizational measurements and whether sub processors are involved.
The UT uses a standard data processing agreement, based on the template of SURF. Are you in need of a data processing agreement or does a data processing agreement need to be reviewed? Please contact your PCP or the DPO.
Data protection impact assessment
The Data protection impact assessment (DPIA) is an instrument to address involved privacy risks in a processing operation prior to that processing operation and to lay down measurements to mitigate those risks. When a processing operation is likely to result in a high privacy risk, a DPIA must be performed. In some cases it is mandatory to perform a DPIA.
A pre-DPIA helps you to decide whether a DPIA is required.
In case you think a DPIA is required, please contact the DPO.
Data protection officer
The data protection officer (DPO; in Dutch: functionaris gegevensbescherming/FG) supervises GDPR compliance within the UT and provides advice.
An identified or identifiable natural person. The person whose personal data is being processed.
Data transfer agreement
In certain cases personal data will be transferred to parties outside the UT. In some cases a data processing agreement is required, but this is not always the case. In situations where no data processing agreement is required, it can still be wise to enter into a data transfer agreement in order to ensure that personal data will be safely handled.
See: Data protection impact assessment
See: Data protection officer
Dutch DATA PROTECTION Authority
The Dutch GDPR and GDPR execution act supervisor. In Dutch: Autoriteit Persoonsgegevens or AP.
See: General Data Protection Regulation.
GDPR execution act
The GDPR is directly applicable in the Netherlands. At some points in the GDPR, there is room for national choices. In the Netherlands, these choices are laid down in the GDPR execution act (in Dutch: Uitvoeringswet AVG/UAVG).
General Data Protection Regulation
A European regulation with rules for processing personal data. Also referred to as the European privacy law. The General Data Protection Regulation (GDPR) is applicable in the European Economic Area (EEA): all European Union member states plus Iceland, Liechtenstein and Norway. In Dutch: Algemene Verordening Gegevensbescherming or AVG.
In case you determine the means and purpose of the processing activity jointly with another party, you are considered joint controllers.
Processing personal data must be based on a legal basis. The GDPR lists six legal bases:
- the data subject has given consent to the processing of his/her personal data for one or more specific purposes;
- processing personal data is necessary for the performance of a contract to which the data subject is party (or in order to take steps at the request of the data subject prior to entering into a contract);
- processing personal data is necessary for compliance with a legal obligation to which the UT is subject;
- processing personal data is necessary in order to protect the vital interests of the data subject or of another person;
- processing personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the UT ;
- processing personal data is necessary for the purposes of the legitimate interests pursued by the UT or by a third party.
See: Privacy contact person
Any information relating to an identified or identifiable natural person.
Instrument to help decide whether a DPIA is required. You can find it here.
PRIVACY BY DEFAULT
'Privacy by default' is part of privacy by design and demands that the default settings of a service or product are set in the most privacy-friendly way.
PRIVACY BY DESIGN
'Privacy by design' means that when designing a service or product, privacy is already taken into account with the aim of optimising the protection of personal data. For example, data minimisation and retention periods are taken into account.
Privacy contact person
Each faculty and service department within the UT has appointed at least one privacy contact person (PCP). PCP’s advise within their own unit on privacy aspects and are the first contact person within their unit. The list of PCP’s can be found here.
When you process personal data, the data subjects whose date you will process must be informed about that prior to that processing. This can be done with a privacy statement. At least the following items must be included in a privacy statement:
- Contact details of the controller and the DPO;
- The purposes and legal basis of the processing activity;
- If you use legitimate interest as legal basis you must also explain what this interest entails and why this interest outweights the privacy of data subjects.
- The (categories of) receivers of personal data;
- Will personal dat be transferred outside the EEA or to an international organisation and if so, on what legal ground?
- The retention period of personal data;
- The rights of data subjects;
- The right of a data subject to withdraw consent for a certain processing activity (if applicable);
- The rights of the data subject to file a complaint with the Dutch Data Protection Authority;
- If and why a data subject is required to provide personal data and what are the consequences if the personal data are not provided;
- If automated decision making, including profiling, is used;
- If the data are provided by another organisation: the source of the personal data, and, if applicable, whether they were derived from public sources.
The information must be transparent and described in a clear and simple way.
Everything that can be done with personal data is considered processing.
The party who processes personal data on behalf of the controller.
When personal data are pseudonymised, they cannot be traced back to a person without using additional data. Examples are hasing and encryption. Pseudonymised data are personal data.
Personal data may only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
REGISTER of processing activities
The GDPR does not include specific or concrete retention periods for personal data. You must determine the retention period yourself prior to processing personal data. Under the GDPR, you may not hold on to personal data longer than necessary for the purpose of processing.
See: standard contractual clauses
Special categories of personal data
Special categories of personal data concerns data that are sensitive by their nature. The GDPR provides extra protection for these categories of personal data. In principle, it is not allowed to process these categories of personal data. It concerns the following personal data:
- Personal data revealing racial or ethnic origin;
- Personal data revealing political opinions;
- Personal data revealing religious or philosophical beliefs;
- Personal data revealing a trade union membership;
- Genetic data;
- Biometric data for the purpose of uniquely identifying a natural person;
- Data concerning health;
- Data concerning a natural person’s sex life or sexual orientation.
The GDPR contains 10 exceptions to the prohibition on processing special categories of personal data, of which 5 only apply if a legal basis has been created in national law. The 10 exceptions are:
- Someone has explicitly given consent for the processing of his / her personal data.
- (only if provided by law) The processing is necessary to perform obligations or exercise specific rights of the data subject (in the field of employment law, social security law and social protection law).
- Processing is necessary to protect the vital interests of the data subject or of another natural person. This only applies when the data subject is physically or legally unable to give his / her consent.
- Data are processed by a foundation, association or other non-profit organization active in the political, ideological, religious or trade union field. Data are processed for legitimate activities and with appropriate safeguards.
- The personal data being processed has been made public by the data subject.
- Processing is necessary to establish, exercise or defend legal claims. Or data is processed by a court based on legal jurisdiction.
- (only if provided by law) The processing is necessary for a considerable public interest.
- (only if provided by law) The processing is necessary for purposes of a preventive or (occupational) medical nature (such as assessing fitness for work and / or providing healthcare).
- (only if provided by law) The processing is necessary for public health.
- (only if provided by law) The processing is necessary for archiving in the public interest, scientific / historical research or statistical purposes.
Standard contractual clauses
Also referred to as SCC. A model contract, approved by the European Commission, to ensure a safe transfer of personal data to and from third countries.
A party engaged by the processor to process personal data on behalf of the controller.
Third countries are countries outside the European Economic Area (EEA). The EEA concerns all member states of the European Union plus Iceland, Liechtenstein and Norway.
Personal data may only be transferred to third countries if those countries offer an adequate level of data protection. This can be based on an adequacy decision, appropriate safeguards, binding cororate rules or specific exceptions.