Privacy Statement Erasmus Universiteit Rotterdam (EUR)

Click here for more information about the Data Protection Officer for the Erasmus University Rotterdam.

This Privacy Statement applies to all activities of Erasmus University Rotterdam (including those carried out via the website(s)) and provides the most relevant information by target group.

Erasmus University Rotterdam (hereinafter referred to as EUR) handles personal data with care and acts within the limits of the General Data Protection Regulation (GDPR).

EUR processes personal data and uses cookies for its websites. In this Privacy Statement, we provide information about the purposes for which personal data are processed, how you can exercise your privacy rights and other information that could be important to you. The cookie statement gives information about our use of cookies.

Who is responsible for your personal data?

EUR is the party responsible for processing your data within the meaning of the General Data Protection Regulation..

Are your personal data protected at EUR?

We value your privacy. So we take security measures to prevent the theft, loss or otherwise unlawful use of your personal data. We protect your data by minimising access rights, using encryption, monitoring use, and applying additional measures to the extent that the current state of the art allows for this.

  • EUR collects personal data from the following seven categories of data subjects:

    1. Students (including prospective students)
    2. Alumni
    3. Research subjects
    4. Members of staff (including PhD students and job applicants)
    5. External parties (including temporary workers)
    6. Visitors to the website
    7. All visitors to the EUR campus, EUR buildings and EUR complexes.

    Below, we set out per category what personal data are processed and for what purposes. The specific personal data are divided into personal data categories as follows. This list of examples is not exhaustive.

    Category

    Examples

    Identification information

    Name, date of birth, place of birth, voices

    Contact information

    E-mail address, residential address, telephone number

    Images

    Photographs, videos

    Financial information

    Bank account number, payments

    Educational information

    Examinations, diplomas, lists of marks, letters from the Examining Board

    Research data

    Questionnaires, datasets

    Employment information

    Curriculum vitae, motivation letters, employment contracts

    Digital information

    Cookies, IP addresses, account logs

    Which personal data

    Identification information
    Contact information
    Images
    Financial information
    Educational information
    Research data
    Employment information
    Digital information

    For which purposes

    Recruitment and selection of new students; student administration; giving, facilitating and recording lectures; assessments; provision of internal and external information; recording results; issuing certificates, diplomas and degrees; concluding and implementing agreements with students; customer involvement, relationship management and marketing; support for those with functional limitations; providing assistance, giving advice and personal guidance to students, both with regard to study issues and psychological, social and/or emotional problems.

    Safety and security, organisational analysis, development and management reports, substantiation for the purpose of accreditation investigations, the ability to carry out audits, financial administration, management of purchasing and payment systems, implementation and management of procedures for IT purposes, legal affairs, internal and external information provision, (market) research, organisational analysis, development and management reporting, handling disputes, complaints, appeal and objection procedures, matters related to the library, physical and digital archiving, employee participation and elections.

    Click here for more information regarding the National Student Survey.

    Which personal data

    Identification information
    Contact information
    Images
    Financial information
    Educational information
    Research data
    Employment information
    Digital information

    For which purposes

    Maintaining contact, sending information and newsletters, sending out questionnaires (also for rankings), organising events, organising global alumni departments, asking for advice or opinions, volunteering or mentoring, fundraising, and recording career developments for the above purposes.

    Financial administration, management of purchasing and payment systems, implementation and management of procedures for IT purposes, legal affairs, internal and external information provision, relationship management, marketing and market research, organisational analysis, development and management reporting, handling disputes, complaints, appeal and objection procedures, matters related to the library, physical and digital archiving.

    Which personal data

    Research data*

    And possibly, depending on the research:

    Identification information
    Contact information
    Images
    Financial information
    Employment information
    Digital information

    For which purposes

    Conducting and publishing the results of academic and scientific research, internal and external information provision, substantiation for integrity investigations, carrying out and managing procedures for IT purposes, complaints, appeal and objection procedures, physical and digital archiving.

    These data are processed in accordance with the law and the ‘Code of Conduct for the use of Personal Data in Scientific Research’ drawn up by the Association of Universities in the Netherlands (VSNU). If it concerns medical information, the codes of conduct that Federa (Foundation Federation of Dutch Medical Scientific Societies) applies are also used (the ‘good conduct’ code and ‘good practices’ code). Where necessary, the university’s ethics committee will evaluate the research project before it begins.

    Which personal data

    Identification information
    Contact information
    Images
    Financial information
    Educational information
    Research data
    Employment information
    Digital information

    For which purposes

    Recording salary claims, concluding and implementing employment contracts, claims settlement, internal and external audits and for the provision of company medical care.

    Financial administration, management of purchasing and payment systems, implementation and management of procedures for IT purposes, legal affairs, internal and external information provision, organisational analysis, development and management reporting, handling disputes, complaints, appeal and objection procedures, physical access to management systems and these management systems, website management and management of the intranet, matters related to the library, physical and digital archiving, employee participation and elections.

    Which personal data

    Identification information
    Contact information
    Financial information
    Digital information

    And possibly, depending on your relationship, mandate and/or employment at EUR:

    Images
    Educational information
    Research data
    Employment information

    For which purposes

    Provision of internal and external information, concluding and implementing agreements with customers, consumers, suppliers and business partners, relationship management, marketing and market research, organisational analysis, development and management reports, complaints procedure, appeal and objection procedures, matters related to the library, physical and digital archiving.

    Which personal data

    Digital information

    For which purposes

    Marketing and market research, complaints, appeal and objection procedures, web content management.

    Which personal data

    Images

    For which purposes

    Safety and security, complaints, appeal and objection procedures, camera surveillance, managing the parking facilities.

  • All processing of personal data has to be based on Article 6 of the GDPR. EUR processes personal data on the basis of the following principles:

    In some cases, we will process your personal data on the basis of your consent. Consent must be freely given, it must be informed and specific to the processing purpose. In addition, you have to (unambiguously) approve the processing by actively taking action. This may consist of ticking a check box, submitting a web form or a verbal acceptance. You can always withdraw your consent. Processing prior to withdrawal of consent is lawful. Examples of the processing that EUR does based on consent include:

    • the sending of information about EUR to interested parties;
    • the processing of special categories of personal data, such as health records and data relating to trade union membership.

    EUR processes personal data if it is necessary for the implementation of an agreement between EUR and other parties. The processing of personal data is part of the conditions accepted by the other party. Examples of the processing that EUR does based on the implementation of an agreement include:

    • implementing the employment contract between EUR and its members of staff;
    • for the purposes of purchasing processes.

    The processing of personal data is permitted on the basis of Dutch or European legislation. A legal obligation does not have to be explicit in the law, but may result from it. Examples of the processing that EUR does based on legal obligations include:

    • Maintaining a student administration for the purpose of awarding degrees pursuant to the Dutch Higher Education and Research Act.
    • The disclosure of personal data about employees to government authorities in order to comply with the employer’s obligations under taxation laws and labour legislation.

    EUR may process personal data in the vital interest of an individual if a situation requires this. A vital interest is at stake if it is essential to process the personal data of a person to save their life or to give them medical treatment and it is not possible to ask that individual for permission to process their personal data. Examples of processing based on vital interest:

    • Sharing personal data with the emergency services if an individual has become unwell on campus and, because of this, is unable to give consent.

    EUR may process personal data based on its general interest given that it is a university entrusted with the public tasks of carrying out scientific research and providing higher education. These processes for the benefit of public tasks are derived from the specific legislation for this purpose (see the Higher Education and Research Act cited above), but can also be mentioned, for instance, in policy documents issued by the Ministry of Education, Culture and Science. An example of the processing that EUR does based on general interest is:

    • Conducting scientific research that is not done based on consent.

    If EUR processes personal data on the basis of a legitimate interest, the (privacy) interests of the data subjects are always weighed against the (legitimate) interests of EUR. This means that the processing must be proportionate and subsidiary and must have no impact or as little negative impact as possible on data subjects. Examples of the processing that EUR does based on legitimate interest include:

  • On EUR’s instructions, third parties may provide certain parts of the services for the implementation of an agreement. We reach agreements with these organisations to ensure that personal data are treated with care and in confidence. These agreements are contractually recorded in data processing and other agreements. If parties are based outside the European Economic Area (EEA), additional and appropriate safeguards will be put in place.

    Your personal data are not hired or sold to third parties. EUR provides personal data to enforcement authorities or fraud control organisations if this is necessary to comply with statutory obligation.

  • EUR does not keep your data for longer than is strictly necessary to realise the purposes for which the data were gathered. Among other things, EUR observes the retention periods provided for in the Dutch Public Records Act (elaborated in the Basic Selection Document for University Education (BSD) for University Education 1985 and in the Selection List for Universities and University Medical Centres 2020), as well as other legislation, for instance tax and labour legislation. If you choose to exercise any of your rights (see below ‘Your rights and exercising these rights’), this may affect the retention period observed for your personal data. 

  • EUR produces or collects images on the EUR campus, in EUR buildings and complexes, and also outside these areas. This is done in the following situations:

    In staged situations in which imagery is produced, those portrayed will be asked for their express, specific written permission. If the situation is not staged, written consent will not be requested. However, the photographer or camera crew can be told that images must not be taken.

    It may be possible to recognise individuals in these images. This means that EUR will be processing personal data for the purposes of:

    • disclosing the images to those present; and/or
    • informing interested parties about EUR activities and/or to give them promotional material.

    The images may be collected by a photographer or camera crew, or by other people present. If no express, specific, written consent is requested, EUR will collect the images on the basis of its legitimate interest. Images are shared with photographers, camera crews, and/or third parties who incorporate the visual material in publications or other communications on EUR’s behalf. Visual material may also be shared with a EUR cooperative arrangement or for journalistic purposes.

    Images are removed from EUR archives and its websites ten years after they are collected, and after thirty years if they are on social media, unless a different retention period is observed if written permission and/or information is provided prior to an event. EUR may also decide that certain images should be retained for archival purposes to give a historical portrayal of the time so that new generations can be shown how EUR has changed over the years.

    EUR uses video conferencing software when facilitating lectures and tutorials, and when contacting or interacting with EUR staff. If visual material is recorded and stored via the video conferencing software, the person organising the call will announce this beforehand.

    It may be possible to recognise individuals in these images. This means that EUR will be processing personal data for the purposes of:

    • disclosing the images to participants; and/or
    • in the context of the curriculum.

    The images (and voice recordings) are collected via the video conferencing software and can be stored on learning management software and/or on the EUR cloud storage services. EUR collects this footage either on the basis of its legitimate interest or on the basis of consent. Images are not shared with third parties (other than software used at EUR), unless express permission has been given.

    Images that are recorded and stored will be removed from the video conferencing software and/or cloud storage services three years after they are collected.

    The EUR campus, buildings and complexes are monitored using camera surveillance. These cameras may be visible or hidden. Camera surveillance can also be used to ensure that examinations are conducted properly and/or to detect cheating during these examinations. Camera surveillance at EUR is regulated by the Regulations on Camera Surveillance and the Online Proctoring Infosheet.

    It may be possible to recognise individuals in these images. This means that EUR will be processing personal data for the purposes of:

    • protecting the health and safety of one or more natural persons;
    • the security at the access to buildings and grounds;
    • the surveillance of goods in the buildings or on the grounds;
    • to record incidents, including while examinations are being taken. EUR may also use online invigilation for examinations that students sit at home.

    The images are collected via a camera system. EUR collects this footage for security purposes using camera surveillance based on its legitimate interest and on general interest in the context of online invigilation. The visual material will not be shared with third parties unless it is in the context of a legal obligation.

    The recorded images are removed four weeks later, or six weeks later if it concerns online invigilation.

    At EUR, people may be asked to provide images of themselves to EUR for various purposes.

    It may be possible to recognise individuals in these images. This means that EUR will be processing personal data for the purposes of:

    • recruitment and selection;
    • student administration, including student cards and yearbooks;
    • to inform interested parties about EUR activities and/or to give them promotional material;
    • conducting scientific research.

    The footage will be collected through receiving e-mails, uploading the footage or physically distributing it to EUR. EUR collects this footage either on the basis of its legitimate interest or on the basis of consent. Images are not shared with third parties, unless express permission has been given.

    Images will be removed from the EUR cloud storage services or from other software ten years after collection, unless a different retention period is observed when written permission is granted.

  • As a data subject, you have various rights under the GDPR. Click here to exercise your rights.

    If you invoke a right, you will be asked to identify yourself. The EUR Privacy Team will handle your query or matters concerning exercising of your rights within 30 days. We may extend our decision-making period by a further two months if we need this time to address your question.

    If processing carried out by or on behalf of EUR is based on your giving your consent, you are entitled to withdraw your consent to the processing of your data at any time. Processing of your personal data prior to withdrawal of consent is lawful.

    You are entitled to know whether your personal data are being processed. If your data are processed, you are entitled to have access to these data.

    You are entitled to change or rectify any inaccurate personal data processed by EUR that concern you. You are also entitled to enter or complete missing data, depending on the purposes of the processing.

    You have the right to restrict the processing of your personal data under the following circumstances:

    • if you dispute the accuracy of the data, in which case we will stop the processing of your data until we have verified its accuracy;
    • if the processing is unlawful and you do not want us to delete your personal data;
    • if, based on your right to object, you have objected to the processing of your personal data and are awaiting the outcome of your objection.

    If EUR has a legitimate interest in processing your personal data (see above in the section entitled ‘On what grounds is the processing of your personal data based?’ in point 5), you have the right to object to the processing for reasons relating to your own specific situation. We will stop processing your personal data unless we can demonstrate a compelling legitimate interest to continue this processing, one that takes precedence over your interests, rights and freedoms, or unless we need the data to establish, exercise or defend a legal claim.

    If you exercise your right to object, EUR will weigh your interests against the interests of EUR or relevant third parties and a decision regarding your objection will be taken.

    In some cases, you have the right to be forgotten, i.e. the right to erasure. This means that we have to delete personal data from our administration and systems. You have the right to be forgotten in the following cases:

    • your personal data are no longer required for the purposes for which they were collected;
    • if the processing was based on consent and you withdraw your consent, and we have no other basis for processing the data;
    • if the personal data were processed unlawfully;
    • if the retention period has expired.

    You are not entitled to have your personal data deleted if EUR has a legal obligation to process your data, or if the data are necessary to establish, exercise or defend a legal claim.

    To the extent that EUR processes your data (using a computerised method) based on your consent or to implement an agreement that we have entered with you, you have the right to receive the data you have given us in a structured, commonly used and machine-readable format. You can also ask us to transfer the data directly to a third party.

    You are always entitled to lodge a complaint with the Dutch Data Protection Authority. However, if you have any problems, questions or comments regarding the processing of your data by EUR, please contact us first at (privacy@eur.nl). We take your privacy very seriously and are happy to be of assistance.

    If you disagree with a decision taken by EUR, you are entitled to submit a notice of objection. The full procedure is given here.

Third-party privacy policies via redirection

The EUR website contains links to other websites that are not controlled by EUR. If you follow these links, EUR cannot accept any responsibility for the way in which these parties handle personal data.

Questions

If you have any specific questions or comments concerning our privacy statement in response to this information, then please feel free to contact us. For this, please use the contact form on the website or send an e-mail to privacy@eur.nl. The EUR data protection officer (DPO) can be contacted at fg@eur.nl.

  • This Privacy Statement was changed lastly in:

    July 2021: Link included to more detailed information about network monitoring

    February 2021: Replaced Privacy Statement with a new version

    June 2018: Removed references to the WBP 

    May 2018: Digital office added for rights of data subjects, and addition to scientific research processing

    March 2018: The EUR reserves the right to add changes to the privacy statement when necessary.