Paragraph 1: General provisions
Article 1: Definitions
In accordance with and in addition to the Personal Data Protection Act (Bulletin of Acts and Decrees 2000, 302), the following definitions apply for the purposes of these Regulations:
the Act: the Personal Data Protection Act;
the Regulations: these Regulations, including the Appendices;
personal details: all details concerning an identified natural person or natural person to be identified;
processing of personal details: every action or every group of actions pertaining to personal information, at least including collecting, recording, classifying, storing, updating, altering, retrieving, consulting, using, providing through sending, circulation or any other form of provision, assembling, relating and protecting, deleting or destroying data;
file: every structured set of personal details, regardless of whether that set of data is centralised or circulated in a manner determined functionally or geographically, which can be accessed according to certain criteria and relates to different persons;
party responsible: Language & Training Centre Erasmus University Rotterdam;
processor: the party that processes the personal details for the party responsible, without being subject
to that party’s direct authority;
staff: persons in the employ of or working for the party responsible;
person concerned: the person to whom personal details relate;
manager: the person who is charged, under the responsibility of the party responsible, with the day-to-day provision for the processing of personal details, the accuracy of the data entered and for the storage, deletion and provision of details;
– user: the person who, under the responsibility of the manager, is authorised to enter, alter and/or delete personal details, or to view any performance of the processing;
Article 2: Scope
These Regulations apply to all partially or fully automated processing of personal details of persons in the employ of or working for the Language & Training Centre of Erasmus University Rotterdam, and to the underlying documents entered in a file. These regulations also apply to non-automated processing of personal details included in a file or intended for inclusion there.
Article 3: Management of the personal details
The parties responsible, the managers and, if applicable, the processors for each individual form of processing or related forms of processing are listed in the Appendices.
Paragraph 2: Legitimate purpose
Article 4: Objectives of processing
The objectives or related objectives of processing are listed in the Appendices for each individual processing action or set of related processing actions.
Article 5: Legal grounds for processing
The legal grounds for processing lie in a) the execution of the employment contract to which the person concerned is party, b) the justified interest of the party responsible, c) a statutory obligation of the party responsible, d) a vital interest of the person concerned, or – only if a), b), c) or d) do not apply
– e) the explicit consent that was granted by the person concerned.
Article 6: Types of personal details entered and the manner of acquisition
a. The Appendices state the types of personal details that are processed, at most, and how these details are obtained, for each individual processing action or set of related processing actions.
b. As far as possible, personal details are obtained from the person concerned.
c. Personal details are not obtained from third parties without the explicit consent of the person concerned.
d. Personal details are processed correctly and with care, in compliance with the law.
e. Personal details are processed only in as far as they are adequate, in view of the objectives listed in the Appendices, serve those purposes and are not excessive.
f. Special personal details are processed in observance of the provisions of Articles 16 to 23 of the Act.
g. The manager makes the necessary provisions to promote the accuracy and completeness of the personal details.
Article 7: Deletion of entered personal details
a. Personal details that are no longer necessary for the objective are deleted as soon as possible.
b. After termination of the employment contract or the performance work for the party responsible, the data are kept for a further two years unless they must be kept for longer in connection with statutory obligations.
c. Deletion implies destruction or a process that ensures that it is no longer possible to identify the person.
Paragraph 3: Direct access to and provision of personal details
Article 8: Direct access to personal details
a. In the interests of the day-to-day provisions for smooth processing operations, only the manager and the users designated by the manager have direct access to personal details.
b. The persons referred to in sub-paragraph 1 who are not already subject to confidentiality obligations on the grounds of their office, occupation or statutory provisions are required to protect the confidentiality of personal details of which they become aware, unless and in as far as they are required to disclose these pursuant to any statutory provision or the necessity for disclosure arises from their duties.
Article 9: Technical work
Persons responsible for the performance of technical work are required to protect the confidentiality of all personal details of which they could have become aware.
Article 10: Provision of personal details
a. The persons in and outside the organisation to whom personal details can be provided in view of the objective and grounds for the processing are shown in the Annexes for each individual processing action or set of related processing actions.
b. The party responsible informs third parties that process personal details in a set manner of the conditions and limitations imposed for this. The party responsible is liable for damage suffered by the person concerned as a result of unlawful use of their personal details by third parties to which the party responsible provided those personal details, unless the damage cannot be attributed to the responsible party.
Article 11: Transfer of personal details to countries outside the European Union
The party responsible does not pass on any personal details to companies or branches in countries outside the European Union that do not have an appropriate level of protection, unless at least one of the following conditions is met:
a. A contract is concluded with the company or branch in compliance with the model contract provisions laid down by the European Commission, which contract has the approval of the data protection official in respect of the processing of personal details;
b. It is necessary to pass on the details in relation to the employment contract between the party responsible and the person concerned;
c. The person concerned has signed a declaration granting the party responsible permission to pass on the personal details. That declaration must be composed in simple, understandable language with specific information on the company concerned or the branch in question, the personal details to be passed on, the purpose of passing on the details and the duration of the period for which that declaration will be used.
Article 12: Further processing of personal details
a. The personal details to be processed undergo further processing only in a manner that is not inconsistent with the purpose for which they were obtained. At least the relationship with the objectives, the nature of the details, the consequences of further processing for the person concerned, the way in which the details are obtained and the assurances for the protection of personal privacy will be taken into account here.
b. Personal details may be processed further when this is necessary in order to comply with a statutory obligation to which the party responsible is subject, with the explicit consent of the person concerned.
Paragraph 4: Obligations of the party responsible, the manager and the processor
Article 13: Security
a. The party responsible draws up guidelines in a security plan for the technical and organisational security for the processing of personal details and submits this plan to the data protection officer for approval.
b. The party responsible sends the adopted security plan to the manager. The manager processes this plan in accordance with the guidelines.
c. If the services of a processor are used, the party responsible records the mutual obligations concerning the handling of personal details in writing in a contract with the processor. The processor processes the details in accordance with its agreed obligations.
Article 14: Duty of disclosure
a. If the party responsible acquires personal details from the person concerned, the party responsible shall notify the person concerned of its identity before the moment of acquisition, as well as the purpose of the processing for which the details are intended, unless the person concerned is already aware of this.
b. If the party responsible acquires personal details from a third party or through observation of the person concerned, the party responsible shall notify the person concerned of its identity at the time of recording, as well as the purpose of the processing for which the details are intended.
c. The party responsible provides the information referred to in sub-paragraphs 1 and 2 in a manner that ensures that the person concerned actually gains access to it.
Paragraph 5: Rights of the person concerned
Article 15: General
a. Every person concerned has a right to information, to access and to correct personal details (improvement, supplementation, deletion and/or blocking) as well as a right of refusal, as formulated in the following Articles of this Paragraph.
b. The exercise of those rights may take place in working hours.
c. The exercise of those rights involves no costs for the person concerned.
d. Persons concerned may provide for support in the exercise of those rights.
e. The manager notifies the persons concerned of the possibilities for legal protection and supervision.
and the role of the Dutch Data Protection Authority (DPA) in this.
Article 16: Right to information
The party responsible informs the person concerned on request, in a timely manner and in full of the purposes of and the way in which their personal details will be processed, of the rules applying for this, the rights of the person concerned in that regard and how those rights can be exercised. The person concerned is also informed of the location at which the documents containing the said rules can be viewed or requested.
Article 17: Right of access
a. The manager shall notify all persons in writing on request, at the earliest opportunity and within four weeks of the receipt of the request, whether personal details concerning them will be processed.
b. If this is the case, the manager will provide the applicant, if required, with a full written review of this, with information on the objective or objectives of the data processing, the data or categories of data to which the processing relates, the recipients or categories of recipients of the data and the origin of the data at the earliest opportunity, and within four weeks of the receipt of the request.
c. The applicant has a right to a copy of the recorded data that concern him or her. He or she is not required to pay for this.
d. If a serious interest of the applicant requires this, the manager will meet the request in a form other than in writing, which is appropriate to that interest.
e. The manager shall provide for proper verification of the identity of the applicant.
f. The manager may refuse to meet a request if and in as far as this is necessary in connection with:
1. the detection and prosecution of criminal offences;
2. serious interests of parties other than the applicant, including the party responsible.
Article 18: Right to correction: improvement, supplementation, deletion and/or blocking
a. In response to a written application from the person concerned, the manager will improve, supplement, delete and/or block processed personal details relating to the applicant, if and in as far as those details are factually incorrect, insufficient for the purpose of the processing, do not serve the purpose or are excessive, or are processed in contravention of a statutory provision in another way. The application contains the changes to be made.
b. The manager notifies the applicant in writing as soon as possible, and within four weeks of receipt of the application, whether he will meet the request. If he is unwilling to do so, or to do so in full, he will state the reasons for this.
c. The manager ensures that a decision to improve, supplement, delete and/or block data is implemented as soon as possible.
d. In the event of improvement, supplementation, deletion and/or blocking, the manager informs third parties of this and ensures that those third parties adjust their files accordingly. The manager shall inform the applicant of the third parties to which he provided that information.
Article 19: Right of rejection
a. If the lawful grounds for a particular processing action lies in the justified interest of the responsible party, the person concerned may lodge an objection with the manager at any time against such processing in connection with his or her special personal circumstances.
b. The party responsible will assess whether this objection is justified within four weeks of its receipt.
c. The manager shall discontinue the processing immediately if the party responsible regards the objection as justified. Objections to processing for commercial or charitable purposes are always justified.
Paragraph 6: Legal protection and supervision
Article 20: Complaints procedure
a. Every person concerned has a right to submit a complaint to the party responsible
1. Against a decision on an application as referred to in Articles 17, 18 and 19;
2. Against a decision in response to notice of an objection as referred to in Article 20; as well as
3. Against the way in which the party responsible, the manager or the processor implements the rules included in these Regulations.
b. The party responsible shall respond to the complaint in writing at the earliest opportunity, stating its reasons, at least within six weeks of receipt of the complaint.
c. The person concerned may provide for support in the submission and handling of his or her complaint.
d. The party responsible may obtain the advice of the DPA.
e. The person concerned may reach the conclusion that the complaint is unfounded or that it is entirely or partially justified.
f. If the party responsible does not honour the complaint or does so only partially, the person concerned may submit a complaint to the DPA. The party responsible informs the person concerned whose complaint has not been honoured, or has been honoured only partially, of this possibility and of the address of the DPA.
g. If the party responsible finds that the complaint is fully or partially justified, he will take one of the following decisions
1. (If the complaint is directed against a decision as referred to in paragraph 1(a):) to honour the request of the person concerned after all, partially or in full;
2. (If the complaint is directed against a decision as referred to in paragraph 1(b):) to honour the objection of the person concerned after all;
3. (If the complaint is directed against the implementation method referred to in paragraph 1(c):) to implement the rules included in the Regulations after all, which may involve actions or refraining from action, including restoration or stopping;
4. To pay compensation for the damage that the person concerned has suffered, including any personal damage.
h. The party responsible shall make its view known to the person concerned in writing.
i. If the party responsible does not respond within six weeks of the submission of the complaint, the person concerned may submit a complaint to the DPA.
Article 21: Supervision of compliance
The DPA is authorised by law to supervise compliance with the provisions of these Regulations
included by law.
Paragraph 7: Other provisions
Article 22: Training
The party responsible shall provide for regular training of the managers and users to ensure that
they understand the processes for processing of personal details, the rules applying to this and
their own role in this.
Article 23: Unforeseen
In cases for which the Regulations do not provide, the party responsible shall decide, if possible
after consultation and with the consent of the data protection officer. In urgent cases, the party responsible will notify the data protection officer after the event.
Article 24: Publication
These Regulations shall be made available for public inspection at the department that manages
Article 25: Changes and additions
1. Changes and additions to the Regulations require the consent of the data protection officer.
Article 26: Entry into force and short title
1. These Regulations come into effect on 1 July 2016.
2. These regulations may be cited as the Privacy Regulations, Language & Training Centre, Erasmus University Rotterdam.