Privacy statement en disclaimer

HKU only processes data that is necessary for the performance of its task as a higher education institution. Our aim is to protect the privacy of all those whose data we process against abuse and inaccuracy.
Privacy statement en disclaimer

Privacy statement

Data will be processed in accordance with the General Data Protection Regulation (GDPR), and based on the HKU Privacy Regulations (Privacyreglement HKU). 


This general privacy statement applies to all data processing operations that take place under the responsibility of HKU.


Within the framework of the GDPR, the Executive Board of HKU is responsible for the processing of personal data by HKU.

Stichting Hogeschool voor de Kunsten Utrecht / HKU

Nieuwekade 1, 3511RV Utrecht

Postbus 1520, 3500BM Utrecht


Target groups

We process data of the following groups:

  • Students
  • Alumni
  • Course participants
  • Employees
  • Hired third parties
  • Partners
  • Course applicants / interested persons
  • Job applicants


We process data for at least the following purposes:

  • Educational logistics
  • Operations & Finance
  • Facility Affairs
  • Human Resources
  • Relationship management
  • Recruitment and selection
  • Protection of safety, health and integrity
  • Research

Your data will only be processed under one of the principles described in the GDPR. In the main, we process your data with your consent, in order to comply with a legal obligation, or because we have a legitimate interest as a higher education institution. Data will only be processed for the purposes for which it was obtained.

Personal data

Amongst other things, we process the following data:

  • Contact details (name, address, postal code and town, email address, telephone number)
  • Gender and date of birth
  • Student number
  • Registration details
  • Study progress data
  • Examination and certification data
  • Attendance information
  • Timetable data
  • Payment details
  • Visual material
  • Account data, login data and usage data
  • Data on health and performance of employees

Where possible, we aim to pseudonymise or anonymise data as much as possible.


Pursuant to the GDPR, you have a number of rights that you can exercise with regard to your personal data:

  • Right to information about processing operations
  • Right of inspection of data
  • Right to rectify inaccurate data
  • Right of deletion of data and 'right to be forgotten'
  • Right to restrict data processing
  • Right to oppose data processing
  • Right to transfer of data (data portability)
  • Right not to be subject to automated decision-making
  • Right to revoke consent given
Requests may be submitted to the Data Protection Officer via

We are obliged to respond to your request within 30 days. Requests will be reviewed by us for reasonableness and feasibility. If we need your data for processing of major importance, we may refuse a request to delete or stop processing. When you submit a request to us to exercise your rights, we may ask you to identify yourself.

Third party data sharing

The starting point is that your personal data will only be used by HKU. In some cases your personal information will be shared with other parties:

  • Public authorities in the event of a legal obligation
  • Third parties (e.g. software suppliers, insurers) who need the personal data to provide their services.

For the sharing of data with third parties, we draw up processor agreements to ensure that the necessary appropriate organisational and technical measures are in place for securely processing of your data.

Data will only be shared outside the EU if there is an adequate level of protection in accordance with European law.

Retention periods

All personal data no longer required for the original purpose will be deleted as soon as possible. Some data is subject to a statutory retention period (e.g. certification data and data for reporting to the tax authorities). This data will only be deleted after this period has expired.

Technical and organisational security

We ensure appropriate and up-to-date technical and organisational security to protect the personal data we process against loss or any form of unlawful processing. For the processing of sensitive personal data, we draw up integrity rules and codes of conduct.

Data protection officer

If you have any questions, please contact Teije ter Maat, HKU's Data Protection Officer (DPO), via The DPO advises on privacy legislation and monitors compliance within HKU. The DPO is also the contact person for the national supervisor, the Dutch Data Protection Authority. The DPO is independent and reports to the Executive Board.

Read more about data breaches

Version: August 2019

HKU is entitled to amend the content of this privacy statement at any time.


HKU cannot be held liable for the content of the information on its websites or in its newsletters, or for the consequences of the use thereof. The content may be changed without notice.

No rights can be derived from the information displayed on, the student portal, the employee portal, webs, student projects and electronic newsletters. No guarantee is given for the faultless and uninterrupted functioning of the HKU websites.