Data will be processed in accordance with the General Data Protection Regulation (GDPR), and based on the HKU Privacy Regulations (Privacyreglement HKU).
Scope
This general privacy statement applies to all data processing operations that take place under the responsibility of HKU.
Responsibility
Within the framework of the GDPR, the Executive Board of HKU is responsible for the processing of personal data by HKU.
Stichting Hogeschool voor de Kunsten Utrecht / HKU
Nieuwekade 1, 3511RV Utrecht
Postbus 1520, 3500BM Utrecht
030-2091509
Target groups
We process data of the following groups:
- Students
- Alumni
- Course participants
- Employees
- Hired third parties
- Partners
- Course applicants / interested persons
- Job applicants
Objectives
We process data for at least the following purposes:
- Educational logistics
- Operations & Finance
- Facility Affairs
- Human Resources
- Relationship management
- Recruitment and selection
- Protection of safety, health and integrity
- Research
Your data will only be processed under one of the principles described in the GDPR. In the main, we process your data with your consent, in order to comply with a legal obligation, or because we have a legitimate interest as a higher education institution. Data will only be processed for the purposes for which it was obtained.
Personal data
Amongst other things, we process the following data:
- Contact details (name, address, postal code and town, email address, telephone number)
- Gender and date of birth
- Student number
- Registration details
- Study progress data
- Examination and certification data
- Attendance information
- Timetable data
- Payment details
- Visual material
- Account data, login data and usage data
- Data on health and performance of employees
Where possible, we aim to pseudonymise or anonymise data as much as possible.
Rights
Pursuant to the GDPR, you have a number of rights that you can exercise with regard to your personal data:
- Right to information about processing operations
- Right of inspection of data
- Right to rectify inaccurate data
- Right of deletion of data and 'right to be forgotten'
- Right to restrict data processing
- Right to oppose data processing
- Right to transfer of data (data portability)
- Right not to be subject to automated decision-making
- Right to revoke consent given
We are obliged to respond to your request within 30 days. Requests will be reviewed by us for reasonableness and feasibility. If we need your data for processing of major importance, we may refuse a request to delete or stop processing. When you submit a request to us to exercise your rights, we may ask you to identify yourself.
Third party data sharing
The starting point is that your personal data will only be used by HKU. In some cases your personal information will be shared with other parties:
- Public authorities in the event of a legal obligation
- Third parties (e.g. software suppliers, insurers) who need the personal data to provide their services.
For the sharing of data with third parties, we draw up processor agreements to ensure that the necessary appropriate organisational and technical measures are in place for securely processing of your data.
Data will only be shared outside the EU if there is an adequate level of protection in accordance with European law.
Retention periods
All personal data no longer required for the original purpose will be deleted as soon as possible. Some data is subject to a statutory retention period (e.g. certification data and data for reporting to the tax authorities). This data will only be deleted after this period has expired.
Technical and organisational security
We ensure appropriate and up-to-date technical and organisational security to protect the personal data we process against loss or any form of unlawful processing. For the processing of sensitive personal data, we draw up integrity rules and codes of conduct.
Data protection officer
If you have any questions, please contact Teije ter Maat, HKU's Data Protection Officer (DPO), via fg@hku.nl. The DPO advises on privacy legislation and monitors compliance within HKU. The DPO is also the contact person for the national supervisor, the Dutch Data Protection Authority. The DPO is independent and reports to the Executive Board.
Version: August 2019
HKU is entitled to amend the content of this privacy statement at any time.