Personal data protection regulations
Wageningen University & Research handles personal data carefully, reliably and transparently. We consider integrity to be self-evident. We protect the personal data of our staff members, students and relations.
Within Wageningen University & Research (WUR), personal data are processed in various ways. These regulations describe the tasks, responsibilities and procedures with regard to the processing of personal data within WUR and apply to all data processing operations within WUR. The overarching policy and underlying principles have been laid down in the Policy Document on the Processing of Personal Data. These regulations use the same terms as those used in the applicable privacy legislation. The applicable legislation is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, or ‘GDPR’) and the GDPR Implementation Act.
The Executive Board of Wageningen University and the Executive Board of Wageningen Research Foundation are jointly responsible for the processing of personal data at WUR. The risk management of privacy protection and information security falls under principle 9 of the WUR Code of Good Governance.
Personal data protection regulations
What personal data do we process?
WUR processes many different types of personal data. This is limited to those personal details that are necessary for the purposes of the processing operations. Additionally, WUR processes personal details in the manner that is the least intrusive for those involved.
The type of personal data that WUR processes depends on your relationship with WUR: WUR processes all details of our staff members that are necessary for the proper fulfilment of the employment contract; WUR processes all details of our students that are necessary for the proper completion of the study programme; WUR processes all details of our clients, suppliers and other relations that are necessary for the execution of agreements.
The data processing overviews below provide a clear summary of the personal data we process:
Why do we process personal data?
At WUR, personal data are processed for the following purposes:
1. Educational purposes
Such as implementing, adjusting and monitoring internal and external educational processes, including the application, enrolment and deregistration of students, PhD students, external students, contract education participants, course participants and alumni; offering education; administering tests, student examinations and interim examinations; offering facilities to students, and preventing fraud.
2. Research purposes
Such as acquiring, executing and monitoring internal and external research and contract research, including the recording of information from test subjects and communication about research.
3. Internal administration purposes
Such as implementing, adjusting and monitoring processes related to the current, future or former relationship, such as personnel policies, the payment of salary and fringe benefits, the calculation and collection of tuition fees, examination fees and other financial contributions, the provision of financial and administrative support to students and staff members and the safeguarding of legal rights. The protection of WUR’s data also falls under this purpose.
4. Contractual purposes
Such as entering into, implementing and terminating agreements with clients, contractors, partners, suppliers and buyers.
5. Purposes related to well-being
Such as providing advice, guidance and support and contributing in other ways to the physical and mental well-being of students and staff members, and to the security of property, people, grounds and buildings.
6. Purposes related to relationship management
Such as relationship and alumni management activities carried out by WUR, including preparing, sending and receiving information and organising and attending events, for example for partners, students and alumni.
What are the legal bases for processing personal data?
At WUR, personal data are processed on the following legal bases:
1. Consent
This is the legal basis for processing your personal data for well-being and relationship management purposes and for some research purposes, such as research involving data subjects.
2. Agreement
The fulfilment of a contract with you is the legal basis for educational, administrative and contractual purposes, insofar as these do not fall within the scope of the performance of a statutory task or the performance of a task in the public interest.
3. Statutory task
The performance of a statutory task or duty by WUR forms the legal basis for most educational purposes in accordance with the Higher Education and Research Act (WHW), but it is also an important basis for our administrative operations.
4. Vital interest
Protecting your vital interests or the vital interests of others is the legal basis for certain well-being purposes, such as camera surveillance in the event of incidents on the WUR campus.
5. Public interest
The performance of a task of public interest is the legal basis for many research projects, such as statutory research tasks or other research that serves a public interest. Public interest also serves as a basis for educational and well-being purposes.
6. Legitimate interest
The representation of the legitimate interests of WUR or of a third party is the legal basis for all the aforementioned purposes, insofar as the processing of data does not fall under any other purpose and insofar as the interest outweighs the importance of protecting your personal data. This applies in particular to certain marketing activities and research projects.
When data subjects are asked to share their personal data, WUR will clarify for each situation whether the provision of the data is necessary or mandatory as well as the possible consequences if the data are not provided.
Which additional rules apply to specific processing operations?
For some specific processing operations, additional rules apply in addition to these regulations. This concerns the following:
1. Research
WUR complies with the Association of Dutch Universities’ (VSNU) code of conduct for the use of personal data in scientific research.
2. Events
When you register for an event organised by WUR, WUR processes, based on your consent, the personal data that you provide when registering and during any subsequent contact. These data are necessary for the administration of your registration and for organising the event. These data are deleted as soon as possible after the event, unless you give your permission for further processing, such as subscribing to WUR’s newsletters.
3. Use of our websites
When using WUR websites, personal data and cookies may be collected. The rules with regard to the processing of personal data via the websites and applications can be found in the Privacy & Cookie Statement.
4. Online meeting tools
The use of online meeting tools and the recording of meetings by and of staff and students are subject to specific rules, which can be found in our Online meeting tools policy.
5. Camera surveillance
Camera surveillance takes place on the grounds and in the buildings of WUR for security purposes. The rules with regard to camera surveillance are stated in the Regulations for Camera Surveillance.
6. Use of WUR facilities
The Network Regulations for Staff and the Network Regulations for Students set out the rules for using WUR’s network facilities, equipment, software and data. Both regulations stipulate that WUR is authorised to investigate misuse of facilities and to process personal data for that purpose.
In addition to these specific regulations, WUR has guidelines, best practices and standards for the processing of personal data in specific situations. This information is available on the intranet (login required) and from the WUR’s privacy team.
How do we protect your data?
WUR treats all personal data confidentially and applies a high-risk classification to special categories of personal data. The security of personal data at WUR and by the processors it engages takes place on the basis of generally accepted standards and best practices. The information security policy outlines WUR’s principles on information security, including security-by-design and security-by-default. The general standards NEN-ISO/IEC 27001 (Information and security requirements for management systems) and NEN- ISO/IEC 27002 (Code for information security) are used as best practices for information security.
WUR has secured access to personal data by taking appropriate electronic and physical measures to protect such data from unauthorised access and unlawful processing. The specific security measures are always proportionate to the nature of the personal data and the respective risk classification. WUR’s security efforts comprise the following measures:
- Personal data and the applications that are used to process personal data are protected at all levels of the information chain against the risks of loss of availability, breach of personal data integrity and unlawful processing (including hacking, phishing and ransomware, etc.).
- Personal data are encrypted and processed in pseudonymised form where possible, in particular where personal data are processed in research projects.
With whom do we share your data?
Personal data may be shared with persons or organisations outside WUR in various situations.
First of all, WUR engages processors who process personal data under the responsibility of WUR. This includes software suppliers, hosting providers, maintenance companies and security firms. WUR has concluded agreements with these processors concerning the processing and protection of WUR’s personal data.
WUR can also transfer personal data to its partners and institutions, such as other educational and governmental institutions, collaborative partners, internship organisations, student housing corporations and student and study associations.
WUR exercises caution when sharing personal data and assesses each transfer in accordance with the principles of the GDPR. WUR makes agreements with all recipients regarding the processing and protection of personal data.
How do we handle the transfer of your data outside the EEA?
How long do we store your data?
Personal data will not be kept longer than is necessary for the purposes for which they are used. Retention periods can sometimes be legally established, such as in the case of financial data and study results. WUR’s retention and archive policy is based on the Selection List for Universities and University Medical Centres (2020).
WUR will delete the personal data it processes upon expiry of the applicable retention period or, if the personal data are intended for historical, statistical or scientific purposes, archive them in a secure manner, pseudonymised or anonymised where possible.
How can you exercise your rights?
A data subject may request access to and the correction, addition, deletion, transfer or blocking of the personal data relating to them. Such a request can be submitted by following the procedure described on the Integrity and privacy page of WUR. A request regarding the personal data of minors must be submitted by their legal representative.
A response to the request will be made within four weeks. The reply will indicate whether the request is well-founded and, if so, what follow-up actions will be taken and within what time period. Every first application can be submitted free of charge. In the event of misuse, the applicant will be charged for the costs incurred by WUR in connection with the request.
For the processing of personal data in research, specific rules apply regarding the rights of those involved. WUR will provide more detailed information about this prior to your participation.
How can you submit a question, complaint or objection?
In some cases, you may lodge an objection to the processing of your personal data by WUR, if this processing took place on the grounds of:
- the completion of a public legal task;
- the representation of the legitimate interest of WUR or of a third party to whom the data are provided;
- processing for scientific, historical, or statistical purposes, unless it concerns research that is of public interest;
- using the personal data for direct marketing and profiling purposes.
In addition to the above-mentioned opportunities to submit requests and objections, anyone can submit a complaint about the processing of personal data by WUR.
The complaint or objection can be submitted digitally to the WUR’s privacy team. An objection or complaint regarding the personal data of minors must be submitted by their legal representative.
A complaint or appeal will be replied to within four weeks. If possible, the reply will indicate whether the objection or complaint is well-founded and, if so, which follow-up actions will be taken and within which time frame. If the appeal or complaint is well-founded, WUR will take the necessary steps to terminate the processing operation. In the event of misuse, the submitter will be charged for the costs incurred by WUR in connection with the complaint or objection.
Who is our Data Protection Officer?
The WUR’s Data Protection Officer monitors compliance with privacy legislation and issues advice on its application.
The WUR’s Data Protection Officer can be contacted via email.
These regulations shall replace all previous regulations regarding the protection of personal data and may be referred to as Regulations for the Protection of Personal Data at Wageningen University & Research. The regulations have been approved by the participational bodies and were adopted on 8 March 2022.
In all cases that are not covered by these regulations, the Executive Board of WUR will have the final say.