Protecting Personal Data

Protecting your privacy is important to Maastricht University (UM). Therefore, we treat your data with care. UM is the controller of your personal data. 

We receive personal data directly from you or from a third party that is authorised or required to share this personal data with UM. 

This is an overview of the categories of (special) personal data that UM may process.

Data processing  

We only process personal data based on lawful grounds, primarily to fulfill our public tasks in academic education and research. Additionally, we may process personal data for the following reasons and only with individual consent: 

  • To fulfill contractual obligations 
  • To comply with legal obligations 
  • To protect vital interests of individuals or third parties 
  • To serve UM's or a third party's legitimate interest 


For further processing, we ensure the new purpose aligns with the original one for collecting the data. This is in accordance with the General Data Protection Regulation (GDPR), which permits further processing of personal data for historical, statistical, or scientific purposes if compatible with the original purpose. 

Privacy regulations / General Data Protection Regulation (GDPR) 

The GDPR harmonises privacy legislation in all EU states. In line with the GDPR, we established our own policy rules (PDF) and Regeling Functionaris Gegevensbescherming (PDF, Dutch only). If you work with, or have saved, files containing personal data, it’s important to understand this law. 
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens or AP) supervises the implementation of the GDPR and offers information and advice. 

Read the full text of GDPR (PDF) and find the complete overview of our privacy statements.

More information about working with personal data and GDPR in general:

Retention periods personal data 

UM follows a strict policy of retaining personal data only for as long as necessary to fulfill its processing purposes. Each type of processing has a defined retention period, with specific terms. 

In certain instances, UM is obligated by law to retain data. For instance, under the Public Records Act (Archiefwet), we must retain students' degree certificates for a period of 30 years. The retention periods based on this Act are outlined in the Selectielijst Universiteiten en Universitair Medische Centra 2020 (Dutch only). 

Recipients of personal data 

UM ensures only those individuals who need to process your personal data have access to it. In addition, we may share data with parties outside of UM under the following circumstances:  

  • Third parties associated with UM (e.g. Limburg University Fund or Maastricht Academic Hospital) 
  • Government bodies (e.g. the Education Executive Agency (DUO)) 
  • Other educational institutions 
  • Third parties (e.g. suppliers of software used for processing personal data) 

International processing 

We may share your personal data with international (EU) parties. If so, UM ensures your personal data are treated with care and processed securely. 

If a country's level of protection is deemed inadequate by the European Union and the relevant organisation is not subscribed to the EU-US Privacy Shield, UM will establish an agreement with the relevant party based on standard data protection provisions set by the European Commission or take other appropriate measures in accordance with the GDPR. For more information, please contact: 

Maastricht University 
attn. Data Protection Officer 
PO Box 616 
6200 MD Maastricht 
privacy@maastrichtuniversity.nl 

Data leaks; personal data security 

A data breach occurs when unauthorized parties gain access to or modify personal data, potentially causing harm to the individuals involved. In the event of a suspected data breach, it is imperative for UM to promptly report it to the Dutch Data Protection Authority (AP) within 72 hours. 

Use this form to report a data breach. 

Has your laptop, phone, or other device been stolen, or do you suspect a virus or other security incident? Please notify the Servicedesk ICTS immediately: servicedesk-ICTS@maastrichtuniversity.nl or call 043 - 388 55 55 (8:00 - 17:00 during working days).  

Visit Information Security to learn about our current policy, the Acceptable Use Policy we all must adhere to, and find helpful tips and tricks regarding passwords, email, and use of tablets and smartphones. 

For general cybersecurity tips, please visit UM Cybersecurity.