UM General Privacy Statement

Introduction
Protecting your privacy is important to Maastricht University (UM) and UM therefore treats your data with care. UM is the controller of your personal data. This privacy statement explains how UM handles personal data. Your personal data may be collected and processed for a specific purpose. If this specific purpose is not expressly specified in this privacy statement, you will be informed in advance about this specific purpose in a separate privacy statement.

Contact details
If you have a query about this privacy statement or you want to know more about how UM handles personal data, or if you have a complaint, please contact:

Maastricht University
attn. Data Protection Officer
Postbus 616 6200 MD Maastricht
privacy@maastrichtuniversity.nl

You can also contact UM’s Data Protection Officer directly by emailing fg@maastrichtuniversity.nl.

What personal data does UM process?
UM always has a purpose for protecting personal data, and does not process more data than is necessary for that purpose. A general overview of these purposes can be found further on in this privacy statement.

UM receives personal data directly from you or from a third party that is authorised or required to share this personal data with UM.

An overview of the categories of (special) personal data that UM may process is set out below:

Category of personal data	Examples
Name and address details	name, address, postal code, town/city
Age-related data	age and date of birth
Contact details	email address(es) and telephone number(s
Gender
Nationality	Second/third nationality, place of birth
Education and professional experience	CV, certificates, diplomas
Financial data	IBAN, credit card details, salary, income, statements of expenses.
Identification data	BSN number, ID document number, passport photo
Student file-related data	Academic progress, marks, completed education, degree programme, assessments, matching, student ID, binding study advice, incident record, allocations from funds (e.g. student assistance fund).
Alumni-related data	Email address, telephone number, address for correspondence, nationality, language preference, academic details, career information, information on interaction with UM (e.g. participation in events), details of relationship status, subscription to newsletters, alumni circle institutions, personal data shared for a specific purpose (e.g. dietary requirements), financial information relating to sponsorship.
Account data	Login details, social media accounts, IP addresses.
Location data	Logging data, IP address, building access data
Usage data for UM facilities	Logging data, IP address, location data.
Biometric data	Passport photo
Photos and video images	Visual materials, promotional materials, camera images.
Medical data	Data relating to illness and absence, data relating to physical or mental disabilities, special circumstances in the context of study delay.
Academic research	Data (created) in the context of academic research.

Sensitive personal data are data that are special in nature. For example, these can be data that reveal your race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sexual orientation. The term sensitive personal data also includes data about your health, genetic data or biometric data through which you can be identified (e.g. a fingerprint). UM only processes sensitive data when it is permitted to do so by law.

Purposes
UM processes personal data for the following purposes:

educational activities;
alumni activities;
academic research;
operational management.

Education
In the context of its educational activities, UM processes the personal data of (prospective) students for the following purposes:

to establish the identity of students and potential students;
to inform potential students about UM’s degree programmes;
to recruit new students and to promote UM;
to perform matching;
to perform administrative proceedings relating to applications, enrolment/registration and
termination of enrolment/registration, and to calculate, record and collect tuition and exam fees;
to assess previous education and to manage draws, matching and selection;
to register students for courses and examinations and to record attendance;
to offer and provide educational resources, IT facilities and catering facilities;
to support students with a disability;
to record lectures;
to make digital content available through the university library;
to measure and improve the quality of education and educational facilities;
to prepare policy decisions in the field of education and to create management information for
UM’s management bodies;
to offer additional education, work placements, career preparation and other extracurricular
activities;
to organise and hold university elections;
to record academic results, test and examination results and to award degree certificates;
to advise and support students and to assess special circumstances in the context of a binding
study advice;
to advise on and process complaints, objections and appeals;
to comply with the statutory duty to retain alumni degree certificates;
to keep the university’s buildings secure;
to keep information and IT facilities secure and to ensure that they function effectively.

Alumni activities
In the context of alumni activities, UM processes the personal data of alumni for the following purposes:

to obtain funds from alumni;
to maintain digital and other contact with alumni;
to conduct research into and amongst alumni;
to offer services to alumni.

Staying in touch
After graduation, UM stays in touch with its alumni via the email address they provided when registering. The alumnus may unsubscribe from such messages at any time.

Analytics
To provide alumni with relevant information, data that have been made available by them to UM can be analyzed if the alumnus in question has registered for this. This analysis involves looking at preferences, interests and behavior like the participation of an alumnus in activities organized for alumni. This type of processing has no legal consequences for alumni.

Research
UM may process your personal data in the context of academic research. UM does this in the public interest, in the interests of UM’s partners and/or in the legitimate interests of UM itself. You will always be specifically informed about this and, where necessary and required by law, will be asked for your consent.

Operational management
In the context of its operations, UM processes personal data for the following purposes:

to prepare policy decisions in the field of operations and to create management information for UM’s management bodies;
to organise and hold university elections;
to process complaints, objections and appeals and to deal with other legal matters;
to keep financial records and to draw up and approve annual accounts and budgets;
to take photos and record videos during events;
to carry out marketing activities
to perform (internal) audits;
to train new employees and to maintain the quality of the customer service;
to draw up UM’s annual reports;
to complete accreditation and certification processes;
to offer and provide products and services;
to purchase products and services and to manage contracts;
to secure, maintain and run the university’s buildings;
to secure information and ensure the proper functioning of IT facilities;
to cooperate in police investigations;
to inform the contacts of students and staff in the event of an emergency;
to keep a record of incidents and reports concerning (suspected) domestic violence and/or child abuse;
to compile user statistics for UM’s facilities.

UMcard
The UMcard enables use of the facilities offered by UM and, where relevant, Maastricht academic hospital (azM). Every student receives a UMcard on enrolment. The UMcard is used within UM as a proof of identity. The UMcard can be used for the following purposes:

access control (buildings and car parks);
payments;
library applications;
identification;
statistic data regarding its to efficiently utilize UM buildings and grounds;
monitoring of UMcard abuse.

Camera surveillance
UM uses cameras for the following purposes:

to protect the health and safety of staff, students and visitors to UM;
to safeguard access to UM buildings and sites;
to protect property present in UM buildings or on UM sites;
to record incidents;
to regulate traffic flows for students, staff and visitors to UM.

Newsletter
UM sends UM news and messages from the Executive Board and/or the dean of your faculty to students by email on a weekly basis. You cannot unsubscribe from these newsletters unless you are an alumnus.

UM also sends out other newsletters. You can subscribe to receive these newsletters. If you subscribe to such a newsletter, you will receive it at the email address you have specified until such time as you unsubscribe. This option is provided in the newsletters themselves.

In order to be able to measure the efficiency and relevance of the above-mentioned newsletters, statistics are kept on the interaction between the recipients and the information sent.

UM Magazine
UM greatly values its partnerships. So, if you are partner of UM, UM will send you the UM Magazine by post on a regular basis. You can unsubscribe to the UM Magazine at any time. To do so, please email UM at magazine@maastrichtuniversity.nl or call +31 43 388 5222.

ICT facilities, including the (Wi-Fi) network
If you use UM’s ICT facilities, including the (Wi-Fi) network, personal data, such as the identification number (MAC address) and technical characteristics of your device, your login code and your IP address, are collected automatically. These data are only used to monitor the integrity and security of the ICT facilities and to prevent abuse. It will be deleted after six months, unless a longer retention period is necessary to deal with an incident. The conditions governing use of the ICT facilities are set out in detail in the Acceptable Use Policy (AUP).

If you use ICT facilities for illegal activities or otherwise in contravention of the provisions of the AUP, in addition to other measures, access by your device to UM’s network may be blocked.

UM’s website

Cookies
The UM website uses cookies. Cookies are small text files that are placed on your computer, mobile phone or tablet when you consult pages on the UM website. The next time you visit the UM website, the information stored in this cookie can be read by UM’s servers. Like virtually all websites, the UM website uses cookies to offer you the best possible user experience when you visit our website.

UM uses cookies:

so you only have to set specific preferences during and between visits to the UM website once;
to make the website faster;
so you can share certain pages via social media, such as Facebook and Twitter;
to enable it to analyse website usage;
to enable it to optimise the site and improve its contents.

You can learn more about the cookies that UM uses in UM’s Cookies Policy.

Secure connection
Whenever you visit the UM website, a secure connection is established between your device and the UM website.

Recording lectures
As a service to its students, UM can record lectures so that students can watch them later. This can be an audio or an audio and video recording.

Students are kept out of the picture as much as possible by placing cameras in a fixed place and alerting students to the recording in advance.

If you are recognizable in a recording of a lecture and you object to this, you can report this in writing to the MediaSite administrator of your faculty. Where possible, the administrator of MediaSite in your faculty will take measures to make you unrecognisable in the recording.

The system that makes it possible to watch recorded lectures keeps track of user statistics, such as how long a lecture has been watched and by whom. The faculty key-user has access to these statistics, but only provides them in anonymised form to others, including lecturers. UM has a legitimate interest in keeping these statistics, because they are used to improve the service to students and measures have been taken to reduce the impact on students’ privacy to a minimum

Recordings of lectures will only be made available to students enrolled in the course to which the lecture relates; they will not be made publicly available to everyone.

Guest lecturers
Guest teachers are asked by means of a consent form for their consent to make a recording . This consent may be withdrawn at any time. Withdrawal of consent has no retroactive effect.

Recording calls
When you contact the UM, more specifically the Student Service Centre, by telephone your conversation may be recorded. S is announced in advance. Telephone conversations are recorded to train (new) employees, but also to monitor the quality of the telephone conversations.

UM has a legitimate interest in recording telephone conversations, because the recordings enable UM to improve its service, while the infringement on student privacy is limited. The recordings are retained for six months and then automatically deleted.

Taking photos and recording video
During events and meetings organized by UM photos may be taken and videos may be recorded. This is announced in advance and / or on site by the UM.

Depending on the circumstances under which the photos and videos are made, UM has a legitimate interest (journalistic purpose) in taking such photos and videos. In other cases, consent will be requested for making and publishing video recordings.

Lawful basis for the processing of personal data by UM
Whenever UM processes your personal data, it does so with a lawful basis for processing. A lawful basis for processing is the grounds for processing personal data.

UM primarily processes your personal data to perform its public tasks in the field of the provision of academic education and research. However, UM may also process your personal data:

to perform a contract with you;
to comply with a statutory obligation;
to protect your vital interests or the vital interests of a third party;
to serve the legitimate interests of UM or a third party;
with your consent.

Further processing
The basic principle is that UM uses personal data for the purpose for which the data was collected. In some cases, UM uses the personal data collected for other purposes too. These purposes must always be compatible with the original purpose of processing. Before further processing takes place, UM therefore carefully considers whether the new purpose is compatible with the original purpose of processing.

According to the General Data Protection Regulation (GDPR), further processing of personal data for historical, statistical or scientific purposes is compatible with the original purpose of processing.

Retention periods
UM does not keep personal data for longer than is necessary to achieve the purpose of processing. UM has defined a retention period for each type of processing. If this retention period can be extended, the terms under which it may be extended are also specified.

In some cases, UM is subject to a statutory duty of retention. Pursuant to the Public Records Act (Archiefwet), for example, UM is required to keep students’ degree certificates for 30 years. The retention periods based on the Public Records Act are specified in the Basic Selection Document for Academic Education (Basisselectiedocument Wetenschappelijk Onderwijs).

Personal data can also be kept for a longer period for historical, statistical and scientific purposes. If you would like to know the retention period for a specific type of processing, please contact UM as follows:

Maastricht University
attn. Data Protection Officer
PO Box 616
6200 MD Maastricht
privacy@maastrichtuniversity.nl

You can also contact UM’s Data Protection Officer directly by emailing fg@maastrichtuniversity.nl.

Recipients of personal data
UM has taken steps to ensure that only those individuals who need to process your personal data have access to it. In addition, UM may share data with parties outside of UM under the following circumstances:

Third parties associated with UM
UM may share personal data with parties that are associated with or affiliated to UM, e.g. the Limburg University Fund or Maastricht Academic Hospital. Where required by law, written contracts concerning the processing and security of personal data have been concluded with these parties.

Government bodies
UM may share personal data with other government bodies where required to do so by law, e.g. the Education Executive Agency (DUO). Personal data may also be shared with other government bodies on the grounds of other compelling legitimate interests, e.g. the reporting of a theft or assistance with an (police) investigation.

Other educational institutions
UM may share your personal data with other educational institutions where this is necessary for the provision of education jointly with that institution or for the performance of academic research in conjunction with that institution. UM concludes written agreements with these parties concerning the processing and security of personal data.

Third parties
UM shares data with third parties where this is necessary for the performance of its tasks, e.g. suppliers of software that is used to process personal data or other service providers that need personal data to provide their services. UM concludes written agreements with these parties concerning the processing and security of personal data.

International processing
UM may share your personal data with a party outside of the European Union or an international organisation. UM will ensure that your personal data are treated with care outside of the EU, and that they are processed securely.

Some countries have been designated by the European Union as countries with an adequate level of data protection. In other words, the statutory level of data protection is, at minimum, as high as it is within the EU. In that case, UM does not need to take additional measures.

The EU has not designated the United States as a country with an adequate level of protection. Parties may, however, subscribe to the EU-US Privacy Shield. Under this framework, they demonstrate, through self-certification, that their level of data protection is adequate. In that case, UM does not need to take additional measures.

If the level of protection in a country is regarded by the European Union as inadequate and the relevant organisation has not subscribed to the EU-US Privacy Shield, UM will conclude an agreement with the relevant party based on standard data protection provisions laid down by the European Commission or it shall take other appropriate measures in accordance with the GDPR. To find out more about this, please contact UM as follows:

Maastricht University
attn. Data Protection Officer
PO Box 616
6200 MD Maastricht
privacy@maastrichtuniversity.nl

You can also contact UM’s Data Protection Officer directly by emailing fg@maastrichtuniversity.nl.

Your rights
Privacy legislation gives you a number of rights in relation to your personal data. Your rights, as well as how to exercise them, are set out below.

Exercising your rights
If you wish to exercise one of the rights described below, please fill out the GDPR request form. You can also email privacy@maastrichtuniversity.nl or contact the Data Protection Officer directly at fg@maastrichtuniversity.nl.

UM will inform you, within a month of receiving your request, whether and, if so, how your request will be dealt with. This time limit may be extended by one month on two occasions. If the time limit is extended, you will be notified in good time that this is the case.

ID
In order to be sure that information is shared with the right person, UM may ask you for proof of ID when you exercise your rights. If you are providing proof of your identity in the form of an identity document, it is advisable to use the KopieID App to make a secure copy of the document. This is an app created by the government that allows you to add a watermark to the copy of your identity document and to delete data that are not required. UM requires you, at the very least, to render your BSN number and passport photo and the so-called Machine Readable Zone at the bottom of the document illegible.

Charges for exercising your rights
Exercising your rights under the new privacy legislation is free of charge. If you request additional copies, however, UM may charge you an administrative fee. You will be advised of this in advance.

If your request is manifestly unfounded or excessive, particularly if you repeatedly submit a request, UM may charge an administrative fee for processing your request or refuse to accept the request. You will be advised of this in writing.

Right of access
You have the right to know whether your personal data are being processed by UM. If they are, you also have the right to know what data are being processed, for what purpose, whether and with whom they are being shared and how long they will be retained. You have no right of access to other people’s personal data. Furthermore, the right of access can be limited to protect the rights and freedoms of others, including the including trade secrets or intellectual property and in particular the copyright protecting the software.

Right to rectification
If the personal data relating to you that UM is processing are found to be incorrect, you have the right to have these data corrected. If the personal data relating to you that UM is processing are found to be incomplete, you have the right to have these data completed.

Right to erasure
You have the right to have personal data relating to you that UM is processing erased, but only in the following circumstances:

Your personal data are no longer necessary for the purpose for which they were being processed.
You have withdrawn your consent and UM has no other lawful basis for continuing to process your personal data.
You have objected to the processing and UM has no compelling legitimate grounds for continuing to process your personal data.
It has been proven that your personal data have been processed unlawfully.
UM has a legal obligation to erase your personal data.

You do not have the right to erasure in the following circumstances

The processing of your personal data are necessary to exercise the right of freedom of expression and information.
UM has to process your personal data in the context of a legal obligation and/or a task carried out in the public interest.
The processing of your personal data is necessary for public health purposes in the public interest.
The processing of your personal data is necessary for archiving purposes in the public interest, scientific research or statistical purposes, and erasure of the data is likely to render impossible or seriously impair the achievement of these purposes.
UM requires your personal data for the establishment, exercise or defence of a legal claim.

Right to restrict processing
You have the right to stop UM from processing your personal data (temporarily), without it being deleted. You only have this right in the following circumstances:

You contest the accuracy of the personal data processed by UM.
Your data have been processed unlawfully, but you do not want the data to be deleted.
UM no longer needs your personal data, but you need it in order to establish, exercise or defend a legal claim.
You have objected to the processing of your personal data by UM and are waiting for UM’s response.

If processing is restricted, your personal data will continue to be stored by UM. UM will only process personal data in respect of which processing has been restricted:

with your consent;
to establish, exercise or defend a legal claim;
to protect another person’s rights;
for reasons of important public interest.

Right to data portability
If personal data are processed on the basis of your consent or for the performance of a contract, you have the right to have these personal data transferred to a third party. The processing must be digital. In addition, transfer of the data must not adversely affect the rights of others.

Right to object
If UM processes your personal data on the basis of a task carried out in the public interest or on the basis of its legitimate interests, you can object to this. UM will then weigh up the various interests once again. If, having weighed up all the interests involved, UM believes that it has compelling legitimate grounds for continuing to process your personal data, your objection will be rejected. The same applies if your personal data are necessary for the establishment, exercise or defence of a legal claim.

Rights related to automated individual decision-making, including profiling
In principle, UM does not make decisions based solely on automated individual decision-making, including profiling. An exception to this is the automatic blocking of ICT facilities where the integrity and security of these facilities is at stake. In this event, UM will endeavour to reach a solution with you as quickly as possible.

Right to withdraw your consent
If your personal data are processed on the basis of your consent, you can withdraw this consent at any time. The withdrawal of your consent does not have retroactive effect.

Complaints
If you have a complaint about the way UM processes your personal data, please contact UM using the contact details below.

Maastricht University
attn. Data Protection Officer
PO Box 616
6200 MD Maastricht
privacy@maastrichtuniversity.nl

You can also contact UM’s Data Protection Officer directly by emailing fg@maastrichtuniversity.nl.

Additionally, you can submit a complaint to the Dutch Data Protection Authority. Details of how to do this can be found on the Data Protection Authority’s website.

Changes to this privacy statement
This privacy statement will be revised from time to time to ensure that it remains up to date. In the event of major changes, you will be notified.

Specific privacy statements
Your personal data may be processed for a specific purpose. In that case, a separate privacy statement might have been drawn up for that specific processing activity. An overview of privacy statements for specific processing: