Privacy Statement TU/e
Version August 16, 2018
Eindhoven University of Technology respects the privacy of students, employees and other persons whose personal data it processes.
TU/e processes personal data for purposes including the provision of research & valorization, education and its operational management, within the framework of statutory obligations and to protect legitimate interests of TU/e and third parties.
TU/e acknowledges that the personal data which it processes are valuable for the data subjects and that careless treatment of personal data by TU/e may result in infringements of privacy and may lead to other disadvantages or damage to data subjects.
TU/e is an internationally prominent university, specialized in science & technology with high-quality education and research. It stands to reason that TU/e should also be a reliable education and research institute, a reliable employer and a reliable cooperation partner and commissioning authority, also as regards the protection of personal data.
The TU/e Executive Board states that:
- TU/e assumes responsibility for the careful treatment of the personal data which it processes;
- TU/e will comply with applicable legislation and regulations, such as the General Data Protection Regulation (GDPR);
- TU/e will be proactively transparent about the processing of personal data, the purpose of such processing and the manner of its execution;
- TU/e applies privacy-by-design and privacy-by-default as starting points in the processing of personal data; and
- TU/e will adequately protect the personal data for whose processing it is responsible.
Scientists from TU/e conduct research into privacy and related subjects. TU/e uses the resulting knowledge in the setup and implementation of the policy.
(Contact details) Data Protection Officer
Data Protection Officer (DPO)
General questions and/or complaints in connection with (the processing of) personal data can be reported via firstname.lastname@example.org. This mailbox is managed jointly by the Chief Information & Security Officer, the Privacy & Security Officer and the Data Protection Officer.
A register will be kept of questions or complaints with a (potentially) significant impact. If the personal data of the data subject(s) or the business processes, the finances or the reputation of TU/e are seriously jeopardized, in any case the Executive Board and the Data Protection Officer will be notified.
The University has appointed Ms. A.H.J. (Annuska) van den Eijnden as Data Protection Officer. As an independent, internal supervisor and advisor she is charged with the supervision of the compliance with the applicable legislation in the area of personal data. The Data Protection Officer can be reached via telephone number 040-2476079 and/or email address email@example.com.
Computer Emergency Response Team (CERT)
The core task of the CERT is the detection and correction of incidents, more specifically the signaling and handling of information security incidents on the basis of predetermined categories and prioritization. If criteria are satisfied, the CERT alerts the local or central TU/e emergency team. Incidents that cannot be handled within the scenarios and frameworks are escalated to the Chief Information Security Officer (CISO).
The CERT can be reached via telephone number 040 - 247 5678 and email address firstname.lastname@example.org.
Duty to report data leaks
There is a data leak when there is a breach of the security of personal data which leads to any unauthorized processing of the data. This may be a theft of a laptop, a USB stick that has been left on the train or an email that has been sent to the wrong person. Data leaks must be reported to the supervisor within 72 hours after their discovery and in some cases the data subject(s) must also be informed.
A data leak may arise both within and outside TU/e. Anyone who notices a (possible) data leak or suspects that they themselves are part of a data leak must contact the hotline for data leaks of personal data TU/e via email@example.com. A report of a (possible) data leak must be made as soon as possible. A register will be kept of every data leak and its handling.
Rights of data subjects
The General Data Protection Regulation (GDPR) gives Data Subjects rights with which they can exercise control over the Processing of their Personal Data. A request for information, inspection, rectification, addition, removal or restriction of the Processing can be submitted in writing to firstname.lastname@example.org. This mailbox is managed jointly by the Chief Information & Security Officer, the Privacy & Security Officer and the Data Protection Officer.
The university ensures that the information and communication is provided to the Data Subject in a concise, easily accessible and understandable way and in clear and plain language. The language will be attuned to the target group.
A request from a Data Subject will be responded to in writing as soon as possible, but no later than four weeks after its submission. In this response the Data Subject will in any case be notified of the action that has been taken on the request. If the time period of four weeks is not reasonably feasible, the Data Subject will be informed thereof within this period. In that case the university will take action on the request of the Data Subject within two months after the expiry of the first period.
In the provision of the relevant information the university ensures that the identity of the person making the request is ascertained properly. To this end TU/e can ask for extra information.
A request for the exercise of one of the rights as elaborated in this chapter by a Data Subject, being a Minor, a person subject to a guardianship order or for whose benefit an administration or a mentorship has been granted, is made by that person’s legal representative. A reaction by TU/e will also be sent to this legal representative.
Right to object
For Data Subjects there are two grounds for objecting to a Processing:
1. In connection with his or her personal circumstances, every Data Subject can object to Processing at the university, if this Processing takes place pursuant to
a) the performance of a task carried out in the public interest or within the context of the exercise of official authority of the Controller, or
b) the pursuit of the legitimate interest of TU/e or of a Third Party to which the data are provided.
In case of objection TU/e will in principle cease the further Processing. If TU/e can show that its compelling legitimate interests override the interests or fundamental rights and the fundamental freedoms of the Data Subject, the Processing will be continued. If the objection is legitimate, TU/e will (free of charge) take the measures that are required to stop processing the Personal Data for the relevant purposes.
2. In a Processing for the purpose of ‘direct marketing’, a Data Subject will have the right to object at any time. In case of objection TU/e will immediately stop the Processing for direct marketing purposes (free of charge) and not resume this.
If the Data Subject is of the opinion that the legal provisions regarding privacy protection or the provisions of these regulations are not enforced correctly towards him or her, he or she can lodge a complaint in writing with the Data Protection Officer, email@example.com.
If TU/e has rejected the Data Subject’s request, the Data Subject can:
- file a complaint with a supervisory authority, the Personal Data Authority (www.autoriteitpersoonsgegevens.nl);
- initiate application proceedings before the subdistrict court. The application must be lodged with the subdistrict court within six weeks of receipt of the response from TU/e. If TU/e has not responded to the Data Subject’s request within the set period, the application must be lodged within six weeks after expiry of that period. It is not necessary for an application to be lodged by a lawyer;
- start an objection procedure, in conformity with the General Administrative Law Act [Algemene wet bestuursrecht; Awb]. An objection procedure must always be started within 6 weeks after notification of a decision from the university. Appeal against a decision on an objection lies to the District Court.
With a view to the safety and security of persons, buildings, sites and properties of TU/e, camera monitoring is used. This is also done for the registration of incidents: behaviors, disruptions, accidents or other events that impair or threaten the property, security or integrity of buildings, sites, persons and/or goods. The camera footage is not used for any purposes other than those mentioned above. Investigating officers can, by order of the Public Prosecution Service, gain access to the footage in so far as this is necessary for the performance of their legal duties.
Footage is retained for a maximum of four weeks, unless it involves an incident, request, objection or complaint. In those cases the relevant footage is retained as long as is necessary for its settlement. Immediately afterwards the footage will then be removed.