Kast met ordners, foto Viktor Talashuk

Handling personal data with care

How does Tilburg University account for its data processing?

The GDPR places more responsibility on organizations to demonstrate that they comply with the privacy rules. By complying with this accountability, they make an important contribution to the protection of people's fundamental right to privacy.

Such internal, sometimes external, benefits can be requested using the form 'incidental benefits'.

Data Protection Impact Assessment

In certain situations, the university may be required to carry out a Data Protection Impact Assessment (DPIA). This is a tool that can be used, for example, when building ICT systems and creating data files, to map out the privacy risks of the associated data processing(s) in a structured and clear manner and to take appropriate measures to reduce the chance of the risks and their impact.

A DPIA does not have to be carried out for every data processing operation. A DPIA is only mandatory if a data processing operation is likely to pose a high privacy risk to the data subjects (the persons whose data are being processed).

This is in any case a case of misconduct: 

  • Systematic and comprehensive personal aspects are evaluated, including profiling.
  • Special personal data are processed on a large scale.
  • Large-scale and systematic tracking of people in a publicly accessible area (e.g. with camera surveillance).

Apart from these three situations, the AVG does not provide an overview of high-risk processing.

The European privacy regulators have drawn up 9 criteria. As a rule of thumb, you can stipulate that you must carry out a DPIA if your processing satisfies 2 or more of the following 9 criteria, unless a similar DPIA has already been carried out in our organisation.

  1. Assess people on the basis of personal characteristics.
  2. Automated decisions.
  3. Systematic and large-scale monitoring.
  4. Sensitive data.
  5. Large-scale data processing.
  6. Linked databases.
  7. Data on vulnerable persons.
  8. Use of new technologies.
  9. Blocking of a right, service or contract.

In addition, the Personal Data Authority (AP) has a list of processing operations for which a DPIA is mandatory.

The implementation of a DPIA is assigned to the data controller. In practice this means that the person who is going to carry out the processing also carries out the DPIA. To achieve a good DPIA, it is in many cases desirable to carry out the DPIA with a multidisciplinary team. In addition, advice must be obtained from the FG.  

More information