When are you allowed to query and process data?

This means that you must have a good reason to process personal data. The AVG lists 6 reasons. The legal name for those reasons is fundamentals. You therefore need a basis to be able to process personal data. It is Tilburg University's responsibility to assess which basis applies to the processing. This basis must therefore be determined before starting to process data.

The 6 bases

The GDPR contains the following 6 principles for processing personal data:

• You have permission from the person you are dealing with.
• It is necessary to process data in order to execute an agreement.
• It is necessary to process data because Tilburg University is legally obliged to do so.
• It is necessary to process data in order to protect vital interests.
• It is necessary to process data in order to perform a task of general interest or public authority.
• It is necessary to process data in order to protect the legitimate interests of Tilburg University.

Make sure that you are able to substantiate why the chosen basis applies. The basis must in any case be stated in the notification form for the processing register. For more information about this, see the page on Tilburg University's obligations.

Exception: special and criminal data

Please note that these rules only apply to 'ordinary' personal data. Do you want to process special personal data, such as data about someone's health? Or criminal data? That is prohibited. Unless you meet a number of strict requirements. In that case, having a basis is not enough. More information can be found on the page Which personal data should I handle with care?

Personal use

Processing personal data for purely personal use is always permitted. Think for example of a birthday calendar or a file with addresses of family and friends.