GDPR

GDPR principles

When are you allowed to query and process data? Every time personal data is processed, the privacy of the people it concerns is invaded. Therefore, personal data may only be processed in accordance with the principles set forth in the GDPR.

The GDPR principles determine, among other things, that:

  • no more data may be collected than necessary;
  • the data must always be stored securely; and
  • the data should be removed when the purpose for which it was collected has been achieved.

These requirements are further elaborated in the GDPR in twelve principles, the so-called Fair Information Principles. These principles concern, for example, the legality and correctness of registrations, the rights of the data subjects and the university's obligation to take appropriate security measures.

It is the responsibility of Tilburg University and its employees to ensure that these principles are complied with at all times.

The 6 bases for processing

The most important duty resulting from the GDPR is to guarantee the principle of legitimacy in all data processing. This means, among other things, that the reason for processing personal data must be legitimate. The GDPR lists 6 reasons (bases) for which personal data may be processed. It is the responsibility of Tilburg University to assess which basis applies to a processing operation, so the basis must be determined before data processing starts.

The GDPR contains the following 6 bases for processing personal data:

  1. You have permission from the person you are dealing with.
  2. It is necessary to process data in order to execute an agreement.
  3. It is necessary to process data because Tilburg University is legally obliged to do so.
  4. It is necessary to process data in order to protect vital interests.
  5. It is necessary to process data in order to perform a task of general interest or public authority.
  6. It is necessary to process data in order to protect the legitimate interests of Tilburg University.

Make sure that you are able to substantiate why the chosen basis applies. The basis must in any case be stated in the notification form for the processing register. For more information about this, see the page on Tilburg University's obligations.

Exception: special and criminal data

Please note that these rules only apply to 'ordinary' personal data. Do you want to process special personal data, such as data about someone's health, or criminal data? That is prohibited unless you meet a number of strict requirements. In that case, having a basis is not enough. More information can be found on the page 'Which personal data should I handle with care?'

Personal use

Processing personal data for purely personal use is always permitted. Think, for example, of a birthday calendar or a file with the addresses of family and friends.