Sleutel in hand, foto CMDR Shane

Privacy statement

Tilburg University is a data controller within the meaning of the General Data Protection Regulation (GDPR). As set out in this privacy statement, the university is therefore open about the way in which data are processed by Tilburg University and its processors. It is of paramount importance that the university complies with the requirements set by the GDPR at all times.

How does Tilburg University inform about its processing of personal data?

Tilburg University complies with the  codes of conduct of Universiteiten van Nederland (Association of universities in the Netherlands), including the Code of conduct for using personal data in research. Tilburg University regularly aligns its policies and procedures with the opinions of personal data protection authorities, such as the Dutch Data Protection Authority and the European Data Protection Board (EDPB).

In the Privacy Statement Tilburg University informs those concerned about the processing of personal data. On the basis of this statement, a student, employee or other person involved may decide whether or not to enter into an agreement with the university or to make use of the services offered by the university. The privacy statement contains, among other things, information about the categories of personal data that are processed, the purposes for which these data are processed, the processing principles on the basis of which this is done, and the retention periods. In addition, data subjects are made aware of their rights arising from the GDPR. 

In case of fairly specific processing based on the consent of a data subject, the data subject should be explicitly informed about the processing by means of an informed consent that also refers to the general privacy statement of Tilburg University. This is regularly required for academic research and additional services based on consent.

Privacy Statements

Research

When conducting research with personal data, the GDPR (General Data Protection Regulation) applies and data subjects have the right to be informed about the use of their personal data. Usually, the data subject (i.e. participant in the research) is informed and gives consent at the time the data is collected. However, for some research projects, it is also possible that personal data are used that have not been collected directly from the data subject but, for example, by web scraping.

The data subject still has the right to be informed about the use of their personal data. It might also be that informing the data subject directly is impossible, would involve a disproportionate effort, or is likely to render impossible or seriously impair the research. In those cases, the data subjects will be informed via publicly available information about these research projects on this page in the form of privacy statements.

The necessary aspects with regard to privacy and security have been laid down in a processing agreement between Tilburg University and Qualtrics. The data collected through Qualtrics is stored in Europe, and Qualtrics adheres to a number of important international standards for continuity and privacy.

What rights do I have?

As a data subject, you have rights of access, rectification, forgetting, restriction of processing, transferability of data and the right to object and complain to a supervisory authority.

Right of access

The General Data Protection Regulation gives people more control over their personal data. They have the right to ask what data Tilburg University has about them. They are permitted to ask to see this data.

In the Tilburg University data register you can see which data we process for each category of data subjects, for what purposes this data is processed, how we have obtained this information and to whom we provide the data.

Tilburg University strives for greater transparency. Via our portals, more information is visible and can be updated by datasubjects themselves.

More information

For further information on the Tilburg University procedures, see the document Request to Access Personal Data.

Right to rectification

The General Data Protection Regulation gives people the right to have inaccurate personal data rectified or to add additional information to their personal data.

Every organization is responsible for ensuring that the personal data processed is accurate and that it is updated when necessary.

If, in view of the purpose for which it is being processed, personal data is incorrect, the organization concerned is obliged to take all reasonable measures to rectify or supplement this data. If an organization has provided third parties with inaccurate or incomplete personal data, it must also pass on the amended or additional data to these third parties.

Tilburg University strives for greater transparency. Via our portals, more information is visible and can be updated by datasubjects themselves.

More information

For more information about the procedures of Tilburg University, see the request to rectify personal data.

Right to be forgotten

Article 17 of the General Data Protection Regulation includes what is known as the right to be forgotten. According to this right, organizations must erase personal data in a certain number of cases if a data subject (the person whose data the organization is processing) requests this.

The right to be forgotten does not always apply. The right to be forgotten is applicable in a number of clearly-defined situations only.

The General Data Protection Regulation gives people the right to have inaccurate personal data rectified or to add additional information to their personal data.

More information

For more information about the procedures of Tilburg University, see the request to erase personal data.

Right to restriction of processing

In certain situations, the General Data Protection Regulation gives people the right to restrict the use of their data. The right to restriction of processing applies in situations that meet one of the following criteria:

  • The data may be inaccurate
  • The processing is unlawful
  • The data is no longer needed
  • The data subject has objected

More information

For more information about the procedures of Tilburg University, see the request to restrict processing of personal data.

Right to transfer data

The General Data Protection Regulation gives people in certain situations the right to receive the personal data in a structured, current and machine-readable form for the transfer to another controller. If technically possible, Tilburg University provides this transfer to the other organization itself. The right to data portability applies in situations that meet the following criteria:

  • Data is obtained on the basis of permission or agreement.
  • The processing is automated.

More information

For more information about the procedures of Tilburg University, see the request to transfer personal data.

Right to object

The General Data Protection Regulation gives people the right to object to the processing of their personal data. If an organization processes personal data for the purposes of performing a task in the public interest or on the grounds of a legitimate interest, data subjects have the right to object to the processing of this data. If someone objects to the processing of his or her personal data, the organization must refrain from processing the data.

If someone objects to the processing of his or her personal data, the organization must refrain from processing the data, unless there are grounds that outweigh the interest of the person concerned. This consideration does not apply to direct marketing.

More information

For more information about the procedures of Tilburg University, see the object to the processing of personal data.

Right to file a complaint with a supervisory authority

The General Data Protection Regulation gives people the right to file a complaint with a supervisory authority.

If you have followed the usual procedures of request and / or objection and you are not satisfied by the followed procedure of the answer, you can submit a complaint to a supervisory authority.
The first point of contact for complaints is the internal supervisor, the Data Protection Officer.
The contact details can be found here (see 'Data Protection Officer').

Based on article 36 UAVG you can also submit a complaint to the external supervisory authority, the Dutch Data Protection Authority.

Contact

Questions

If you have any questions about the protection of your personal data, please feel free to contact our privacy team via e-mail privacy@tilburguniversity.edu.

Data protection Officer

Data Protection Officer is Mr. M.R.G. Herregodts. email: fg@tilburguniversity.edu.

Tilburg University 

Visiting addressPostal addressPhone
Warandelaan 2Postbus 90153+31 13 466 9111
5037AB Tilburg5000 LE Tilburg