Privacy regulations

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. From then on, stricter rules apply to working with personal data. For us to comply with GDPR and avoid substantial fines, everyone's cooperation is necessary. In line with the GDPR, Maastricht University (UM) has established its own policy rules and "Regeling Functionaris Gegevensbescherming" (Dutch only). Are you working with or have you saved files containing personal data? Then it is important to understand what the new law means for you. For questions you can contact your supervisor or the information manager of your unit or department.


The new General Data Protection Regulation (GDPR) harmonises privacy legislation in all EU member states, thus better protecting the privacy of all EU citizens. Organizations operating in the EU will be bound by the same restrictions regarding personal data and privacy.

General information about GDPR

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens or AP) has the task of supervising the implementation of GDPR; they also offer additional information and advice.
 Read the full text of GDPR

What is changing?

  • Strengthening privacy rights. GDPR strengthens privacy rights, requiring, for example, data subjects’ consent for the use of personal data in certain cases.
  • Extension of privacy rights. Privacy rights will be extended: the right to be forgotten, for example, sometimes allows for an individual’s personal data to be corrected or removed.
  • The GDPR also creates more responsibilities for organizations, such as the registration requirement and accountability. In addition, penalties can be imposed along with other sanctions.

What is UM doing about it?

UM wants to record all processing of personal data in a registry, together with the reason the data are used, and to ensure high levels of security. Raoul Winkens is the appointed Data Protection Officer (DPO). He will monitor compliance within UM. Do you have a question about the processing of your personal data? Send an email to or call 043-3883010.

Watch the video for more information about working with personal data and GDPR in general:

What is personal data?
Roughly speaking, it is any information that is traceable to a person, such as name and address, email address, IP address, telephone number, student or personnel number, study results or bank account numbers.

What is covered by UM’s obligation to register processing of personal data?

The registration requirement covers, for example:
  • specific details from registrations at departmental or faculty level regarding, e.g., personnel policy, internships, student or PhD programmes
  • letters, lists and reports that contain personal data
  • registration details of people participating in events
  • further processing of data taken from existing systems or databases used at UM (SAP, LMS, Syllabus+, etc.)

What, for example, is not covered?

  • registrations for the departmental barbecue
  • personal contacts in your address list (but always keep security in mind)

What is expected of employees now?

  • make an inventory of any such processing
  • determine how important, useful, necessary they are
  • together with your information manager, what has to be included


Are you going to create a form or a survey in which you ask the participants for all kinds of personal data? Then first read the do's and don'ts before you get started.

More information on personal data in scientific research can be found here: 'The GDPR dos and don’ts of personal data in scientific research'.

Data leaks

We speak of a data breach if there is a chance that personal data may be accessed or modified by unauthorized parties and that the data subjects may experience (serious) damage.

If there is a (presumed) data breach, UM must report this to the Dutch Data Protection Authority (AP) within 72 hours, so immediate action is necessary.

Has your laptop or mobile phone been stolen or have you detected a virus?

Has your phone, tablet or laptop been stolen, or have you noticed a data breach, virus infection, phishing mail or other security incident? Report this as soon as possible to Servicedesk ICTS via or call 043 - 388 55 55 (on working days, 8.00 - 17.00). UM must report the data leak to all those affected, i.e. the people whose data has been leaked. If there is a (presumed) data breach, UM must also report this to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens or AP) within 72 hours.

Prevention is better than cure

By safely handling personal data, you can contribute to safe and reliable processing of personal data within UM. Check for the current policy, the Acceptable Use Policy that we all have to comply with and tips and tricks about passwords, e-mail, the use of tablets and smartphones, etc.

General tips about cyber security

UM participates in the CyberSave Yourself campaign currently being developed within SURF. On you can find a lot of information as well as a game.

Questions about the processing of your personal data?

If you have specific questions about your personal data that are (possibly) processed by UM, then you can ask your regular contact person. Do you have general questions? Send an e-mail to

Data leak

Use this form to report a data breach.

To be mentioned in such a report:

  • when and where did the incident occur?
  • what type of personal data and how many people are involved?
  • has encryption and/or pseudonymization (coding of data subjects) been used?
  • have strong passwords been used and have they now been modified?