Data protection & Privacy

Maastricht University (UM) considers it important to handle personal data with care and to protect the privacy of those concerned. At the same time, UM needs to process data in its day-to-day activities, in education, in conducting research and in its operational processes. UM therefore continuously seeks the right balance: sharing and processing data where necessary, while respecting the rights and freedoms of individuals.

Set against the free sharing of data are the fundamental rights and freedoms of natural persons. These include the right to respect for private and family life (commonly referred to as the right to ‘privacy’) and the right to the protection of personal data. To ensure that a well-considered balance is struck each time between processing and sharing personal data on the one hand, and respecting people’s private lives and protecting their personal data on the other, UM pays close attention to data protection.

Focusing on data protection goes hand in hand with providing transparency to the individuals whose personal data we process. For this reason, we provide information through various Privacy Statements.

Privacy legislation / General Data Protection Regulation (GDPR)

The GDPR is the European law that sets out the rules and conditions organisations must comply with when processing personal data. This applies to processing activities within the European Economic Area (EEA), as well as to organisations that process personal data of residents of countries within the EEA.

As a European law with direct effect, the rules and conditions of the GDPR apply directly to organisations.

In line with the GDPR, UM has translated these rules and conditions into its own UM Policy on the Processing of Personal Data and the Working Procedures of the Data Protection Officer. Within UM, we operate in accordance with these internal regulations. The Data Protection Officer (DPO) supervises internal compliance with the GDPR and the UM policy, provides advice and is the contact person for the national supervisory authority, the Data Protection Authority (Autoriteit Persoonsgegevens, AP). 

The AP supervises the implementation of the GDPR on a national level and provides information and advice.

Rights of the data subjects

Individuals whose personal data is processed by Maastricht University (UM) have the right to exercise certain rights regarding the processing of their personal data. Below is an explanation of how the data subjects can exercise these rights and what they entail.

Exercising your rights

To exercise any of the rights listed below, you can complete the GDPR request form. It is also possible to contact the GDPR Team UM in writing, after which your request will be processed. The UM GDPR Team can be reached via email.

UM will respond to your GDPR request as soon as possible, and in any case within one month of receipt. This period may be extended once by an additional two months. If the period is extended, you will be informed in a timely manner.

Types of rights

  • Right of access
    A data subject has the right to request from UM confirmation of whether its personal data is being processed.
     
  • Right to rectification
    A data subject can request that UM rectify any inaccurate personal data. If personal data is incomplete, individuals also have the right to have it completed.
     
  • Right to erasure (‘right to be forgotten’)
    A data subject may request that UM erases its personal data. UM may not always be able to comply immediately, as in some cases there is a legal obligation to retain personal data for a certain period.
     
  • Right to restrict processing
    In certain situations, a data subject may obtain from UM the temporary restriction of processing without deleting the personal data.
     
  • Right to data portability
    In specific situations, a data subject may request that UM transmits its personal data to another party, provided it concerns digital processing.
     
  • Right to object
    A data subject may object to the processing of its personal data. UM must then reassess whether the processing activities can continue.
     
  • Right not to be subject to automated individual decision-making, including profiling
    A data subject generally has the right not to be subject to a decision based solely on automated processing, including profiling. An exception is automatic blocking of IT facilities if the integrity and security of those facilities are at risk. In such cases, a solution will be sought as soon as possible in consultation with the data subject.
     
  • Right to withdraw consent
    If UM processes personal data based on a data subject’s consent, that consent can be withdrawn at any time. Withdrawal of consent does not affect processing carried out before the withdrawal.

Data breaches; securing personal data

Maastricht University (UM) secures (personal) data to ensure that the integrity and confidentiality of individuals are protected as effectively as possible. If something goes wrong with security, this is called a security incident. When personal data is involved in such an incident, it is considered a personal data breach (commonly referred to as a data leak).

This can happen, for example, if a device containing personal data is stolen, or if a document with personal data is accidentally shared with someone who is not authorised to see it.

In these situations, we immediately take all possible measures to minimise any potential harm to the individuals concerned.

A data breach occurs when unauthorised persons actually gain access to personal data, resulting in accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to that personal data. If the breach could potentially harm the individuals involved, UM is required to report it to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) within 72 hours.

Contact

More information
For more information on how UM handles personal data, see the UM Privacy Statements.

Questions:
Questions regarding the processing of personal data by UM can be submitted to the GDPR Team UM: privacy@maastrichtuniversity.nl

Complaints:
Complaints about the processing of personal data by UM can be submitted to the Data Protection Officer:
Maastricht University
Attn: Data Protection Officer
P.O. Box 616
6200 MD Maastricht
fg@maastrichtuniversity.nl

GDPR requests:
To submit a GDPR request: GDPR request form

Reporting a security incident / data breach:
Reports can be made via:

  • Telephone: ICTS Service Desk: 043 - 388 55 55 (8:00 - 17:00 on weekdays)
  • Email: ICTS Service Desk: servicedesk-ICTS@maastrichtuniversity.nl
  • Email: CISO Team: security@maastrichtuniversity.nl
  • Email: GDPR Team UM: privacy@maastrichtuniversity.nl

Questions about information security:
See UM Cybersecurity.