Your rights

Exercising your rights
If you wish to exercise one of the rights described below, please please fill out the GDPR request form. You can also email privacy@maastrichtuniversity.nl or contact the Data Protection Officer directly at fg@maastrichtuniversity.nl.

UM will inform you, within a month of receiving your request, whether and, if so, how your request will be dealt with. This time limit may be extended by one month on two occasions. If the time limit is extended, you will be notified in good time that this is the case.

ID
In order to be sure that information is shared with the right person, UM may ask you for proof of ID when you exercise your rights. If you are providing proof of your identity in the form of an identity document, it is advisable to use the KopieID App to make a secure copy of the document. This is an app created by the government that allows you to add a watermark to the copy of your identity document and to delete data that are not required. UM requires you, at the very least, to render your BSN number and passport photo and the so-called Machine Readable Zone at the bottom of the document illegible.

Charges for exercising your rights
Exercising your rights under the new privacy legislation is free of charge. If you request additional copies, however, UM may charge you an administrative fee. You will be advised of this in advance.

If your request is manifestly unfounded or excessive, particularly if you repeatedly submit a request, UM may charge an administrative fee for processing your request or refuse to accept the request. You will be advised of this in writing.

Right of access
You have the right to know whether your personal data are being processed by UM. If they are, you also have the right to know what data are being processed, for what purpose, whether and with whom they are being shared and how long they will be retained. You have no right of access to other people’s personal data. Furthermore, the right of access can be limited to protect the rights and freedoms of others, including the including trade secrets or intellectual property and in particular the copyright protecting the software. UM has a right to request you to specify to which information or processing activity your request pertains.

Right to rectification
If the personal data relating to you that UM is processing are found to be incorrect, you have the right to have these data corrected. If the personal data relating to you that UM is processing are found to be incomplete, you have the right to have these data completed.

Right to erasure
You have the right to have personal data relating to you that UM is processing erased, but only in the following circumstances:

• Your personal data are no longer necessary for the purpose for which they were being processed;
• You have withdrawn your consent and UM has no other lawful basis for continuing to process your personal data;
• You have objected to the processing and UM has no compelling legitimate grounds for continuing to process your personal data;
• It has been proven that your personal data have been processed unlawfully;
• UM has a legal obligation to erase your personal data.

You do not have the right to erasure in the following circumstances:

• The processing of your personal data are necessary to exercise the right of freedom of expression and information;
• UM has to process your personal data in the context of a legal obligation and/or a task carried out in the public interest;
• The processing of your personal data is necessary for public health purposes in the public interest;
• The processing of your personal data is necessary for archiving purposes in the public interest, scientific research or statistical purposes, and erasure of the data is likely to render impossible or seriously impair the achievement of these purposes;
• UM requires your personal data for the establishment, exercise or defence of a legal claim.

Right to restrict processing
You have the right to stop UM from processing your personal data (temporarily), without it being deleted. You only have this right in the following circumstances:

• You contest the accuracy of the personal data processed by UM;
• Your data have been processed unlawfully, but you do not want the data to be deleted;
• UM no longer needs your personal data, but you need it in order to establish, exercise or defend a legal claim;
• You have objected to the processing of your personal data by UM and are waiting for UM’s response.

If processing is restricted, your personal data will continue to be stored by UM. UM will only process personal data in respect of which processing has been restricted:

• with your consent;
• to establish, exercise or defend a legal claim;
• to protect another person’s rights;
• for reasons of important public interest.

Right to data portability
If personal data are processed on the basis of your consent or for the performance of a contract, you have the right to have these personal data transferred to a third party. The processing must be digital. In addition, transfer of the data must not adversely affect the rights of others.

Right to object
If UM processes your personal data on the basis of a task carried out in the public interest or on the basis of its legitimate interests, you can object to this. UM will then weigh up the various interests once again. If, having weighed up all the interests involved, UM believes that it has compelling legitimate grounds for continuing to process your personal data, your objection will be rejected. The same applies if your personal data are necessary for the establishment, exercise or defence of a legal claim.

Rights related to automated individual decision-making, including profiling
In principle, UM does not make decisions based solely on automated individual decision-making, including profiling. An exception to this is the automatic blocking of ICT facilities where the integrity and security of these facilities is at stake. In this event, UM will endeavour to reach a solution with you as quickly as possible

Right to withdraw your consent
If your personal data are processed on the basis of your consent, you can withdraw this consent at any time. The withdrawal of your consent does not have retroactive effect.