The General Data Protection Regulation (GDPR) came into force on 25 May 2018. From then on, stricter rules apply to working with personal data. For us to comply with GDPR and avoid substantial fines, everyone's cooperation is necessary. Based on the GDPR, Maastricht University (UM) has established its own policy rules. Are you working with or have you saved files containing personal data? Then it is important to understand what the new law means for you. For questions you can contact your supervisor or the information manager of your unit or department.
Why the new law?
The new General Data Protection Regulation (GDPR) replaces the Data Protection Directive. The law harmonises privacy legislation in all EU member states, thus better protecting the privacy of all EU citizens. Organizations operating in the EU will be bound by the same restrictions regarding personal data and privacy.
General information about GDPR
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens or AP) has the task of supervising the implementation of GDPR; they also offer additional information and advice.
Read the full text of GDPR
What is changing?
- Strengthening privacy rights. GDPR strengthens privacy rights, requiring e.g. data subjects’ consent for the use of personal data.
- Extension of privacy rights. Privacy rights will be extended: the right to be forgotten, e.g., allows for an individual’s personal data to be corrected or removed.
- More responsibility for organizations. The new law also creates more responsibilities for organizations, such as the registration requirement. In addition, penalties of up to 20 million euros can be imposed.
What is UM doing about it?
UM has started a process to comply with the law. Important steps are recording all processing of personal data and the reasons the data are used, and maintaining high levels of security. Raoul Winkens was appointed as Data Protection Officer (DPO) on 1 January. He will monitor compliance within UM. Do you have a question? Send an email to fg[at]maastrichtuniversity[dot]nl or call 043-3883010.
Watch the video for more information about working with personal data, the upcoming changes and GDPR in general:
What is personal data?
Roughly speaking, it is any information that is traceable to a person, such as name and address, email address, IP address, telephone number, student or staff number, study results or bank account numbers.
What is covered by UM’s obligation to register processing of personal data?
The registration requirement covers, for example:
- specific details from registrations at departmental or faculty level regarding, e.g., personnel policy, internships, student or PhD programmes
- letters, lists and reports that contain personal data
- registration details of people participating in events
- further processing of data taken from existing systems or databases used at UM (SAP, Eleum, Syllabus + etc.)
What, for example, is not covered?
- registrations for the departmental barbecue
- personal contacts in your address list (but always keep security in mind)
What is expected of employees now?
- make an inventory of any such processing
- determine how important, useful, necessary they are
- together with your information manager, what has to be included
We speak of a data breach if there is a chance that personal data may be accessed or modified by unauthorized parties and that the data subjects may experience (serious) damage.
If there is a (presumed) data breach, UM must report this to the Dutch Data Protection Authority (AP) within 72 hours, so direct action is necessary.
Has your laptop or mobile phone been stolen or have you detected a virus?
Has your phone, tablet or laptop been stolen, or have you noticed a data breach, virus infection, phishing mail or other security incident? Report this as soon as possible to Servicedesk ICTS via Servicedesk-ICTS[at]maastrichtuniversity[dot]nl or call 043 - 388 55 55 (on working days, 8.00 - 17.00).
UM must report the data leak to all those affected, i.e. the people whose data has been leaked. If there is a (presumed) data breach, UM must also report this to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens or AP) within 72 hours.
Prevention is better than cure
By safely handling personal data, you can contribute to safe and reliable processing of personal data within UM. Check www.maastrichtuniversity.nl/informationsecurity for the current policy, the Acceptable Use Policy that we all have to comply with, and tips and tricks about passwords, e-mail, the use of tablets and smartphones, etc.
General tips about Cyber security
UM participates in the CyberSave Yourself campaign currently being developed within SURF. On www.cybersafeyourself.nl you can find a lot of information as well as a game.
Questions about the processing of your personal data?
If you have specific questions about your personal data that are (possibly) processed by UM, then you can ask your regular contact person. Do you have general questions? Send an e-mail to privacy[at]maastrichtuniversity[dot]nl.
Use this form to report a data breach.
To be mentioned in such a report:
- when and where did the incident occur?
- what type of personal data and how many people are involved?
- has encryption and/or pseudonymization (coding of data subjects) been used?
- have strong passwords been used and have they now been modified?