Privacy policy

As a Saxion stakeholder, such as employee, student, guest, visitor, or external partner, the General Data Protection Act (GDPR) [AVG] provides you with the right to know which of your personal data are being processed by Saxion, how, and why.

• Right of access: you have the right to request a complete summary of the personal data Saxion has stored about you. Using the web form, you can request a summary and indicate the specific data you would like to review.
• Right to rectification: if you feel the data which Saxion has recorded about you is factually incorrect, incomplete, or irrelevant, you can request that a correction be made to the personal data.
• Right to object: under certain circumstances, you have the right to object to Saxion’s use of your data. This can only be done if Saxion processes your data based on a general or joint interest and not if Saxion is legally required to do so.
• Right to erasure: in certain cases, you have the right to request that your data be erased. This means that you can request that Saxion remove all data related to you. This right applies in the following situations: 
  • No longer required: Saxion no longer needs your personal data for the purposes for which they were collected or processed. 
  • Withdrawal of consent: you previously provided express consent to Saxion for the use of your data but are now withdrawing that consent. 
  • Objection: you object to the processing of your data. For example, pursuant to Art. 21 of the GDPR, there is an absolute right to object to direct marketing in this case. 
  • Unlawful processing: Saxion is unlawfully processing your personal data. For example, there may be no legal basis for the processing.
• Right to restriction: the processing of your personal data will be stopped temporarily. For example, you can exercise this right if you are unsure the data Saxion is processing is correct. A “request for restriction” will not result in the deletion of your personal data. In this case, the data must be kept available so that the restriction you have requested can be removed at a later time. 
• Right to data portability: you have to the right to the “portability” of your personal data. You can receive a copy of your personal data in the format used by Saxion to process it via automated means, so that it can be reused and provided to other organisations.

Please, make a choice:

• I have an active Saxion login account (i.e. you are either a Saxion student or employee with access to Saxion-systems)
• I do not have an active Saxion login account (i.e. you are not currently studying or working at Saxion)

Please note: before your request can be processed, you must provide proof of identity at a Saxion location within four weeks of submission. This enables Saxon to ensure that the personal data requested is only provided to the correct person. If you have not provided proof of identity within four weeks, Saxion will delete the request. Saxion will respond to your request no later than four weeks after you provide proof of identity.

•  

Saxion processes personal data carefully and according to the principles of the GDPR, as well as to any related legislation if required. For the purposes of meeting this objective, Saxion has established several of its own basic principles. 
 

• Legality: the processing of personal data is based on one of the legal reasons specified in Article 6 of the GDPR. Consequently, Saxion complies with all legal and standard frameworks (in this case, Dutch and EU rules) when processing personal data and clearly defines its responsibility and the responsibility of others with regard to personal data. Saxion also uses and upholds the codes of conduct applicable to its sector.
• Fairness and transparency: personal data are only processed in a way that is fair and transparent to stakeholders. This means that it should be clear to what extent and in what way the personal data are processed. Information and communication regarding this must be easily accessible and understandable. 
• Personal data are only processed for well-defined, specific and justified purposes that have been explicitly described and recorded before any processing begins. 
• Purpose limitation: personal data are not further processed in a way that is not compatible with the purposes for which the data was acquired. 
• Minimum data processing: when processing personal data, the quantity and type of data is limited to personal data necessary for the specific purpose. With regard to this purpose, the data must be sufficient, relevant, and not excessive. Personal data processing is done in the least intrusive manner and must be in reasonable proportion to the intended purpose.
• Accuracy: Saxion takes measures to ensure that the processing of personal data is as correct and current as possible.
• Integrity and confidentiality: personal data are adequately protected in accordance with the applicable security standards.
• Storage limitation: Saxion does not process personal data for longer than necessary for processing purposes. In this regard, Saxion observes the applicable retention and destruction periods. 
• Accountable and auditable: Saxion can demonstrate compliance with all policy objectives in accordance with the applicable legal provisions. Internal supervision and monitoring safeguards this accountability obligation and is enforceable in accordance with legal principles.
• Access to personal data is restricted by authorisations when necessary.

Saxion receives or collects personal data when these are required for providing services, performing transactions, providing information, or granting access. The data we collect are always adjusted to the purpose indicated, meaning we do not collect any more information than we need to achieve a specific objective. We may collect data on the following stakeholder types:

• Students
• Staff members, including applicants and former staff members
• Prospective students (incoming)
• Alumni and former students (outgoing) 
• External parties, including guest staff members

In most cases, the personal data will be provided by the stakeholders themselves. Within the university of applied sciences, these data can be sent out from an internal source system or retrieved by a different system if necessary. We also receive personal data from third-party systems.

The personal data collected from you will be used by the university of applied sciences for business operations and for performing legal tasks and obligations as necessary for education and research. The summary below describes the main processes Saxion may use to collect personal data, the primary components of which are listed for each process:

• Education and educational support: registration and enrolment, degree programme, tracking results and academic progress, guidance and advice, providing learning materials, handling disputes, facilitating audits, graduation, addresses and yearbook, scheduling and the digital testing system.
• Research and research support: research administration and data.
• Partner management: campaigns, contact, mailing lists and newsletters, degree programmes and graduation dates, focused on prospective students, alumni, and participants in various activities; data for businesses, organisations, and persons with which the university of applied sciences has different types of partnerships (e.g. via contract, processor agreement, or partnership agreement for providing or receiving products and services.)
• Personnel matters: determining salary claims, arranging claims for payments in connection with termination of employment, internal and external audits related to occupational medical care.
• Business operations and finances: financial administration, purchasing system, payment system, IT management, and legal procedures.
• Facilities: access and management systems, camera surveillance, identity management
• Generic: 
  • Web content management
  • Participation
  • Images for university of applied sciences communications
  • Archiving
  • Library system

Records are reported by the unit responsible, whether academic or service-related, to the privacy team. The privacy officer maintains a processing register. This allows Saxion to keep a complete summary of the records.

In principle, Saxion only collects and processes basic personal data, such as name/address information, date of birth, contact details (e-mail, telephone number, etc.) for the above-mentioned processes.

Saxion does not process special data, such as medical data, ethnicity data, genetic data or sexual orientation data, unless there is a legal obligation to do so (e.g. for BSN number) or consent has been provided by the stakeholders for specific occasions, such as orientation days and filling student dean positions. Saxion also processes sensitive personal data for specific purposes, such as study results for the sake of tracking academic progress and financial data for accounts receivable and salary administration.

We may also collect your data if you provide this information on Saxion websites for the purposes of staying abreast of various activities at the university.

Saxion also collects personal data in relation to scientific research. This concerns data on research participants. This is also done in accordance with the law and applicable codes of conduct.

This privacy statement describes how Saxion University of Applied Sciences ('Saxion') processes your personal data in the context of Wi-Fi counts. In addition to this privacy statement, Saxion has a privacy policy. The privacy policy describes how our employees should handle personal data. Students and employees can consult the privacy policy on MySaxion at the Information Security & Privacy theme site. 

About Saxion 

Saxion's Executive Board is the data controller within the meaning of the General Data Protection Regulation (GDPR) and is therefore ultimately responsible for the lawful and careful processing of personal data within Saxion. The Executive Board establishes the policy, measures and procedures relating to the processing of personal data.

Saxion is located at M.H. Tromplaan 28, 7513 AB in Enschede. Saxion's postal address is PO Box 70000, 7500 KB Enschede. For questions, please email [email protected]. 

For what purpose does Saxion process my personal data? 

Saxion strives to make more intensive and efficient use of its indoor spaces. Optimising the occupancy of all spaces, requires more data and insight. Wi-Fi counts are being conducted to gain insight into the actual occupancy and use of educational spaces, meeting rooms and office spaces, compared to the planned occupancy and use. Among other things, this data is used to schedule classrooms in a ‘smart’ way, but also to manage Saxion’s buildings in a more efficient, sustainable and cost-effective manner.

What exactly are Wi-Fi counts?

Saxion uses access points located within Saxion’s buildings that detect Wi-Fi signals from mobile devices. Persons entering Saxion’s buildings who are in possession of, for example, a smartphone, tablet, laptop or smartwatch with Wi-Fi functionality enabled are detected by an access point. This access point transmits a limited data set of the detected mobile devices to the application, which then counts and registers the mobile devices and stores their locations.

Are you logged in to the Eduroam network? Then you will be included in the Wi-Fi count. The application will ensure that multiple mobile devices belonging to a single person are filtered, so each person is only counted once.

When looking at the data, Saxion will only be able to see how many people were in a room at a particular time, but we will not know their identity. People who are not logged in to the Eduroam network are not included in the Wi-Fi counts.

Where are the Wi-Fi counts conducted?

The Wi-Fi counts are conducted within Saxion’s buildings in Apeldoorn, Deventer and Enschede, where the Eduroam network is in use.

There are areas within Saxion’s buildings that are excluded from Wi-Fi counts, such as changing rooms, bathroom and shower facilities, first aid rooms, breastfeeding rooms, as well as rest and prayer rooms.

Student housing managed by Saxion, where the Eduroam network is also in use, namely The Heights in Deventer and Ariensplein in Enschede, are also excluded from these Wi-Fi counts.

What personal data does Saxion collect from me? 

If you are logged in to the Eduroam network and present within Saxion’s buildings, the access point will send the following data to the application that registers the Wi-Fi counts:

• IP address
• Their Saxion email address
• MAC address
• Location details

Important:

Your Saxion email address is processed as a unique identifier, as individuals often own multiple mobile devices, such as a mobile phone and a smartwatch. The MAC address of these mobile devices is processed.

If no unique identifier were to be used, all mobile devices would be counted separately in the Wi-Fi counts, which would result in Saxion having inaccurate occupancy data. Using the Saxion email address as a unique identifier ensures that the mobile devices belonging to one person are collectively included as a single entity in the Wi-Fi counts.

Hashing

The IP address, Saxion email address and MAC address are considered indirect personal data. Combining this data may lead to the identification of individuals.

When conducting out Wi-Fi counts, care is taken to ensure that this indirect personal data can no longer be traced back to individuals. This is done by immediately removing the IP address once it is received by the application. After detection by the access points, the email address and MAC address are assigned a so-called ‘hash’.

Hashing is a cryptographic method whereby data of a random nature is converted into a unique character string. Hashing is a one-way process that cannot be reversed.

This involves the use of current, strong hashing algorithms and randomisation, whereby the MAC address is automatically replaced by a randomly generated address. These measures ensure that the data collected via Wi-Fi counts cannot be traced back to individuals.

Only in exceptional cases, and only if the data is combined with other information and analysed in great detail, would it be possible to recognise certain behavioural patterns. Even then, it will be practically impossible to trace it back to a specific person.

Important to note: it is explicitly not Saxion’s goal to identify or track individuals, and the data will not be used for that purpose.

The right not to be included in Wi-Fi counts (opt-out)

To avoid being included in the Wi-Fi counts within Saxion’s buildings, you can disable the Wi-Fi functionality on your mobile devices.

What is Saxion’s legal basis for processing my data in the context of Wi-Fi counts? 

The processing of this data is based on Saxion’s legitimate interest, as referred to in Article 6(1)(f) of the GDPR. This interest refers to gaining insight into the occupancy and use of spaces within Saxion’s buildings, with the aim of managing them in a more efficient, sustainable and cost-effective manner.

How Saxion weighs up interests in the use of Wi-Fi counts

Saxion processes a set of (indirect) personal data for the purpose of Wi-Fi counts within its buildings based on legitimate interest. In doing so, Saxion has carefully weighed up its interests against the rights and freedoms of those involved (the ‘data subjects’). This weighing up is explained in more detail below.

1. Purpose of processing

The processing of this data provides us with insight into the occupancy and use of Saxion’s spaces, with the aim of managing the classrooms, work spaces and other rooms within the buildings in an efficient, sustainable and cost-effective manner.

2. Necessity

In order to obtain a complete and continuous picture of the occupancy and use of Saxion’s spaces in the relatively short term, and thus achieve the aforementioned objectives, it is necessary to continuously generate valid and accurate data that provides insight into the actual spatial occupancy and use of spaces. Without such a data flow, it would take Saxion considerably more time to achieve its objectives.

3. Balancing of interests

Saxion has carefully considered the potential impact on the privacy of those involved. The following factors were considered when balancing the interests:

• Consequences for those involved:

There will be no immediately noticeable consequences for those involved during their presence in Saxion’s buildings. The long-term effects of the Wi‑Fi counts are expected to be positive, as those involved will have access to a pleasant study and work environment that better suits their needs.

• Additional safeguards:

Saxion will take appropriate technical and organisational measures to safeguard the privacy of those involved and the security of data. This includes, where possible, the immediate removal of indirect personal data, as well as the application of hashing and randomisation. Saxion also applies relatively short retention periods for the collected data while access to the application is limited to a minimum number of administrators.

Saxion has taken various measures to inform those involved about the use of Wi‑Fi counts within the buildings. Signs and stickers have been placed outside the buildings to alert everyone to the use of Wi-Fi counts, with a reference to the (online) Saxion privacy statement for more detailed information about the processing of the corresponding data. This privacy statement also informs those involved of the option to opt out, which allows them to exclude themselves from participation in the Wi‑Fi counts.

In addition, an information page about the Wi-Fi counts is available on MySaxion. Those involved at Saxion are periodically informed about the use of Wi-Fi counts via news items on MySaxion.

Finally, those involved are informed of the Wi-Fi counts by means of signs placed at the main reception desks. Upon request, the reception staff can provide a more detailed explanation of Saxion’s privacy statement.

• Expectations of those concerned:

Those entering Saxion’s buildings expect data to be processed the moment they connect to the Saxion Wi-Fi network. However, they do not expect this data to also be used to measure space occupancy for the purpose of achieving Saxion’s intended goals.

• Seriousness of the interference:

When using Wi‑Fi counts within Saxion’s buildings, a limited set of indirect personal data is processed for the purpose of gaining insight into the occupancy and use of spaces. Although this data cannot be directly traced back to individuals, it may give some people the feeling that they are being monitored. This means that the processing of this data may be perceived as an invasion of privacy.

Saxion takes various technical and organisational measures to mitigate any privacy risks. By applying hashing and randomisation, as described under additional safeguards, the possibility of identifying individuals during data collection is virtually eliminated. No identification or profiling of individuals takes place; this is expressly not the aim of Saxion, and the data collected is therefore not used for this purpose.

Although the processing may formally fall within the scope of the GDPR due to the processing of indirect personal data, Saxion assesses the severity of the interference as low to very low, given the measures taken. The impact of the processing of this data on the privacy rights of data subjects is negligible and does not lead to adverse consequences at an individual level.

Special personal data 

No special* personal data is processed during the Wi-Fi counts.

What happens with the data?

The data obtained from the Wi‑Fi counts is temporarily stored within the application. Once it is used for analytical purposes, the dataset is first stripped of the hashed data, leaving only a numerical dataset containing occupancy data.

This dataset is then used to gain insight into the space occupancy and use of the buildings. These results are used for management information, enabling Saxion to make policy decisions in areas such as the scheduling of classrooms, but also to manage Saxion’s buildings in an efficient, sustainable and cost-effective manner.

How long does Saxion retain my personal data? 

Saxion stores the hashed data within the application for a maximum of ten days, after which it is automatically deleted.

What are my rights under the GDPR? 

Under the GDPR, data subjects have rights that allow them to gain insight into how Saxion processes personal data. However, in the case of the Wi‑Fi counts within Saxion, the data can no longer be traced back to individuals, partly due to the use of hashing and randomisation. Although the formal rights of data subjects remain in place, they do not apply in this context, with the exception of the right to object.

Right to object (Article 21 of the GDPR)

Despite the fact that no identifiable personal data is involved, Saxion is well aware of the great importance of transparency and the careful use of personal data. The right to object remains applicable to this specific processing operation.

A data subject may object if they believe that the processing, even in hashed form, may have adverse consequences for them. Saxion will carefully assess each objection, weighing up whether the objection is justified within the context of the legal basis for the processing operation and the technical irreversibility of the hashing and randomisation applied.

How can I exercise these rights? 

Do you have an active Saxion account? Submit your request on the service portal (Information Security & Privacy – GDPR – Exercising your rights under the GDPR). If you do not have a Saxion account you can submit your request via [email protected]. 

Saxion will examine and assess each case individually to determine whether a specific request can be granted. Exercising your rights is free of charge, except in cases of abuse. To process your request, Saxion will need to verify your identity to prevent personal data from being disclosed to the wrong party or incorrect changes being made to your personal data. Once your identity has been verified, Saxion will respond to your request within four weeks. 

How does Saxion protect my personal data? 

Saxion takes appropriate technical and organisational measures to protect personal data against misuse, loss, unauthorised access, unwanted disclosure and unauthorised changes.  

Saxion has taken various measures in connection with the Wi‑Fi counts. This includes, where possible, the immediate removal of indirect personal data, as well as the application of hashing and randomisation.

The collected data is stripped of the hashed data, leaving only a numerical dataset containing occupancy data, which is used for analytical purposes. Within the application, Saxion maintains short retention periods, after which the data is deleted permanently. Furthermore, the application can only be accessed by a small number of employees who require access to the data to fulfil their job.

With whom does Saxion share my personal data? 

Since the indirect personal data obtained via Wi‑Fi counts is, where possible, deleted, hashed or randomised upon entry into the application, it is no longer considered personal data.

The occupancy data collected from the Wi‑Fi counts is used exclusively internally and is not shared with parties outside Saxion.

Transfer to foreign countries 

The data collected from the Wi‑Fi counts is stored in a data centre located within the European Economic Area (EEA).

Questions? Complaints? 

At Saxion, the Data Protection Officer (DPO) supervises and advises on the application of and compliance with the GDPR and Saxion’s privacy policy, as well as the allocation of responsibilities. The statutory tasks and responsibilities of the DPO give this officer an independent position in the establishment and performance of their duties. The DPO will also contribute to raising privacy awareness. The DPO works with and acts as a contact person for the supervisory authority (the Dutch Data Protection Authority). If you believe that your personal data is being processed by Saxion in violation of the GDPR, you can submit a complaint to the DPO via [email protected]. The DPO acts independently and can consult or seek advice from the Dutch Data Protection Authority about your complaint.  

Questions? 

If you have any questions about this privacy statement, please contact us via [email protected].

Changes 

The latest changes to this privacy statement were made on 18 November 2025.

We have appointed a Data Protection Officer (DPO) (Dutch: Functionaris Gegevensbescherming – FG). The DPO is the link between Saxion and the Dutch Data Protection Authority (AP).  

If you feel that your personal data are being processed by Saxion in a way that violates the GDPR, you may contact the DPO. The DPO acts independently and can address your complaint directly or request recommendations from the Dutch Data Protection Authority. The Saxion DPO is registered with the Dutch Data Protection Authority under number FG000531. 

Our DPO is Romeo Kadir and he can be reached at [email protected] and/or [email protected].

If you are not satisfied on how your complaint was handled by the Saxion DPO, you can submit a complaint directly to the Dutch Data Protection Authority. The Dutch Data Protection Authority will handle the complaint or request and come to a decision about it. 

For questions about your privacy or privacy in general at Saxion, you can write to [email protected]. A member of our privacy team will be happy to get in touch with you.