Datenschutz (Englisch)

General

This privacy notice describes how Saxion University of Applied Sciences (hereinafter 'Saxion') processes your personal data. Saxion also has a privacy policy in addition to this privacy notice. The privacy policy describes how our employees are obliged to handle personal data. Students and employees can consult the privacy policy on MySaxion at the ‘Information Security & Privacy’ web page.

About Saxion

Saxion's Executive Board is the data controller within the meaning of the General Data Protection Regulation (GDPR) and is therefore ultimately responsible for the lawful and diligent processing of personal data within Saxion. The Executive Board determines the policy, measures and procedures relating to the processing of personal data.

Saxion is located at M.H. Tromplaan 28, 7513 AB in Enschede. Saxion's postal address is PO Box 70000, 7500 KB Enschede. For questions about this privacy notice or other questions regarding the processing of personal data, please send an email to [email protected].

For what purposes does Saxion process my personal data?

Processing of personal data is necessary for the following purposes:

1. Recruitment of participants
2. Enrolment in a study programme
3. Delivering education
4. Examinations

These key categories include both primary and support processes, for example:

1. Recruiting new students and promoting the University of Applied Sciences.
2. Carrying out administrative tasks relating to enrolment and collection of tuition fees;
3. Assessing study performance and awarding credits.
4. Providing educational resources and IT.
5. Supervising students.
6. Recording study results, exam results and providing academic transcripts, approval of chosen subjects, declarations and certification.

What personal data does Saxion collect about me?

Saxion processes a large amount of data for both primary and supporting processes. Perhaps not all this data applies to you.

• Citizen service number (BSN)
• First and last name
• Place of residence
• Place of birth
• Country of birth
• Nationality
• Gender
• (Saxion) Mobile phone numbers
• Private email address
• Qualifications and certificates
• Previous school data
• Educational history and learning results

Saxion receives your personal data via Studielink if you register there. Studielink is managed by a foundation that facilitates higher education applications at the request of the Education Executive Agency (DUO) and the Dutch applied universities. For more information about Studielink and privacy, visit the Studielink website. In addition, we receive personal data from DUO and the Personal Records Database (BRP).

What is Saxion’s legal basis for being allowed to process my data?

To be entitled to process personal data, Saxion must comply with a legal basis in the GDPR. This legal basis must be determined for each process. Here is an example of each legal basis given in the GDPR:

1. Consent, for example in the case of a student survey on Saxion's services;
2. Performance of a contract, for example the study contract between a student and Saxion;
3. Legal obligation, for example the retention of theses as required by the Archives Act;
4. Task of public interest, for example all activities covered by mainstream education. This is laid down in the Higher Education and Research Act (WHW).
5. Legitimate interest, for example camera surveillance or the use of impression images for videos.

The GDPR contains another basis, namely when the processing of personal data is necessary to protect the vital interests of the data subject or of another natural person. This concerns life-threatening situations when it is necessary to provide certain data for example, to emergency services. 

Sensitive personal data

Sensitive personal data enjoys extra protection under the GDPR because there is a significantly higher privacy risk for data subjects. This involves:

• Personal data showing a person's racial or ethnic origin;
• Personal data showing a person's political opinions
• Personal data showing a person's religious or philosophical beliefs;
• Personal data showing membership of a trade union;
• Personal data about a person's health;
• Personal data about a person's sexual behaviour or orientation;
• Genetic data;
• Biometric data (intended for the unique identification of a person).

Saxion only processes sensitive personal data of students if the additional conditions of the GDPR have been met.

How long does Saxion retain my personal data?

Selection List Applied Universities or tax and labour laws). The retention period is determined by Saxion per processing. If you want to know the retention period of a specific processing act, you can contact Saxion at: [email protected].

What are my rights under the GDPR?

When Saxion processes your personal data, you have the following rights under the GDPR:

• Right of access: you have the right to inspect your personal data that Saxion processes
• Right to rectification: you have the right to correct or complete the personal data that Saxion processes about you if it is incorrect or incomplete.
• Right of objection: you can object to the processing of your personal data. You can also object to personally targeted advertisements.
• Right to erasure: you can request Saxion to delete your personal data.
• Right to withdraw your consent: if you have given Saxion permission to process personal data, you can always withdraw this consent.
• Right to data portability: if it is technically possible, you have the right to have the personal data that Saxion processes about you transferred to a third party.
• Right to restriction of processing: in some cases you can request Saxion to restrict the processing of your personal data. This may also be a temporary restriction.

How can I exercise these rights?

Do you have an active Saxion account? Submit your request through the Service Portal (Information Security & Privacy – GDPR – Exercising your rights under the GDPR). If you do not have a Saxion account you can submit your request at: [email protected].  Saxion will examine and assess each case individually to determine whether a specific request can be granted. Exercising your rights is free of charge, except in cases of abuse. To process your request, Saxion needs to verify your identity to prevent personal data from being disclosed to the wrong party or incorrect changes being made to your personal data. Once your identity has been verified, Saxion will respond to your request within four weeks.

How does Saxion protect my personal data?

Saxion takes appropriate technical and organisational measures to protect your personal data against misuse, loss, unauthorised access, unwanted disclosure and unauthorised changes.

Who does Saxion share my personal data with?

Saxion only shares personal data with third parties if this is in accordance with the applicable laws and regulations. This mainly occurs as a result of Saxion’s legal obligations. This involves sharing personal data with, for example, the Tax and Customs Administration, municipalities, the Ministry of Education, Culture and Science, DUO, the Higher Education Inspectorate and the Immigration and Naturalisation Service.

In addition, Saxion engages third parties to provide its services. Saxion will then only provide the personal data that is necessary for the task to be performed. Where necessary, terms are set out in a contract (such as a processor agreement).

Transfer to foreign countries

Most parties to which the Saxion provides personal data are located within the European Economic Area (EEA). A provision can only take place if, among other things, there is a valid legal basis for it and the receiving party complies with the legal requirements of the GDPR.

If personal data is provided to a party outside the EEA, measures will be taken and arrangements made to ensure that the processing is done securely and in line with the GDPR.

Questions? Complaints?

At Saxion, the Data Protection Officer (DPO) supervises and advises on the application of and compliance with the GDPR and Saxion’s privacy policy, as well as the allocation of responsibilities. The statutory tasks and responsibilities of the DPO give this officer an independent position in the establishment and performance of their duties. The DPO will also contribute to raising privacy awareness. The DPO works with and acts as a contact person for the supervisory authority (the Dutch Data Protection Authority). If you believe that your personal data is being processed by Saxion in violation of the GDPR, you can submit a complaint to the DPO at: [email protected]. The DPO acts independently and can consult or seek advice from the Dutch Data Protection Authority regarding your complaint.

Questions?

If you have any questions about this privacy notice, please contact us at: [email protected].

Modifications

The last modifications to this privacy notice were made in July 2025.

General

This privacy notice describes how Saxion University of Applied Sciences (hereinafter 'Saxion') processes your personal data. Saxion also has a privacy policy in addition to this privacy notice. The privacy policy describes how our employees are obliged to handle personal data. Students and employees can consult the privacy policy on MySaxion at the ‘Information Security & Privacy’ web page.

About Saxion

Saxion's Executive Board is the data controller within the meaning of the General Data Protection Regulation (GDPR) and is therefore ultimately responsible for the lawful and diligent processing of personal data within Saxion. The Executive Board determines the policy, measures and procedures relating to the processing of personal data.

Saxion is located at M.H. Tromplaan 28, 7513 AB in Enschede. Saxion's postal address is PO Box 70000, 7500 KB Enschede. For questions about this privacy notice or other questions regarding the processing of personal data, please send an email to [email protected].

In the vast majority of cases that are likely to be relevant to you, Saxion is the (data) controller, as referred to in the GDPR. This means that Saxion determines the purpose of processing your personal data (for example: answering a certain research question) and what means are used to achieve that purpose (for example: interviews, questionnaires or observations). This also means that Saxion has a duty under the GDPR to inform research participants

For what purpose does Saxion process my personal data?

The main purpose of the processing is to answer research questions. What questions or goals can you read in the information letter that accompanies the research in question?

Your contact details may be used to contact and/or maintain contact with you. For example, for asking for feedback on how the research was conducted.

Participant notices and consent forms are retained to ensure the verifiability of the research. For example, Saxion can prove that you have been a research participant and have given permission for the processing of personal data.

What personal data does Saxion collect about me?

Saxion conducts a large quantity of research each year in many different fields. The information letter states which personal data will be processed for the research in question. In general, the following data is processed:

• Name and Contact Details (Who is the participant and how can Saxion contact them?);
• Declaration of consent (to be able to prove that you have voluntarily participated in the research and/or that you have given permission for the processing of your personal data);
• Research data (the data needed in order to answer the research question);
• Demographic data (this data is usually requested in order to show results within a specific context).

What is Saxion’s legal basis for being allowed to process my data?

To be entitled to process personal data, Saxion must comply with a legal basis in the GDPR. The performance of scientific research is in principle governed by one of the following legal principles:

• Public interest – Conducting research is a task entrusted to Saxion in the public interest. This follows from the Higher Education and Research Act (WHW).
• Legitimate interest – when Saxion is commissioned by an external party (government or company) to conduct research that is not primarily aimed at increasing the knowledge of society as a whole.  Saxion must be able to demonstrate that it has a legitimate interest in the relevant research. Before performing such research, we weigh up what comes first: the rights, freedoms and interests of the participants, or our own interests. We will only initiate the research if our own interests outweigh the potential violation of the rights, freedoms and interests of participants.

Sensitive personal data

Sensitive personal data enjoys extra protection under the GDPR because there is a significantly higher privacy risk for data subjects. This involves:

• Personal data showing a person's racial or ethnic origin;
• Personal data showing a person's political opinions
• Personal data showing a person's religious or philosophical beliefs;
• Personal data showing membership of a trade union;
• Personal data about a person's health;
• Personal data about a person's sexual behaviour or orientation;
• Genetic data;
• Biometric data (intended for the unique identification of a person).

Saxion will only process sensitive personal data when it meets the additional conditions in the GDPR.

How long does Saxion retain my personal data?

Saxion does not store your personal data longer than necessary to achieve the purposes for which the data was collected, or as long as specific laws or regulations require. For example, retention periods from the Archives Act (detailed in the Selection List Applied Universities or tax and labour laws). The retention period is determined by Saxion per processing. If you want to know the retention period of a specific processing act, you can contact Saxion at: [email protected].

What are my rights under the GDPR?

The specific rights of research participants are explained in the information letter. The information letter also includes a contact person, whom you may contact as research participant to exercise your rights.

Every research participant has the right in principle to access and if need be, correct the data processed about them in the context of the research.

The information letter that the participant receives at the start of the research describes the purpose of processing data and its legal basis. When the processing is based on consent, the participant has the right to withdraw their consent. The withdrawal of consent does not affect the legality of processing the data before the withdrawal.

The GDPR gives scientific research a special status. For example, the possibility of exercising rights in the context of scientific research may be restricted insofar as such rights threaten to make impossible or seriously impede the achievement of the specific objectives of the research project.

How can I exercise these rights?

Do you have an active Saxion account? Submit your request through the Service Portal (Information Security & Privacy – GDPR – Exercising your rights under the GDPR). If you do not have a Saxion account you can submit your request at: [email protected].  Saxion will examine and assess each case individually to determine whether a specific request can be granted. Exercising your rights is free of charge, except in cases of abuse. To process your request, Saxion needs to verify your identity to prevent personal data from being disclosed to the wrong party or incorrect changes being made to your personal data. Once your identity has been verified, Saxion will respond to your request within four weeks.

How does Saxion protect my personal data?

Saxion takes appropriate technical and organisational measures to protect your personal data against misuse, loss, unauthorised access, unwanted disclosure and unauthorised changes.

Who does Saxion share my personal data with?

Saxion only shares personal data with third parties if this is in accordance with the applicable laws and regulations. This mainly occurs as a result of Saxion’s legal obligations. This involves sharing personal data with, for example, the Tax and Customs Administration, municipalities, the Ministry of Education, Culture and Science, DUO, the Higher Education Inspectorate and the Immigration and Naturalisation Service.

In addition, Saxion engages third parties to provide its services. Saxion will then only provide the personal data that is necessary for the task to be performed. Where necessary, terms are set out in a contract (such as a processor agreement).

Transfer to foreign countries

Most parties to which the Saxion provides personal data are located within the European Economic Area (EEA). A provision can only take place if, among other things, there is a valid legal basis for it and the receiving party complies with the legal requirements of the GDPR.

If personal data is provided to a party outside the EEA, measures will be taken and arrangements made to ensure that the processing is done securely and in line with the GDPR.

Questions? Complaints?

At Saxion, the Data Protection Officer (DPO) supervises and advises on the application of and compliance with the GDPR and Saxion’s privacy policy, as well as the allocation of responsibilities. The statutory tasks and responsibilities of the DPO give this officer an independent position in the establishment and performance of their duties. The DPO will also contribute to raising privacy awareness. The DPO works with and acts as a contact person for the supervisory authority (the Dutch Data Protection Authority). If you believe that your personal data is being processed by Saxion in violation of the GDPR, you can submit a complaint to the DPO at: [email protected]. The DPO acts independently and can consult or seek advice from the Dutch Data Protection Authority regarding your complaint.

Questions?

If you have any questions about this privacy notice, please contact us at: [email protected].

Modifications

The last modifications to this privacy notice were made in July 2025.

General

This privacy notice describes how Saxion University of Applied Sciences (hereinafter 'Saxion') processes your personal data. Saxion also has a privacy policy in addition to this privacy notice. The privacy policy describes how our employees are obliged to handle personal data. Students and employees can consult the privacy policy on MySaxion at the ‘Information Security & Privacy’ web page.

About Saxion

Saxion's Executive Board is the data controller within the meaning of the General Data Protection Regulation (GDPR) and is therefore ultimately responsible for the lawful and diligent processing of personal data within Saxion. The Executive Board determines the policy, measures and procedures relating to the processing of personal data.

Saxion is located at M.H. Tromplaan 28, 7513 AB in Enschede. Saxion's postal address is PO Box 70000, 7500 KB Enschede. For questions about this privacy notice or other questions regarding the processing of personal data, please send an email to [email protected].

For what purpose does Saxion process my personal data?

The main purpose of processing employee data is to enable the performing of the employment or other contract in the broadest sense. This applies both at the start, during and at or after the termination of employment. This includes, for example, drawing up an employment contract, implementing the employment terms and conditions and taking a study programme.

As an employer Saxion also has the legal obligation to keep proper personnel records.

What personal data does Saxion collect about me?

To carry out its tasks, Saxion processes the following personal data of employees:

• name;
• address;
• contact details;
• social networks;
• date of birth;
• citizen service number (BSN)
• all information on
• proof of identity;
• bank account number;
• marital status;
• nationality;
• place of birth;
• gender;
• Certificate of Conduct (Verklaring Omtrent Gedrag)
• Personnel number;
• job title/description;
• salary/reimbursement;
• other information
• relating to the
• form of employment;
• authorisation data;
• other data (free
• entry fields).

Employee as user of an application:

• account information; metadata about system usage (such as time of day, activity).
• From applicants:
• name;
• address;
• contact details;
• social networks;
• Date of birth
• gender;
• Certificate of Conduct (Verklaring Omtrent Gedrag)
• CV;
• letter of motivation;
• salary indication;
• other data (free
• entry fields).

Partner/Children of (former) employees:

• name;
• date of birth;
• address;
• contact details;
• gender.

Emergency contact of (former) employees/trainees

• name;
• date of birth;
• address;
• contact details
• relationship to employee

What is Saxion’s legal basis for being allowed to process my data?

To be entitled to process personal data, Saxion must comply with a legal basis in the GDPR. The following legal basis applies to employee data:

1. For the conclusion and execution of an employment or other contract.
2. to comply with a legal obligation relating to conduct
3. When this is necessary for a legitimate interest of Saxion or a third party.

Sensitive personal data

Sensitive personal data enjoys extra protection under the GDPR because there is a significantly higher privacy risk for data subjects. This involves:

• Personal data showing a person's racial or ethnic origin;
• Personal data showing a person's political opinions
• Personal data showing a person's religious or philosophical beliefs;
• Personal data showing membership of a trade union;
• Personal data about a person's health;
• Personal data about a person's sexual behaviour or orientation;
• Genetic data;
• Biometric data (intended for the unique identification of a person).

Saxion will only process sensitive personal data when it meets the additional conditions in the GDPR.

How long does Saxion retain my personal data?

Saxion does not store your personal data longer than necessary to achieve the purposes for which the data was collected, or as long as specific laws or regulations require. For example, retention periods from the Archives Act (detailed in the Selection List Applied Universities or tax and labour laws). The retention period is determined by Saxion per processing. If you want to know the retention period of a specific processing act, you can contact Saxion at: [email protected].

What are my rights under the GDPR?

When Saxion processes your personal data, you have the following rights under the GDPR:

• Right of access: you have the right to inspect your personal data that Saxion processes
• Right to rectification: you have the right to correct or complete the personal data that Saxion processes about you if it is incorrect or incomplete.
• Right of objection: you can object to the processing of your personal data. You can also object to personally targeted advertisements.
• Right to erasure: you can request Saxion to delete your personal data.
• Right to withdraw your consent: if you have given Saxion permission to process personal data, you can always withdraw this consent.
• Right to data portability: if it is technically possible, you have the right to have the personal data that Saxion processes about you transferred to a third party.
• Right to restriction of processing: in some cases you can request Saxion to restrict the processing of your personal data. This may also be a temporary restriction.

How can I exercise these rights?

Do you have an active Saxion account? Submit your request through the Service Portal (Information Security & Privacy – GDPR – Exercising your rights under the GDPR). If you do not have a Saxion account you can submit your request at: [email protected].  Saxion will examine and assess each case individually to determine whether a specific request can be granted. Exercising your rights is free of charge, except in cases of abuse. To process your request, Saxion needs to verify your identity to prevent personal data from being disclosed to the wrong party or incorrect changes being made to your personal data. Once your identity has been verified, Saxion will respond to your request within four weeks.

How does Saxion protect my personal data?

Saxion takes appropriate technical and organisational measures to protect your personal data against misuse, loss, unauthorised access, unwanted disclosure and unauthorised changes.

Who does Saxion share my personal data with?

Saxion only shares personal data with third parties if this is in accordance with the applicable laws and regulations. This mainly occurs as a result of Saxion’s legal obligations. This involves sharing personal data with, for example, the Tax and Customs Administration, municipalities, the Ministry of Education, Culture and Science, DUO, the Higher Education Inspectorate and the Immigration and Naturalisation Service.

In addition, Saxion engages third parties to provide its services. Saxion will then only provide the personal data that is necessary for the task to be performed. Where necessary, terms are set out in a contract (such as a processor agreement).

Transfer to foreign countries

Most parties to which the Saxion provides personal data are located within the European Economic Area (EEA). A provision can only take place if, among other things, there is a valid legal basis for it and the receiving party complies with the legal requirements of the GDPR.

If personal data is provided to a party outside the EEA, measures will be taken and arrangements made to ensure that the processing is done securely and in line with the GDPR.

Questions? Complaints?

At Saxion, the Data Protection Officer (DPO) supervises and advises on the application of and compliance with the GDPR and Saxion’s privacy policy, as well as the allocation of responsibilities. The statutory tasks and responsibilities of the DPO give this officer an independent position in the establishment and performance of their duties. The DPO will also contribute to raising privacy awareness. The DPO works with and acts as a contact person for the supervisory authority (the Dutch Data Protection Authority). If you believe that your personal data is being processed by Saxion in violation of the GDPR, you can submit a complaint to the DPO at: [email protected]. The DPO acts independently and can consult or seek advice from the Dutch Data Protection Authority regarding your complaint.

Questions?

If you have any questions about this privacy notice, please contact us at: [email protected].

Modifications

The last modifications to this privacy notice were made in July 2025.

General

This privacy notice describes how Saxion University of Applied Sciences (hereinafter 'Saxion') processes your personal data. Saxion also has a privacy policy in addition to this privacy notice. The privacy policy describes how our employees are obliged to handle personal data. Students and employees can consult the privacy policy on MySaxion at the ‘Information Security & Privacy’ web page.

About Saxion

Saxion's Executive Board is the data controller within the meaning of the General Data Protection Regulation (GDPR) and is therefore ultimately responsible for the lawful and diligent processing of personal data within Saxion. The Executive Board determines the policy, measures and procedures relating to the processing of personal data.

Saxion is located at M.H. Tromplaan 28, 7513 AB in Enschede. Saxion's postal address is PO Box 70000, 7500 KB Enschede. For questions about this privacy notice or other questions regarding the processing of personal data, please send an email to [email protected].

For what purposes does Saxion process my personal data?

Saxion processes the data of website visitors for the following purposes:

• recruit prospective students
• improve customer journey
• register online and other events

What personal data does Saxion collect about me?

The following personal data may be processed:

• IP address
• Email address
• Name
• Telephone number

When you visit the Saxion website, cookies are placed. More information can be found here.

What is Saxion’s legal basis for being allowed to process my data?

To be entitled to process personal data, Saxion must comply with a legal basis in the GDPR. The following principles apply to the website:

• Permission given by visitor. If permission is required, then the reason it is needed will be stated on the relevant page. 
• Concluding/performing of a contract, for example enrolment in an event or showing interest in a study programme
• Legitimate interest, e.g. recruiting prospective students

Sensitive personal data

Sensitive personal data enjoys extra protection under the GDPR because there is a significantly higher privacy risk for data subjects. This involves:

• Personal data showing a person's racial or ethnic origin;
• Personal data showing a person's political opinions
• Personal data showing a person's religious or philosophical beliefs;
• Personal data showing membership of a trade union;
• Personal data about a person's health;
• Personal data about a person's sexual behaviour or orientation;
• Genetic data;
• Biometric data (intended for the unique identification of a person).

Saxion will only process sensitive personal data when it meets the additional conditions in the GDPR.

How long does Saxion retain my personal data?

Saxion does not store your personal data longer than necessary to achieve the purposes for which the data was collected, or as long as specific laws or regulations require. For example, retention periods from the Archives Act (detailed in the Selection List Applied Universities or tax and labour laws). The retention period is determined by Saxion per processing. If you want to know the retention period of a specific processing act, you can contact Saxion at: [email protected].

What are my rights under the GDPR?

When Saxion processes your personal data, you have the following rights under the GDPR:

• Right of access: you have the right to inspect your personal data that Saxion processes
• Right to rectification: you have the right to correct or complete the personal data that Saxion processes about you if it is incorrect or incomplete.
• Right of objection: you can object to the processing of your personal data. You can also object to personally targeted advertisements.
• Right to erasure: you can request Saxion to delete your personal data.
• Right to withdraw your consent: if you have given Saxion permission to process personal data, you can always withdraw this consent.
• Right to data portability: if it is technically possible, you have the right to have the personal data that Saxion processes about you transferred to a third party.
• Right to restriction of processing: in some cases you can request Saxion to restrict the processing of your personal data. This may also be a temporary restriction.

How can I exercise these rights?

Do you have an active Saxion account? Submit your request through the Service Portal (Information Security & Privacy – GDPR – Exercising your rights under the GDPR). If you do not have a Saxion account you can submit your request at: [email protected].  Saxion will examine and assess each case individually to determine whether a specific request can be granted. Exercising your rights is free of charge, except in cases of abuse. To process your request, Saxion needs to verify your identity to prevent personal data from being disclosed to the wrong party or incorrect changes being made to your personal data. Once your identity has been verified, Saxion will respond to your request within four weeks.

How does Saxion protect my personal data?

Saxion takes appropriate technical and organisational measures to protect your personal data against misuse, loss, unauthorised access, unwanted disclosure and unauthorised changes.

Who does Saxion share my personal data with?

Saxion only shares personal data with third parties if this is in accordance with the applicable laws and regulations. This mainly occurs as a result of Saxion’s legal obligations. This involves sharing personal data with, for example, the Tax and Customs Administration, municipalities, the Ministry of Education, Culture and Science, DUO, the Higher Education Inspectorate and the Immigration and Naturalisation Service.

In addition, Saxion engages third parties to provide its services. Saxion will then only provide the personal data that is necessary for the task to be performed. Where necessary, terms are set out in a contract (such as a processor agreement).

Transfer to foreign countries

Most parties to which the Saxion provides personal data are located within the European Economic Area (EEA). A provision can only take place if, among other things, there is a valid legal basis for it and the receiving party complies with the legal requirements of the GDPR.

If personal data is provided to a party outside the EEA, measures will be taken and arrangements made to ensure that the processing is done securely and in line with the GDPR.

Questions? Complaints?

At Saxion, the Data Protection Officer (DPO) supervises and advises on the application of and compliance with the GDPR and Saxion’s privacy policy, as well as the allocation of responsibilities. The statutory tasks and responsibilities of the DPO give this officer an independent position in the establishment and performance of their duties. The DPO will also contribute to raising privacy awareness. The DPO works with and acts as a contact person for the supervisory authority (the Dutch Data Protection Authority). If you believe that your personal data is being processed by Saxion in violation of the GDPR, you can submit a complaint to the DPO at: [email protected]. The DPO acts independently and can consult or seek advice from the Dutch Data Protection Authority regarding your complaint.

Questions?

If you have any questions about this privacy notice, please contact us at: [email protected].

Modifications

The last modifications to this privacy notice were made in July 2025.

General

This privacy notice describes how Saxion University of Applied Sciences (hereinafter 'Saxion') processes your personal data. Saxion also has a privacy policy in addition to this privacy notice. The privacy policy describes how our employees are obliged to handle personal data. Students and employees can consult the privacy policy on MySaxion at the ‘Information Security & Privacy’ web page.

About Saxion

Saxion's Executive Board is the data controller within the meaning of the General Data Protection Regulation (GDPR) and is therefore ultimately responsible for the lawful and diligent processing of personal data within Saxion. The Executive Board determines the policy, measures and procedures relating to the processing of personal data.

Saxion is located at M.H. Tromplaan 28, 7513 AB in Enschede. Saxion's postal address is PO Box 70000, 7500 KB Enschede. For questions about this privacy notice or other questions regarding the processing of personal data, please send an email to [email protected].

For what purposes does Saxion process my personal data?

Saxion processes personal data for different purposes when you visit one its locations. For example camera surveillance and security (with the goals of protecting property and the school environment and preventing theft, destruction and nuisance, increasing emotional and physical safety at the University for students, employees and visitors, better analysis of incidents and as a deterrent)

What personal data does Saxion collect about me?

When you visit a Saxion location as a visitor, the following personal data may be processed:

• Footage taken by the surveillance cameras.

What is Saxion’s legal basis for being allowed to process my data?

To be entitled to process personal data, Saxion must comply with a legal basis in the GDPR. In the case of camera surveillance for example, processing is based on the principle of legitimate interest.

Sensitive personal data

Sensitive personal data enjoys extra protection under the GDPR because there is a significantly higher privacy risk for data subjects. This involves:

• Personal data showing a person's racial or ethnic origin;
• Personal data showing a person's political opinions
• Personal data showing a person's religious or philosophical beliefs;
• Personal data showing membership of a trade union;
• Personal data about a person's health;
• Personal data about a person's sexual behaviour or orientation;
• Genetic data;
• Biometric data (intended for the unique identification of a person).

Saxion will only process sensitive personal data when it meets the additional conditions in the GDPR.

How long does Saxion retain my personal data?

Saxion does not store your personal data longer than necessary to achieve the purposes for which the data was collected, or as long as specific laws or regulations require. For example, retention periods from the Archives Act (detailed in the Selection List Applied Universities or tax and labour laws). The retention period is determined by Saxion per processing. If you want to know the retention period of a specific processing act, you can contact Saxion at: [email protected].

What are my rights under the GDPR?

When Saxion processes your personal data, you have the following rights under the GDPR:

• Right of access: you have the right to inspect your personal data that Saxion processes
• Right to rectification: you have the right to correct or complete the personal data that Saxion processes about you if it is incorrect or incomplete.
• Right of objection: you can object to the processing of your personal data. You can also object to personally targeted advertisements.
• Right to erasure: you can request Saxion to delete your personal data.
• Right to withdraw your consent: if you have given Saxion permission to process personal data, you can always withdraw this consent.
• Right to data portability: if it is technically possible, you have the right to have the personal data that Saxion processes about you transferred to a third party.
• Right to restriction of processing: in some cases you can request Saxion to restrict the processing of your personal data. This may also be a temporary restriction.

How can I exercise these rights?

Do you have an active Saxion account? Submit your request through the Service Portal (Information Security & Privacy – GDPR – Exercising your rights under the GDPR). If you do not have a Saxion account you can submit your request at: [email protected].  Saxion will examine and assess each case individually to determine whether a specific request can be granted. Exercising your rights is free of charge, except in cases of abuse. To process your request, Saxion needs to verify your identity to prevent personal data from being disclosed to the wrong party or incorrect changes being made to your personal data. Once your identity has been verified, Saxion will respond to your request within four weeks.

How does Saxion protect my personal data?

Saxion takes appropriate technical and organisational measures to protect your personal data against misuse, loss, unauthorised access, unwanted disclosure and unauthorised changes.

Who does Saxion share my personal data with?

Saxion only shares personal data with third parties if this is in accordance with the applicable laws and regulations. This mainly occurs as a result of Saxion’s legal obligations. This involves sharing personal data with, for example, the Tax and Customs Administration, municipalities, the Ministry of Education, Culture and Science, DUO, the Higher Education Inspectorate and the Immigration and Naturalisation Service.

In addition, Saxion engages third parties to provide its services. Saxion will then only provide the personal data that is necessary for the task to be performed. Where necessary, terms are set out in a contract (such as a processor agreement).

Transfer to foreign countries

Most parties to which the Saxion provides personal data are located within the European Economic Area (EEA). A provision can only take place if, among other things, there is a valid legal basis for it and the receiving party complies with the legal requirements of the GDPR.

If personal data is provided to a party outside the EEA, measures will be taken and arrangements made to ensure that the processing is done securely and in line with the GDPR.

Questions? Complaints?

At Saxion, the Data Protection Officer (DPO) supervises and advises on the application of and compliance with the GDPR and Saxion’s privacy policy, as well as the allocation of responsibilities. The statutory tasks and responsibilities of the DPO give this officer an independent position in the establishment and performance of their duties. The DPO will also contribute to raising privacy awareness. The DPO works with and acts as a contact person for the supervisory authority (the Dutch Data Protection Authority). If you believe that your personal data is being processed by Saxion in violation of the GDPR, you can submit a complaint to the DPO at: [email protected]. The DPO acts independently and can consult or seek advice from the Dutch Data Protection Authority regarding your complaint.

Questions?

If you have any questions about this privacy notice, please contact us at: [email protected].

Modifications

The last modifications to this privacy notice were made in July 2025.

This privacy notice describes how Saxion University of Applied Sciences ('Saxion') processes your personal data in the context of Wi-Fi counts. Saxion also has a privacy policy in addition to this privacy notice. The privacy policy describes how our employees are obliged to handle personal data. Students and employees can consult the privacy policy on MySaxion at the Information Security & Privacy web page. 

About Saxion 

Saxion's Executive Board is the data controller within the meaning of the General Data Protection Regulation (GDPR) and is therefore ultimately responsible for the lawful and careful processing of personal data within Saxion. The Executive Board establishes the policy, measures and procedures relating to the processing of personal data.

Saxion is located at M.H. Tromplaan 28, 7513 AB in Enschede. Saxion's postal address is PO Box 70000, 7500 KB Enschede. For questions, please email [email protected]. 

For what purpose does Saxion process my personal data? 

Saxion strives to make more intensive and efficient use of its indoor spaces. Optimising the occupancy of all spaces, requires more data and insight. Wi-Fi counts are being conducted to gain insight into the actual occupancy and use of educational spaces, meeting rooms and office spaces, compared to the planned occupancy and use. Among other things, this data is used to schedule classrooms in a ‘smart’ way, but also to manage Saxion’s buildings in a more efficient, sustainable and cost-effective manner.

What exactly are Wi-Fi counts?

Saxion uses access points located within Saxion’s buildings that detect Wi-Fi signals from mobile devices. Persons entering Saxion’s buildings who are in possession of, for example, a smartphone, tablet, laptop or smartwatch with Wi-Fi functionality enabled are detected by an access point. This access point transmits a limited data set of the detected mobile devices to the application, which then counts and registers the mobile devices and stores their locations.

Are you logged in to the Eduroam network? Then you will be included in the Wi-Fi count. The application will ensure that multiple mobile devices belonging to a single person are filtered, so each person is only counted once.

When looking at the data, Saxion will only be able to see how many people were in a room at a particular time, but we will not know their identity. People who are not logged in to the Eduroam network are not included in the Wi-Fi counts.

Where are the Wi-Fi counts conducted?

The Wi-Fi counts are conducted within Saxion’s buildings in Apeldoorn, Deventer and Enschede, where the Eduroam network is in use.

There are areas within Saxion’s buildings that are excluded from Wi-Fi counts, such as changing rooms, bathroom and shower facilities, first aid rooms, breastfeeding rooms, as well as rest and prayer rooms.

Student housing managed by Saxion, where the Eduroam network is also in use, namely The Heights in Deventer and Ariensplein in Enschede, are also excluded from these Wi-Fi counts.

What personal data does Saxion collect from me? 

If you are logged in to the Eduroam network and present within Saxion’s buildings, the access point will send the following data to the application that registers the Wi-Fi counts:

• IP address
• Their Saxion email address
• MAC address
• Location details

Important:

Your Saxion email address is processed as a unique identifier, as individuals often own multiple mobile devices, such as a mobile phone and a smartwatch. The MAC address of these mobile devices is processed.

If no unique identifier were to be used, all mobile devices would be counted separately in the Wi-Fi counts, which would result in Saxion having inaccurate occupancy data. Using the Saxion email address as a unique identifier ensures that the mobile devices belonging to one person are collectively included as a single entity in the Wi-Fi counts.

Hashing

The IP address, Saxion email address and MAC address are considered indirect personal data. Combining this data may lead to the identification of individuals.

When conducting out Wi-Fi counts, care is taken to ensure that this indirect personal data can no longer be traced back to individuals. This is done by immediately removing the IP address once it is received by the application. After detection by the access points, the email address and MAC address are assigned a so-called ‘hash’.

Hashing is a cryptographic method whereby data of a random nature is converted into a unique character string. Hashing is a one-way process that cannot be reversed.

This involves the use of current, strong hashing algorithms and randomisation, whereby the MAC address is automatically replaced by a randomly generated address. These measures ensure that the data collected via Wi-Fi counts cannot be traced back to individuals.

Only in exceptional cases, and only if the data is combined with other information and analysed in great detail, would it be possible to recognise certain behavioural patterns. Even then, it will be practically impossible to trace it back to a specific person.

Important to note: it is explicitly not Saxion’s goal to identify or track individuals, and the data will not be used for that purpose.

The right not to be included in Wi-Fi counts (opt-out)

To avoid being included in the Wi-Fi counts within Saxion’s buildings, you can disable the Wi-Fi functionality on your mobile devices.

What is Saxion’s legal basis for processing my data in the context of Wi-Fi counts? 

The processing of this data is based on Saxion’s legitimate interest, as referred to in Article 6(1)(f) of the GDPR. This interest refers to gaining insight into the occupancy and use of spaces within Saxion’s buildings, with the aim of managing them in a more efficient, sustainable and cost-effective manner.

How Saxion weighs up interests in the use of Wi-Fi counts

Saxion processes a set of (indirect) personal data for the purpose of Wi-Fi counts within its buildings based on legitimate interest. In doing so, Saxion has carefully weighed up its interests against the rights and freedoms of those involved (the ‘data subjects’). This weighing up is explained in more detail below.

1. Purpose of processing

The processing of this data provides us with insight into the occupancy and use of Saxion’s spaces, with the aim of managing the classrooms, work spaces and other rooms within the buildings in an efficient, sustainable and cost-effective manner.

2. Necessity

In order to obtain a complete and continuous picture of the occupancy and use of Saxion’s spaces in the relatively short term, and thus achieve the aforementioned objectives, it is necessary to continuously generate valid and accurate data that provides insight into the actual spatial occupancy and use of spaces. Without such a data flow, it would take Saxion considerably more time to achieve its objectives.

3. Balancing of interests

Saxion has carefully considered the potential impact on the privacy of those involved. The following factors were considered when balancing the interests:

• Consequences for those involved:

There will be no immediately noticeable consequences for those involved during their presence in Saxion’s buildings. The long-term effects of the Wi‑Fi counts are expected to be positive, as those involved will have access to a pleasant study and work environment that better suits their needs.

• Additional safeguards:

Saxion will take appropriate technical and organisational measures to safeguard the privacy of those involved and the security of data. This includes, where possible, the immediate removal of indirect personal data, as well as the application of hashing and randomisation. Saxion also applies relatively short retention periods for the collected data while access to the application is limited to a minimum number of administrators.

Saxion has taken various measures to inform those involved about the use of Wi‑Fi counts within the buildings. Signs and stickers have been placed outside the buildings to alert everyone to the use of Wi-Fi counts, with a reference to the (online) Saxion privacy notice for more detailed information about the processing of the corresponding data. This privacy notice also informs those involved of the option to opt out, which allows them to exclude themselves from participation in the Wi‑Fi counts.

In addition, an information page about the Wi-Fi counts is available on MySaxion. Those involved at Saxion are periodically informed about the use of Wi-Fi counts via news items on MySaxion.

Finally, those involved are informed of the Wi-Fi counts by means of signs placed at the main reception desks. Upon request, the reception staff can provide a more detailed explanation of Saxion’s privacy notice.

• Expectations of those concerned:

Those entering Saxion’s buildings expect data to be processed the moment they connect to the Saxion Wi-Fi network. However, they do not expect this data to also be used to measure space occupancy for the purpose of achieving Saxion’s intended goals.

• Seriousness of the interference:

When using Wi‑Fi counts within Saxion’s buildings, a limited set of indirect personal data is processed for the purpose of gaining insight into the occupancy and use of spaces. Although this data cannot be directly traced back to individuals, it may give some people the feeling that they are being monitored. This means that the processing of this data may be perceived as an invasion of privacy.

Saxion takes various technical and organisational measures to mitigate any privacy risks. By applying hashing and randomisation, as described under additional safeguards, the possibility of identifying individuals during data collection is virtually eliminated. No identification or profiling of individuals takes place; this is expressly not the aim of Saxion, and the data collected is therefore not used for this purpose.

Although the processing may formally fall within the scope of the GDPR due to the processing of indirect personal data, Saxion assesses the severity of the interference as low to very low, given the measures taken. The impact of the processing of this data on the privacy rights of data subjects is negligible and does not lead to adverse consequences at an individual level.

Sensitive personal data 

No special personal data is processed during the Wi-Fi counts.

What happens with the data?

The data obtained from the Wi‑Fi counts is temporarily stored within the application. Once it is used for analytical purposes, the dataset is first stripped of the hashed data, leaving only a numerical dataset containing occupancy data.

This dataset is then used to gain insight into the space occupancy and use of the buildings. These results are used for management information, enabling Saxion to make policy decisions in areas such as the scheduling of classrooms, but also to manage Saxion’s buildings in an efficient, sustainable and cost-effective manner.

How long does Saxion retain my personal data? 

Saxion stores the hashed data within the application for a maximum of ten days, after which it is automatically deleted.

What are my rights under the GDPR? 

Under the GDPR, data subjects have rights that allow them to gain insight into how Saxion processes personal data. However, in the case of the Wi‑Fi counts within Saxion, the data can no longer be traced back to individuals, partly due to the use of hashing and randomisation. Although the formal rights of data subjects remain in place, they do not apply in this context, with the exception of the right to object.

Right to object (Article 21 of the GDPR)

Despite the fact that no identifiable personal data is involved, Saxion is well aware of the great importance of transparency and the careful use of personal data. The right to object remains applicable to this specific processing operation.

A data subject may object if they believe that the processing, even in hashed form, may have adverse consequences for them. Saxion will carefully assess each objection, weighing up whether the objection is justified within the context of the legal basis for the processing operation and the technical irreversibility of the hashing and randomisation applied.

How can I exercise these rights? 

Do you have an active Saxion account? Submit your request through the Service Portal (Information Security & Privacy – GDPR – Exercising your rights under the GDPR). If you do not have a Saxion account you can submit your request at: [email protected]. 

Saxion will examine and assess each case individually to determine whether a specific request can be granted. Exercising your rights is free of charge, except in cases of abuse. To process your request, Saxion will need to verify your identity to prevent personal data from being disclosed to the wrong party or incorrect changes being made to your personal data. Once your identity has been verified, Saxion will respond to your request within four weeks. 

How does Saxion protect my personal data? 

Saxion takes appropriate technical and organisational measures to protect personal data against misuse, loss, unauthorised access, unwanted disclosure and unauthorised changes.  

Saxion has taken various measures in connection with the Wi‑Fi counts. This includes, where possible, the immediate removal of indirect personal data, as well as the application of hashing and randomisation.

The collected data is stripped of the hashed data, leaving only a numerical dataset containing occupancy data, which is used for analytical purposes. Within the application, Saxion maintains short retention periods, after which the data is deleted permanently. Furthermore, the application can only be accessed by a small number of employees who require access to the data to fulfil their job.

With whom does Saxion share my personal data? 

Since the indirect personal data obtained via Wi‑Fi counts is, where possible, deleted, hashed or randomised upon entry into the application, it is no longer considered personal data.

The occupancy data collected from the Wi‑Fi counts is used exclusively internally and is not shared with parties outside Saxion.

Transfer to foreign countries 

The data collected from the Wi‑Fi counts is stored in a data centre located within the European Economic Area (EEA).

Questions? Complaints? 

At Saxion, the Data Protection Officer (DPO) supervises and advises on the application of and compliance with the GDPR and Saxion’s privacy policy, as well as the allocation of responsibilities. The statutory tasks and responsibilities of the DPO give this officer an independent position in the establishment and performance of their duties. The DPO will also contribute to raising privacy awareness. The DPO works with and acts as a contact person for the supervisory authority (the Dutch Data Protection Authority). If you believe that your personal data is being processed by Saxion in violation of the GDPR, you can submit a complaint to the DPO at: [email protected]. The DPO acts independently and can consult or seek advice from the Dutch Data Protection Authority regarding your complaint.  

Questions? 

If you have any questions about this privacy notice, please contact us at: [email protected].

Modifications 

The latest changes to this privacy notice were made on 18 November 2025.

General

This privacy notice describes how Saxion University of Applied Sciences (hereinafter 'Saxion') processes your personal data. Saxion also has a privacy policy in addition to this privacy notice. The privacy policy describes how our employees are obliged to handle personal data. Students and employees can consult the privacy policy on MySaxion at the ‘Information Security & Privacy’ web page.

About Saxion

Saxion's Executive Board is the data controller within the meaning of the General Data Protection Regulation (GDPR) and is therefore ultimately responsible for the lawful and diligent processing of personal data within Saxion. The Executive Board determines the policy, measures and procedures relating to the processing of personal data.

Saxion is located at M.H. Tromplaan 28, 7513 AB in Enschede. Saxion's postal address is PO Box 70000, 7500 KB Enschede. For questions about this privacy notice or other questions regarding the processing of personal data, please send an email to [email protected].

For what purposes does Saxion process my personal data?

Saxion processes the data of course participants for the following purposes:

• registration and administrative handling of participation in the chosen study programme;
• provision of the study programme
• responding to questions from a course participant about the study programme
• sending newsletters

What personal data does Saxion collect about me?

When you join a study programme at Saxion as a course participant the following personal data may be processed:

• Attendance registration
• Name
• Information about the course
• Gender
• Email address
• Exam and examination results
• Contact details
• Citizen Service Number (BSN)
• Qualifications and certificates
• Date of birth
• Country of birth
• Place of birth
• Nationality
• Educational history and learning results
• Payment details
• Identification number
• Copy of ID document

What is Saxion’s legal basis for being allowed to process my data?

To be entitled to process personal data, Saxion must comply with a legal basis in the GDPR. When taking part in a course this is:

• the processing is necessary as part of performing a contract to which the data subject is party, namely the contract between Saxion and the course participant
• Permission: the course participant’s consent serves as the basis for sending a newsletter.

Sensitive personal data

Sensitive personal data enjoys extra protection under the GDPR because there is a significantly higher privacy risk for data subjects. This involves:

• Personal data showing a person's racial or ethnic origin;
• Personal data showing a person's political opinions
• Personal data showing a person's religious or philosophical beliefs;
• Personal data showing membership of a trade union;
• Personal data about a person's health;
• Personal data about a person's sexual behaviour or orientation;
• Genetic data;
• Biometric data (intended for the unique identification of a person).

Saxion will only process sensitive personal data when it meets the additional conditions in the GDPR.

How long does Saxion retain my personal data?

Saxion does not store your personal data longer than necessary to achieve the purposes for which the data was collected, or as long as specific laws or regulations require. For example, retention periods from the Archives Act (detailed in the Selection List Applied Universities or tax and labour laws). The retention period is determined by Saxion per processing. If you want to know the retention period of a specific processing act, you can contact Saxion at: [email protected].

What are my rights under the GDPR?

When Saxion processes your personal data, you have the following rights under the GDPR:

• Right of access: you have the right to inspect your personal data that Saxion processes
• Right to rectification: you have the right to correct or complete the personal data that Saxion processes about you if it is incorrect or incomplete.
• Right of objection: you can object to the processing of your personal data. You can also object to personally targeted advertisements.
• Right to erasure: you can request Saxion to delete your personal data.
• Right to withdraw your consent: if you have given Saxion permission to process personal data, you can always withdraw this consent.
• Right to data portability: if it is technically possible, you have the right to have the personal data that Saxion processes about you transferred to a third party.
• Right to restriction of processing: in some cases you can request Saxion to restrict the processing of your personal data. This may also be a temporary restriction.

How can I exercise these rights?

Do you have an active Saxion account? Submit your request through the Service Portal (Information Security & Privacy – GDPR – Exercising your rights under the GDPR). If you do not have a Saxion account you can submit your request at: [email protected].  Saxion will examine and assess each case individually to determine whether a specific request can be granted. Exercising your rights is free of charge, except in cases of abuse. To process your request, Saxion needs to verify your identity to prevent personal data from being disclosed to the wrong party or incorrect changes being made to your personal data. Once your identity has been verified, Saxion will respond to your request within four weeks.

How does Saxion protect my personal data?

Saxion takes appropriate technical and organisational measures to protect your personal data against misuse, loss, unauthorised access, unwanted disclosure and unauthorised changes.

Who does Saxion share my personal data with?

Saxion only shares personal data with third parties if this is in accordance with the applicable laws and regulations. This mainly occurs as a result of Saxion’s legal obligations. This involves sharing personal data with, for example, the Tax and Customs Administration, municipalities, the Ministry of Education, Culture and Science, DUO, the Higher Education Inspectorate and the Immigration and Naturalisation Service.

In addition, Saxion engages third parties to provide its services. Saxion will then only provide the personal data that is necessary for the task to be performed. Where necessary, terms are set out in a contract (such as a processor agreement).

Transfer to foreign countries

Most parties to which the Saxion provides personal data are located within the European Economic Area (EEA). A provision can only take place if, among other things, there is a valid legal basis for it and the receiving party complies with the legal requirements of the GDPR.

If personal data is provided to a party outside the EEA, measures will be taken and arrangements made to ensure that the processing is done securely and in line with the GDPR.

Questions? Complaints?

At Saxion, the Data Protection Officer (DPO) supervises and advises on the application of and compliance with the GDPR and Saxion’s privacy policy, as well as the allocation of responsibilities. The statutory tasks and responsibilities of the DPO give this officer an independent position in the establishment and performance of their duties. The DPO will also contribute to raising privacy awareness. The DPO works with and acts as a contact person for the supervisory authority (the Dutch Data Protection Authority). If you believe that your personal data is being processed by Saxion in violation of the GDPR, you can submit a complaint to the DPO at: [email protected]. The DPO acts independently and can consult or seek advice from the Dutch Data Protection Authority regarding your complaint.

Questions?

If you have any questions about this privacy notice, please contact us at: [email protected].

Modifications

The last modifications to this privacy notice were made in July 2025.

General

This privacy notice describes how Saxion University of Applied Sciences (hereinafter 'Saxion') processes your personal data. Saxion also has a privacy policy in addition to this privacy notice. The privacy policy describes how our employees are obliged to handle personal data. Students and employees can consult the privacy policy on MySaxion at the ‘Information Security & Privacy’ web page.

About Saxion

Saxion's Executive Board is the data controller within the meaning of the General Data Protection Regulation (GDPR) and is therefore ultimately responsible for the lawful and diligent processing of personal data within Saxion. The Executive Board determines the policy, measures and procedures relating to the processing of personal data.

Saxion is located at M.H. Tromplaan 28, 7513 AB in Enschede. Saxion's postal address is PO Box 70000, 7500 KB Enschede. For questions about this privacy notice or other questions regarding the processing of personal data, please send an email to [email protected].

For what purposes does Saxion process my personal data?

The personal data that Saxion collects from you will be processed by Saxion for the purpose of inviting former students to gatherings, parties or reunions and/or after registration maintain contact for the purpose of organising gatherings.

What personal data does Saxion collect about me?

Saxion processes the following data from you as an alumnus. Perhaps not all the following data applies to you.

• Name
• Information about the study programme taken
• Email address
• Telephone number

What is Saxion’s legal basis for being allowed to process my data?

Saxion can use one of the following principles as basis for processing your data as an alumnus:

• consent, for example to send a newsletter;
• the processing is necessary for the performance of a contract, for example when participating in an event;
• legitimate interest in keeping alumni engaged with Saxion.

Sensitive personal data

Sensitive personal data enjoys extra protection under the GDPR because there is a significantly higher privacy risk for data subjects. This involves:

• Personal data showing a person's racial or ethnic origin;
• Personal data showing a person's political opinions
• Personal data showing a person's religious or philosophical beliefs;
• Personal data showing membership of a trade union;
• Personal data about a person's health;
• Personal data about a person's sexual behaviour or orientation;
• Genetic data;
• Biometric data (intended for the unique identification of a person).

Saxion will only process sensitive personal data when it meets the additional conditions in the GDPR.

How long does Saxion retain my personal data?

Saxion does not store your personal data longer than necessary to achieve the purposes for which the data was collected, or as long as specific laws or regulations require. For example, retention periods from the Archives Act (detailed in the Selection List Applied Universities or tax and labour laws). The retention period is determined by Saxion per processing. If you want to know the retention period of a specific processing act, you can contact Saxion at: [email protected].

What are my rights under the GDPR?

When Saxion processes your personal data, you have the following rights under the GDPR:

• Right of access: you have the right to inspect your personal data that Saxion processes
• Right to rectification: you have the right to correct or complete the personal data that Saxion processes about you if it is incorrect or incomplete.
• Right of objection: you can object to the processing of your personal data. You can also object to personally targeted advertisements.
• Right to erasure: you can request Saxion to delete your personal data.
• Right to withdraw your consent: if you have given Saxion permission to process personal data, you can always withdraw this consent.
• Right to data portability: if it is technically possible, you have the right to have the personal data that Saxion processes about you transferred to a third party.
• Right to restriction of processing: in some cases you can request Saxion to restrict the processing of your personal data. This may also be a temporary restriction.

How can I exercise these rights?

Do you have an active Saxion account? Submit your request through the Service Portal (Information Security & Privacy – GDPR – Exercising your rights under the GDPR). If you do not have a Saxion account you can submit your request at: [email protected].  Saxion will examine and assess each case individually to determine whether a specific request can be granted. Exercising your rights is free of charge, except in cases of abuse. To process your request, Saxion needs to verify your identity to prevent personal data from being disclosed to the wrong party or incorrect changes being made to your personal data. Once your identity has been verified, Saxion will respond to your request within four weeks.

How does Saxion protect my personal data?

Saxion takes appropriate technical and organisational measures to protect your personal data against misuse, loss, unauthorised access, unwanted disclosure and unauthorised changes.

Who does Saxion share my personal data with?

Saxion only shares personal data with third parties if this is in accordance with the applicable laws and regulations. This mainly occurs as a result of Saxion’s legal obligations. This involves sharing personal data with, for example, the Tax and Customs Administration, municipalities, the Ministry of Education, Culture and Science, DUO, the Higher Education Inspectorate and the Immigration and Naturalisation Service.

In addition, Saxion engages third parties to provide its services. Saxion will then only provide the personal data that is necessary for the task to be performed. Where necessary, terms are set out in a contract (such as a processor agreement).

Transfer to foreign countries

Most parties to which the Saxion provides personal data are located within the European Economic Area (EEA). A provision can only take place if, among other things, there is a valid legal basis for it and the receiving party complies with the legal requirements of the GDPR.

If personal data is provided to a party outside the EEA, measures will be taken and arrangements made to ensure that the processing is done securely and in line with the GDPR.

Questions? Complaints?

At Saxion, the Data Protection Officer (DPO) supervises and advises on the application of and compliance with the GDPR and Saxion’s privacy policy, as well as the allocation of responsibilities. The statutory tasks and responsibilities of the DPO give this officer an independent position in the establishment and performance of their duties. The DPO will also contribute to raising privacy awareness. The DPO works with and acts as a contact person for the supervisory authority (the Dutch Data Protection Authority). If you believe that your personal data is being processed by Saxion in violation of the GDPR, you can submit a complaint to the DPO at: [email protected]. The DPO acts independently and can consult or seek advice from the Dutch Data Protection Authority regarding your complaint.

Questions?

If you have any questions about this privacy notice, please contact us at [email protected].

Modifications

The last modifications to this privacy notice were made in July 2025.

General

This privacy notice describes how Saxion University of Applied Sciences (hereinafter 'Saxion') processes your personal data. Saxion also has a privacy policy in addition to this privacy notice. The privacy policy describes how our employees are obliged to handle personal data. Students and employees can consult the privacy policy on MySaxion at the ‘Information Security & Privacy’ web page.

About Saxion

Saxion's Executive Board is the data controller within the meaning of the General Data Protection Regulation (GDPR) and is therefore ultimately responsible for the lawful and diligent processing of personal data within Saxion. The Executive Board determines the policy, measures and procedures relating to the processing of personal data.

Saxion is located at M.H. Tromplaan 28, 7513 AB in Enschede. Saxion's postal address is PO Box 70000, 7500 KB Enschede. For questions about this privacy notice or other questions regarding the processing of personal data, please send an email to [email protected].

For what purposes does Saxion process my personal data?

The personal data that Saxion collects from you is processed by Saxion for the following purposes:

• Purchasing products and ancillary services;
• Financial Administration
• Contact Management (CRM)
• Contract administration and contract management

What personal data does Saxion collect about me?

Saxion may process the following personal data:

• Telephone number
• name and address
• Function
• Bank details
• Account number
• Invoice address
• Financial transactions
• Gender
• IP address
• Email address

What is Saxion’s legal basis for being allowed to process my data?

Saxion can use one of the following principles as basis for processing your data:

• the processing is necessary for the performance of a contract, for example in a service contract;
• legal duty, for example to keep specific data and maintain a sound administration;
• legitimate interest, Saxion has a legitimate interest in processing the data for maintaining a good customer relationship and providing good customer service.

Sensitive personal data

Sensitive personal data enjoys extra protection under the GDPR because there is a significantly higher privacy risk for data subjects. This involves:

• Personal data showing a person's racial or ethnic origin;
• Personal data showing a person's political opinions
• Personal data showing a person's religious or philosophical beliefs;
• Personal data showing membership of a trade union;
• Personal data about a person's health;
• Personal data about a person's sexual behaviour or orientation;
• Genetic data;
• Biometric data (intended for the unique identification of a person).

Saxion will only process sensitive personal data when it meets the additional conditions in the GDPR.

How long does Saxion retain my personal data?

Saxion does not store your personal data longer than necessary to achieve the purposes for which the data was collected, or as long as specific laws or regulations require. For example, retention periods from the Archives Act (detailed in the Selection List Applied Universities or tax and labour laws). The retention period is determined by Saxion per processing. If you want to know the retention period of a specific processing act, you can contact Saxion at: [email protected].

What are my rights under the GDPR?

When Saxion processes your personal data, you have the following rights under the GDPR:

• Right of access: you have the right to inspect your personal data that Saxion processes
• Right to rectification: you have the right to correct or complete the personal data that Saxion processes about you if it is incorrect or incomplete.
• Right of objection: you can object to the processing of your personal data. You can also object to personally targeted advertisements.
• Right to erasure: you can request Saxion to delete your personal data.
• Right to withdraw your consent: if you have given Saxion permission to process personal data, you can always withdraw this consent.
• Right to data portability: if it is technically possible, you have the right to have the personal data that Saxion processes about you transferred to a third party.
• Right to restriction of processing: in some cases you can request Saxion to restrict the processing of your personal data. This may also be a temporary restriction.

How can I exercise these rights?

Do you have an active Saxion account? Submit your request through the Service Portal (Information Security & Privacy – GDPR – Exercising your rights under the GDPR). If you do not have a Saxion account you can submit your request at: [email protected].  Saxion will examine and assess each case individually to determine whether a specific request can be granted. Exercising your rights is free of charge, except in cases of abuse. To process your request, Saxion needs to verify your identity to prevent personal data from being disclosed to the wrong party or incorrect changes being made to your personal data. Once your identity has been verified, Saxion will respond to your request within four weeks.

How does Saxion protect my personal data?

Saxion takes appropriate technical and organisational measures to protect your personal data against misuse, loss, unauthorised access, unwanted disclosure and unauthorised changes.

Who does Saxion share my personal data with?

Saxion only shares personal data with third parties if this is in accordance with the applicable laws and regulations. This mainly occurs as a result of Saxion’s legal obligations. This involves sharing personal data with, for example, the Tax and Customs Administration, municipalities, the Ministry of Education, Culture and Science, DUO, the Higher Education Inspectorate and the Immigration and Naturalisation Service.

In addition, Saxion engages third parties to provide its services. Saxion will then only provide the personal data that is necessary for the task to be performed. Where necessary, terms are set out in a contract (such as a processor agreement).

Transfer to foreign countries

Most parties to which the Saxion provides personal data are located within the European Economic Area (EEA). A provision can only take place if, among other things, there is a valid legal basis for it and the receiving party complies with the legal requirements of the GDPR.

If personal data is provided to a party outside the EEA, measures will be taken and arrangements made to ensure that the processing is done securely and in line with the GDPR.

Questions? Complaints?

At Saxion, the Data Protection Officer (DPO) supervises and advises on the application of and compliance with the GDPR and Saxion’s privacy policy, as well as the allocation of responsibilities. The statutory tasks and responsibilities of the DPO give this officer an independent position in the establishment and performance of their duties. The DPO will also contribute to raising privacy awareness. The DPO works with and acts as a contact person for the supervisory authority (the Dutch Data Protection Authority). If you believe that your personal data is being processed by Saxion in violation of the GDPR, you can submit a complaint to the DPO at: [email protected]. The DPO acts independently and can consult or seek advice from the Dutch Data Protection Authority regarding your complaint.

Questions?

If you have any questions about this privacy notice, please contact us at [email protected].

Modifications

The last modifications to this privacy notice were made in July 2025.