Saxion protects the privacy of all parties involved in its educational and research activities. It considers it to be its duty to handle the personal data of its stakeholders with extreme precision and transparency.
1. Saxion and Privacy
For this reason, Saxion takes organisational and technical measures to prevent violations of the privacy of its current and prospective students as well as alumni, current and former employees and applicants, external parties and temporary employees, guests, and field representatives. Saxion wants to serve as an example for its students, who will have to take on this responsibility in their own professional practice at some point.
2. What are your rights?
As a Saxion stakeholder, such as employee, student, guest, visitor, or external partner, the General Data Protection Act (GDPR) [AVG] provides you with the right to know which of your personal data are being processed by Saxion, how, and why.
- Right of access: you have the right to request a complete summary of the personal data Saxion has stored about you. Using the web form, you can request a summary and indicate the specific data you would like to review.
- Right to rectification: if you feel the data which Saxion has recorded about you is factually incorrect, incomplete, or irrelevant, you can request that a correction be made to the personal data.
- Right to object: under certain circumstances, you have the right to object to Saxion’s use of your data. This can only be done if Saxion processes your data based on a general or joint interest and not if Saxion is legally required to do so.
- Right to erasure: in certain cases, you have the right to request that your data be erased. This means that you can request that Saxion remove all data related to you. This right applies in the following situations:
- No longer required: Saxion no longer needs your personal data for the purposes for which they were collected or processed.
- Withdrawal of consent: you previously provided express consent to Saxion for the use of your data but are now withdrawing that consent.
- Objection: you object to the processing of your data. For example, pursuant to Art. 21 of the GDPR, there is an absolute right to object to direct marketing in this case.
- Unlawful processing: Saxion is unlawfully processing your personal data. For example, there may be no legal basis for the processing.
- Right to restriction: the processing of your personal data will be stopped temporarily. For example, you can exercise this right if you are unsure the data Saxion is processing is correct. A “request for restriction” will not result in the deletion of your personal data. In this case, the data must be kept available so that the restriction you have requested can be removed at a later time.
- Right to data portability: you have to the right to the “portability” of your personal data. You can receive a copy of your personal data in the format used by Saxion to process it via automated means, so that it can be reused and provided to other organisations.
3. How can you exercise your rights?
Please, make a choice:
Please note: before your request can be processed, you must provide proof of identity at a Saxion location within four weeks of submission. This enables Saxon to ensure that the personal data requested is only provided to the correct person. If you have not provided proof of identity within four weeks, Saxion will delete the request. Saxion will respond to your request no later than four weeks after you provide proof of identity.
4. Basic principles
Saxion processes personal data carefully and according to the principles of the GDPR, as well as to any related legislation if required. For the purposes of meeting this objective, Saxion has established several of its own basic principles.
- Legality: the processing of personal data is based on one of the legal reasons specified in Article 6 of the GDPR. Consequently, Saxion complies with all legal and standard frameworks (in this case, Dutch and EU rules) when processing personal data and clearly defines its responsibility and the responsibility of others with regard to personal data. Saxion also uses and upholds the codes of conduct applicable to its sector.
- Fairness and transparency: personal data are only processed in a way that is fair and transparent to stakeholders. This means that it should be clear to what extent and in what way the personal data are processed. Information and communication regarding this must be easily accessible and understandable.
- Personal data are only processed for well-defined, specific and justified purposes that have been explicitly described and recorded before any processing begins.
- Purpose limitation: personal data are not further processed in a way that is not compatible with the purposes for which the data was acquired.
- Minimum data processing: when processing personal data, the quantity and type of data is limited to personal data necessary for the specific purpose. With regard to this purpose, the data must be sufficient, relevant, and not excessive. Personal data processing is done in the least intrusive manner and must be in reasonable proportion to the intended purpose.
- Accuracy: Saxion takes measures to ensure that the processing of personal data is as correct and current as possible.
- Integrity and confidentiality: personal data are adequately protected in accordance with the applicable security standards.
- Storage limitation: Saxion does not process personal data for longer than necessary for processing purposes. In this regard, Saxion observes the applicable retention and destruction periods.
- Accountable and auditable: Saxion can demonstrate compliance with all policy objectives in accordance with the applicable legal provisions. Internal supervision and monitoring safeguards this accountability obligation and is enforceable in accordance with legal principles.
- Access to personal data is restricted by authorisations when necessary.
5. Processing of personal stakeholder data at Saxion
Saxion receives or collects personal data when these are required for providing services, performing transactions, providing information, or granting access. The data we collect are always adjusted to the purpose indicated, meaning we do not collect any more information than we need to achieve a specific objective. We may collect data on the following stakeholder types:
- Staff members, including applicants and former staff members
- Prospective students (incoming)
- Alumni and former students (outgoing)
- External parties, including guest staff members
In most cases, the personal data will be provided by the stakeholders themselves. Within the university of applied sciences, these data can be sent out from an internal source system or retrieved by a different system if necessary. We also receive personal data from third-party systems.
5.1 Processing records
The personal data collected from you will be used by the university of applied sciences for business operations and for performing legal tasks and obligations as necessary for education and research. The summary below describes the main processes Saxion may use to collect personal data, the primary components of which are listed for each process:
- Education and educational support: registration and enrolment, degree programme, tracking results and academic progress, guidance and advice, providing learning materials, handling disputes, facilitating audits, graduation, addresses and yearbook, scheduling and the digital testing system.
- Research and research support: research administration and data.
- Partner management: campaigns, contact, mailing lists and newsletters, degree programmes and graduation dates, focused on prospective students, alumni, and participants in various activities; data for businesses, organisations, and persons with which the university of applied sciences has different types of partnerships (e.g. via contract, processor agreement, or partnership agreement for providing or receiving products and services.)
- Personnel matters: determining salary claims, arranging claims for payments in connection with termination of employment, internal and external audits related to occupational medical care.
- Business operations and finances: financial administration, purchasing system, payment system, IT management, and legal procedures.
- Facilities: access and management systems, camera surveillance, identity management
- Web content management
- Library system
- Images for university of applied sciences communications
Records are reported by the unit responsible, whether academic or service-related, to the privacy team. The privacy officer maintains a processing register. This allows Saxion to keep a complete summary of the records.
5.2 Personal data categories
In principle, Saxion only collects and processes basic personal data, such as name/address information, date of birth, contact details (e-mail, telephone number, etc.) for the above-mentioned processes.
Saxion does not process special data, such as medical data, ethnicity data, genetic data or sexual orientation data, unless there is a legal obligation to do so (e.g. for BSN number) or consent has been provided by the stakeholders for specific occasions, such as orientation days and filling student dean positions. Saxion also processes sensitive personal data for specific purposes, such as study results for the sake of tracking academic progress and financial data for accounts receivable and salary administration.
We may also collect your data if you provide this information on Saxion websites for the purposes of staying abreast of various activities at the university.
Saxion also collects personal data in relation to scientific research. This concerns data on research participants. This is also done in accordance with the law and applicable codes of conduct.
If you feel that your personal data are being processed at Saxion in a way that violates the GDPR, you can submit a complaint to the Data Protection Officer (FG - Functionaris Gegevensbescherming) using the “Complaints and Disputes” reporting service. The FG is your link between Saxion and the external supervising authority, the Dutch Data Protection Authority. The FG acts independently and can discuss your complaint or request recommendations from the Dutch Data Protection Authority. The Saxion FG is registered with the Dutch Data Protection Authority under number FG000531.
If you do not agree with how your complaint was handled by the Saxion FG, you can submit a complaint directly to the Dutch Data Protection Authority. The Dutch Data Protection Authority will handle the complaint or request and come to a decision about it.