This page explains the General Data Protection Regulation (GDPR) and what it means for education and research.

What is the GDPR? 
The GDPR replaced the Dutch Personal Data Protection Act on May 25, 2018. This EU regulation about personal data processing ensures that the same privacy legislation applies throughout Europe. 

The GDPR: 

  • Ensures better rights to individuals whose data is being processed. 
  • Imposes more obligations on organisations and companies that process data. 
  • Gives the supervisory authority (in the Netherlands, this is the 'Autoriteit Persoonsgegevens') the power to impose high penalties if the GDPR is not complied with. 

What is personal data? 
Personal data is all data with which a person can be consciously identified directly or indirectly. Some examples are a person's name, (email) address, telephone number, online search behaviour and IP address. Special personal data, such as sensitive data about religion, race or health, are extra protected. 

What is processing? 
Processing is a broad concept. It includes terms such as collecting, recording, organising, storing, updating, modifying, retrieving, consulting, using, transmitting, distributing and making available. Even looking at someone’s screen is regarded as processing. Processing is therefore basically everything you can do with personal data.

When are you allowed to process collected personal data? 
Processing (using) personal data is only lawful if a lawful basis exists. You have a lawful basis for processing personal data if you meet one of the following conditions: 

  • You have permission from the person concerned. 
  • You have to process the personal data to perform an agreement to which the data subject is a party. 
  • You have to process the personal data to comply with a legal obligation. 
  • You have to process the personal data to protect the vital interests of the data subject or another person. 
  • You have to process the personal data because you are performing a task of public authority or public interest. 
  • You have a legitimate interest in processing the personal data that outweighs the interest of the data subject. 

The above only applies to the specified duration and the specific purpose for which you collected the data. Please note that the data subject may also withdraw their permission. In addition, data subjects have the right to, among other things, inspect, delete, or correct data. 

The GDPR and research 
During your research, you will always have to ask yourself the following questions if you process or want to process personal data: 

  • Do you only use the personal data for the purpose of your research? 
  • Do you have a legal basis for processing the personal data? 
  • Do you only use the data that is necessary to achieve the defined purpose? 
  • Have you informed the data subjects in advance about the purpose of the data processing? 
  • Have you properly secured the personal data, and have you thought about how you store the data, send it (digitally), etc.? 
  • Are the personal data you used still correct? 
  • Do you still need the data after a certain period? If not, delete the data. 

Privacy by design and privacy by default 
The research plan must clearly describe how you will ensure privacy and whether you will take the correct technical and organisational (security) measures for this at every step in the research process. The principle of data minimisation may help here: don not collect (sensitive) data that is not really necessary for the research. 

Data Protection Impact Assessment (DPIA) 
The DPIA is a risk assessment you have to perform before you start processing personal data. The DPIA shows in a structured way the risks of handling personal data during research. Carrying out a DPIA (or having it carried out) is mandatory when personal data is processed on a large scale or systematically evaluated. If in doubt, ask your institution's Data Protection Officer (DPO) or Privacy Contact Person (PCP) whether a DPIA is necessary.

If you have any questions about the information on this page, get in touch with your institution's Auteursrechten-informatiepunt (AIP) [Copyright Information Point].