Skip to content
Logo Amsterdam University of Applied Sciences - link to home page

Privacy statement

This privacy statement was last updated on: 25 April 2024.

Personal data and privacy

The AUAS believes it is important that your personal data is processed carefully. Out of respect for everyone's privacy, we want to clearly inform all data subjects about this. We comply with the applicable laws. Your personal data is protected according to the requirements of the GDPR, the General Data Protection Regulation.

Privacy statement

Q&A about the processing of personal data and the rights under the GDPR.

  1. What is personal data?
  2. What data does the AUAS process?
  3. When is the AUAS permitted to process personal data?
  4. What purpose is served by the processing of personal data?
  5. What laws apply in addition to the GDPR?
  6. Do third parties receive personal data?
  7. How long is personal data kept?
  8. What security measures does the AUAS take?
  9. What are your rights?
  10. Questions about privacy?
  11. Want to report a complaint?

1. What is personal data?

Personal data is any information relating to an identified or identifiable person. This could be for example a name, an address or a phone number. Information about study results also qualify as personal data, such as in the Student Information System (hereinafter: SIS.

What legislation governs the processing of personal data?

The AUAS processes personal data for various purposes and in doing so it has to comply with a number of laws and regulations, such as the General Data Protection Regulation. Other aspects of laws and regulations related to personal data protection also apply, such as a retention obligation. The AUAS complies with this as well.

Who does the AUAS collect personal data from?

The AUAS processes privacy-sensitive data of, for example, students, employees and some service providers. Our aim is to prevent misuse of these data. How do we do that? For more information, see the text under ‘What security measures does the AUAS take?’.

2. What data does the AUAS process?

In order to perform its duties properly, the AUAS processes (or may process) the following data:

General personal data

•    first and last name
•    gender
•    date of birth
•    place of birth
•    address
•    imagery (e.g. photographs)
•    telephone number
•    email address
•    bank account number
•    student number
•    OC&W correspondence number
•    citizen service number (BSN)
•    copy of identification card or passport
•    insurance details
•    study data and study progress data
•    information you provide yourself
•    health data needed for proper guidance of students and employees
•    information of contacts, informal carers and/or legal representatives
•    personal data that are legally required to be provided on the basis of specific legislation, such as ‘de Wet op het hoger Onderwijs en wetenschappelijk onderzoek’.

Special categories of personal data

Special personal data are extra sensitive. Think of health data, for example. Personal data in these categories are processed only when necessary for proper guidance of students and employees. And, of course, only when strictly necessary.

3. When is the AUAS permitted to process personal data?

In order to process your data, a legal basis for doing so is required under the General Data Protection Regulation (GDPR). Below you can read which legal bases are valid under GDPR:

•    consent
•    vital interests
•    legal obligation
•    public task
•    contract
•    legitimate interest

In some cases, the AUAS needs your consent to process your personal data. An example of where we process your data based on your consent is to participate in a study. Consent may be revoked at any time.

There are also cases where the AUAS can use a different basis. This could include:

•    The processing is necessary for the performance of a (study) contract.
•    The processing is necessary to protect your vital interest (in the context of health) or that of another person.
•    The processing is necessary in order to comply with a statutory obligation, such as to provide education and issue diplomas.

4. What purpose is served by the processing of personal data?

The AUAS processes personal data for the benefit of educational activities, business operations and research, including:

•    Registering for a degree programme or course, or appointment of an employee.
•    Processing of study results, study progress and related information.
•    Implementing and improving services to prospective students, students, employees and alumni.
•    Providing further information on various topics concerning the AUAS, study choice, study, alumni or work.
•    Holding elections.
•    Recruitment and selection.
•    Securing and improving our websites.
•    Scientific or historical research or statistical purposes.
•    Employee performance.
•    Internal address books that allow us to contact data subjects.
•    Financial data to process payroll.
•    Use of camera surveillance for security purposes, based on the AUAS's Camera Surveillance Regulations.
•    A statutory obligation.
•    For business operations and improving the quality of services.
•    Answering or handling requests for information or complaints.

5. What laws apply in addition to the GDPR?

The AUAS naturally complies with laws and regulations relating to privacy and information security, such as: 

•    Grondwet
•    Uitvoeringswet Algemene verordening gegevensbescherming
•    Wet op het hoger onderwijs en wetenschappelijk onderzoek
•    arbeidswetgeving en CAO
•    Archiefwet
•    Telecommunicatiewet (Tw)
•    Auteurswet
•    Gedragscodes

6. Do third parties receive personal data?

The AUAS only provides personal data to others with your consent or because the AUAS is required to do so pursuant to a legal obligation. The AUAS does not process personal data for commercial purposes.

Please note: any consent given can be revoked at any time without having to give a reason. Interested in what other rights you have under the GDPR? See the information under heading 9 ‘What are your rights?’

Transfer of personal data to outside the European Economic Area (EEA)

No transfer of Personal Data to outside the EEA will take place unless:

  1. The third country, territory, defined sector in a third country, or the international organisation in question provides an appropriate level of protection, according to the European Commission. To determine an appropriate level of protection, the AUAS uses the general list of countries with an appropriate level of protection published by the European Commission.
  2. Transfers are made on the basis of appropriate safeguards as defined in the GDPR. The AUAS uses the Standard Contractual Clauses as adopted by the European Commission and additional security measures, which are (re)assessed for each intended transfer.
  3. Transfer takes place on the basis of one of the exceptions defined in the GDPR.

7. How long is personal data kept?

Your personal data may not be kept longer than necessary. In this context, the AUAS follows the legal obligations and, insofar as not regulated by law, the Selection List for Universities of Applied Sciences of the Dutch Association of Universities of Applied Sciences. Does the AUAS no longer require the data? Then the organisation deletes them.

8. What security measures does the AUAS take?

To ensure the secure processing of personal data, the AUAS takes appropriate technical and organisational security measures that can prevent unwanted processing of personal data.

We are responsible for your personal data. Among other things, this means that we:

  • Handle all personal data confidentially. We ensure that only designated persons can access them, based on their position and/or valid instructions.
  • Have taken proper security measures to protect your personal data against loss, dishonest access and theft. For instance, we secure the computers and networks to national standards and keep our sites safe. Paper records go into locked filing cabinets and/or are disposed of in locked paper containers. Our employees do not leave data lying around or collect unnecessary data.
  • We delete data when we no longer need them. This way, your personal data does is not available for an unnecessarily long time. 

We use personal data because they are necessary for teaching, conducting research and in connection with the AUAS's business operations. 

9. What are your rights?

Under the GDPR, you have eight rights:

  1. The right to be informed
    Data subjects have the right to clear information about what happens to their personal data. The AUAS will have to inform you what personal data are being processed, why the organisation is processing it, whether the AUAS shares your data with other organisations and if so, with which ones.
  2. The right of access
    This is the right of data subjects to, for example, receive a copy of the personal data the organisation processes about them, with the aim of gaining more control over the processing of their own personal data.
  3. The right to rectification
    The right to have the personal data processed amended if necessary, because it includes inaccurate personal data. (Personal) data may also need to be supplemented.
  4. The right to erasure (‘right to be forgotten’)
    People have the right to be 'forgotten'. But often not all personal data can be erased. For example, if there is a legal duty to use your personal data or keep them for a certain time. When does the right to erasure apply? One reason for this could be that the personal data are no longer needed, the data subject's consent has been revoked, the data subject objects to the use of their personal data (see also right to object), the personal data is being processed without a legal basis and/or the legal retention period has expired.
  5. The right to restriction of processing
    The right to have the processing of your personal data restricted. Several situations are conceivable for this right to be applicable, such as: the personal data may be inaccurate, the processing is unlawful, the personal data is no longer needed and/or a data subject objects to the processing.
  6. The right to object
    The right to object to the data processing on grounds relating to your particular situation. For example: a data subject from the AUAS has participated in a study and later finds out that an acquaintance of his/hers works as a researcher at that organisation and would prefer that their data not be used in the study.
  7. The right to data portability
    The right to have personal data transferred to another party. Students can ask to transfer their own personal data if they wish to terminate their study contract with the AUAS. They can then easily forward these data (or have them forwarded) to another educational institution.
  8. Rights in relation to automated decision making and profiling
    The right to human review of decisions based on automated processing. Some organisations take a decision based on automatically processed (personal) data. The GDPR gives data subjects the right to human involvement in decisions affecting them. For example: a job applicant who has applied to the AUAS has the right to have his/her application assessed by a human and not have the application processed via internet without human intervention. 

Invoking any of these eight rights

You can apply to the AUAS to invoke any of these rights under the GDPR. You can send your request to:

Hogeschool van Amsterdam
t.n.v. het Centrale Privacy Office
Muller-Lulofshuis
Wibautstraat 5a
1091 GH Amsterdam

Or via avg@hva.nl.

As a rule, you will receive a reply to your request within one month. In exceptional cases, the AUAS may extend this period with two months. You will be notified about this in that case.

10. Questions about privacy?

For questions on any GDPR topic, you can contact the AUAS's Central Privacy Team via avg@hva.nl.

You can also send a message to the AUAS's Data Protection Officer via
functionarisgegevensbescherming@hva.nl.

11. Want to report a complaint?

Are you dissatisfied with how the AUAS is handling your personal data? If so, always discuss this with your SLB lecturer or your supervisor. If you are still concerned, report this to the AUAS's Data Protection Officer:
Functionaris Gegevensbescherming.

You can also submit a complaint to the Dutch DPA(opens in new window).