Privacy Statement
TU Delft takes the utmost care with personal data and in doing so acts within the law, including the General Data Protection Regulation (GDPR). This Privacy Statement provides you with information about the purposes for which TU Delft processes personal data and about exercising your privacy rights. We also provide further information that may be of importance to you. In TU Delft's cookie policy you can read which cookies TU Delft uses.
The Privacy Statement applies to all TU Delft activities (including those via the website). Below you will find the most important information on the processing of personal data by TU Delft. If you still have questions after reading this, you can always contact the TU Delft Privacy Team. The contact details can be found at the end of this Privacy Statement.
Data controller and responsibility
TU Delft considers it to be of essential importance that the personal data of its students, researchers, staff and visitors is processed and secured with the utmost possible care. In this Privacy Statement TU Delft explains which personal data is processed by TU Delft and why. You can also read about your rights and about the other parties with whom TU Delft may share your personal data.
What personal data does TU Delft process and for what purposes?
TU Delft collects personal data from a variety of data subjects. TU Delft receives most personal data directly from the data subject, but may also receive personal data via other organisations.
Please see below for each type of data subject which personal data is processed and for what purposes. These overviews of personal data and purposes are based on the most common processes within TU Delft. Information on the incidental or very specific processing of personal data is provided in separate supplementary Privacy Statements.
TU Delft processes the following types of personal data of current and prospective students:
- Identification details (such as name and address, date and place of birth, student number, NetID);
- Contact details and e-data (such as e-mail address, telephone number, logging, IP addresses);
- Health data (such as physical and psychological data in the context of study facilities and study support);
- Citizen Service Number (BSN);
- Nationality;
- Financial data (such as bank account number and tuition fee payments);
- Personal characteristics (gender);
- Education (e.g. marks, academic progress, student career guidance, internship company, diplomas);
- Performance data (e.g. personal feedback, reports);
- Image and sound recordings (e.g. photo, video);
- Licence plate.
TU Delft uses the personal data of current and prospective students for the following purposes in particular:
- Proper progress of the orientation for the programme choice;
- Application, selection and enrolment in a degree programme;
- Good organisation and progress of the education and examinations;
- Tracking and measuring academic progress;
- Handling complaints, objections and appeals;
- Dealing with data breaches and requests in respect of the rights of data subjects;
- Providing effective student career guidance;
- Assessing and implementing a request for special facilities for a student with a (physical) disability;
- Preventing and investigating suspicions of plagiarism and fraud and taking (legal) measures in case of detected wrongdoing;
- Nomination for membership, award or nomination;
- Evaluation of the quality and accessibility of education and the organisation of TU Delft;
- Conducting surveys on student satisfaction by TU Delft or organisations other than TU Delft;
- Monitoring the safety of people, goods and buildings on the campus, including access control and camera surveillance;
- Protecting company assets, (personal) data and the intellectual property rights of TU Delft;
- Controlling availability, improving and securing capacity of ICT facilities;
- Securing TU Delft's ICT facilities, including the prevention of wrongful use;
- Controlling the availability of parking facilities;
- Reporting domestic violence and sex offences.
TU Delft processes the following types of personal data of alumni:
- Name and address details;
- Gender;
- Contact details (such as e-mail address and telephone number);
- Details of the degree programme followed;
- Financial data.
TU Delft uses alumni's personal data for the following purposes in particular:
- Inviting alumni to TU Delft events;
- Approaching alumni for guest lectures;
- Fundraising;
- Dealing with data breaches and requests in respect of the rights of data subjects.
In this context TU Delft staff members are understood to be: employees with an employment contract, temporary employees, student teaching assistants, seconded staff members, persons who perform work in the context of an assignment, prospective staff members (applicants), former staff members and trainees.
TU Delft processes the following types of personal data of staff:
- Identification details (such as name and address, date and place of birth, personnel number, NetID);
- Contact details and e-data (such as e-mail address, telephone number, logging, IP addresses);
- Health data (as far as necessary in case of incapacity for work);
- Copy of identification document and Citizen Service Number;
- Nationality;
- Trade union membership (for the tax settlement of trade union dues);
- Financial data (e.g. bank account number, (salary) payments and expense claims);
- Personal characteristics (such as gender and marital status);
- Education and training (such as diplomas, work-related training);
- Profession and occupation (e.g. CV, type of employment, additional positions);
- Performance data (e.g. personal feedback, reports);
- Image and sound recordings (such as photo, video);
- Licence plate;
- Location data (such as teaching timetable, workplace, room reservation).
TU Delft uses the personal data of staff members for the following purposes in particular:
- Well-organised recruitment and selection of staff members;
- Ensuring good opportunities for staff members to develop themselves;
- Correct and efficient staff and salary administration;
- Balanced and orderly deployment planning of staff members;
- Ensuring a proper staff evaluation system;
- Support in case of sickness and absenteeism of staff members;
- Consulting the confidential adviser;
- Works Council elections;
- Handling complaints, objections and appeals from staff members;
- Dealing with data breaches and requests in respect of the rights of data subjects;
- Conducting surveys by TU Delft or organisations other than TU Delft, for example on equal treatment and staff satisfaction;
- Monitoring the safety of people, goods and buildings on the campus, including access control and camera surveillance;
- Protecting company assets, (personal) data and the intellectual property rights of TU Delft;
- Controlling availability, improving and securing capacity of ICT facilities;
- Securing TU Delft's ICT facilities, including the prevention of wrongful use;
- Controlling the availability of parking facilities;
- Reporting domestic violence and sex offences.
For more information about the personal data that is collected when visiting TU Delft websites, please see the TU Delft cookie policy.
When someone accesses the TU Delft online environment as a visitor or guest (for example, in a Microsoft Teams environment), TU Delft will process the following personal data:
- User name;
- Log data;
- IP address.
TU Delft uses these personal data for the following purposes in particular:
- Securing TU Delft's ICT facilities, including the prevention of wrongful use.
TU Delft processes the following personal data of visitors to the campus:
- Name and company;
- E-mail address;
- Camera images;
- Licence plate.
TU Delft uses the personal data of visitors for the following purposes in particular:
- Visitor reception at the Service Points;
- Providing a visitor account for WiFi access;
- Monitoring the safety of people, goods and buildings on the campus, including access control and camera surveillance;
- Protecting company assets, (personal) data and the intellectual property rights of TU Delft;
- Controlling availability, improving and securing capacity of ICT facilities;
- Securing TU Delft's ICT facilities, including the prevention of wrongful use;
- Controlling the availability of parking facilities.
TU Delft processes the following personal data of participants in scientific research:
- Personal data in the informed consent form;
- Personal data in research data (exactly which personal data in research data is processed is explained in the informed consent information).
TU Delft uses the personal data of research participants to carry out scientific research.
What is TU Delft's legal ground for processing your personal data?
TU Delft bases all processing of personal data on one of the six legal grounds laid down in the GDPR:
TU Delft offers some activities that require your consent. This may, for example, include using your e-mail address to send a newsletter, promotional e-mails or for conducting research. Your personal data will only be used if you have given consent for us to do so. In this regard you will always be notified of the purposes for which your data will be used, which data is involved and to whom it will be provided. If you give TU Delft permission to use this personal data, you will also be entitled to withdraw this consent at a later stage. Withdrawal cannot apply retrospectively. The information you receive before you give your consent will tell you how to withdraw your consent. If you no longer have that information, you can also send an e-mail to the Privacy Team. The contact details can be found at the end of this Privacy Statement.
The requirement for permission does not apply if you are sent newsletters or e-mails within the context of your degree programme or employment.
TU Delft can process personal data to perform a contract to which the data subject is a party, for example an employment contract for staff members or purchasing contracts.
TU Delft may process personal data because this is required on the basis of legislation. This is the case, for example, when passing on student data to the Education Executive Agency (DUO) or salary data to the Tax and Customs Administration.
TU Delft may process personal data to carry out a task of public interest or public authority of TU Delft. Under the Higher Education Act, for example, TU Delft has the task of providing academic education and conducting academic research. These are tasks of public interest.
TU Delft may process personal data to serve a legitimate interest (a compelling interest of TU Delft or a third party). One example is the use of security cameras on the campus to protect people, property and buildings.
TU Delft may process personal data to protect the vital interests of individuals. An example of this may be a situation where care providers need personal data in order to provide urgently needed medical assistance to the data subject.
Sharing of data with third parties
TU Delft will not sell your personal data to third parties.
Third parties may provide certain services on behalf of TU Delft. TU Delft makes agreements with these data processors in order to guarantee confidential and careful handling of personal data. These agreements are laid down contractually in data processing agreements.
TU Delft also regularly works in partnership with external organisations. Partnerships exist, for example, in the field of education and research. Within those partnerships personal data can be processed and shared with those external partners but only, of course, if the requirements of the GDPR are met.
TU Delft provides personal data to enforcement authorities or organisations combating fraud if this is necessary in order to comply with a statutory obligation or a court decision.
The categories of third parties with which TU Delft shares data include:
- Government agencies, such as DUO, the Tax and Customs Administration and the Immigration and Naturalisation Service (IND);
- Investigating authorities;
- Universities;
- Research groups.
Transfer of personal data outside the European Union
In some cases personal data is processed in countries that are not part of the EU, or by suppliers based outside the EU.
TU Delft assesses each transfer of personal data by means of a standard process for the application of appropriate measures in order to guarantee an adequate level of protection for the processing of personal data both within and outside the EU. This process is regularly reviewed and is in line with the latest developments in laws and regulations.
How long is the personal data retained?
TU Delft retains your personal data in accordance with the GDPR. The exact retention period depends on the category of personal data and the purpose for which it is processed. The data is retained in accordance with the statutory retention period and for no longer than is strictly necessary in order to achieve the purposes for which the data was collected.
TU Delft bases its legal retention periods on, among other things, the Basic Selection Document (BSD) for University Education 1985, the Selection List for Universities and University Medical Centres 2020, the Public Records Act and other laws (such as tax and labour laws).
What are your privacy rights?
As a data subject (the person to whom the personal data relates), you have certain rights under the privacy legislation. If you wish to exercise these rights, please send a request to the following e-mail address: privacy-tud@tudelft.nl.
When you make a request, a member of the Privacy Team will ask you to identify yourself to ensure that only you have access to your own personal data.
Your rights are:
- Right to access: you can request an overview and/or inspection of the personal data that we process about you.
- Right to rectification: if there are demonstrable mistakes in your personal data or it is incomplete, you can ask for the data to be rectified or supplemented.
- Right to 'be forgotten': you can request that your personal data be deleted from the TU Delft files. Such a request may be rejected if TU Delft is legally obliged to retain the data for a longer period.
- Right to restrict the processing of your personal data: in certain cases you can ask TU Delft to stop processing your personal data temporarily.
- Right to data portability: in certain cases you can request that your personal data be transferred to an organisation designated by you.
- Right to object to the processing of your personal data: in certain situations you can object to the processing of your personal data.
In addition, you always have the option of submitting a complaint about the use of your personal data to the Dutch Data Protection Authority. Further information is available on the website of the Dutch Data Protection Authority.
Technical security
TU Delft handles personal data confidentially. TU Delft applies appropriate technical and organisational measures in order to provide optimum protection for your personal data against unauthorised access or use. TU Delft reports any abuse or attempted abuse of personal data.
Third parties’ privacy policy
The TU Delft website includes links to other websites that are not part of TU Delft. TU Delft has no responsibility for the way in which these parties process personal data and therefore advises you to inform yourself of these parties’ privacy policies or to contact them for a more detailed explanation of their policy on the use of personal data.
Questions
If, after reading this information, you have specific questions or comments about TU Delft’s Privacy Statement, please do not hesitate to contact us by sending an e-mail to privacy-tud@tudelft.nl. The TU Delft Data Protection Officer can also be contacted at the e-mail address fg@tudelft.nl.
This Privacy Statement was most recently updated in July 2022.