Process-oriented strategies


Inform data subjects about the processing of their personal data in a timely and adequate manner, for example by:

  • Providing information via an information letter or privacy notice on a project website.
  • Providing verbal explanation before an interview.
  • Obtaining explicit consent via an informed consent procedure.


Give data subjects adequate control over the processing of their personal data, for example by:

  • Specifying a procedure and responsible person in case data subjects want to exercise their data subject rights.
  • Providing data subjects with a contact point (e.g., email address) for questions and exercising their data subject rights.


Commit to processing personal data in a privacy-friendly way, and adequately enforce this, for example by:

  • Using only Utrecht University-approved tools to collect, store, analyse and share personal data.
  • Entering into agreements with third parties if they are working with UU-controlled personal data. Such agreements will make sure everyone will treat the data up to UU-standards.
  • Always keeping your software up-to-date and using a virus scanner on your devices.
  • Appointing someone responsible for regulating access to the data.
  • Always reporting (suspicions of) data breaches. At UU, contact the Computer Emergency Response Team.
  • If needed, drawing up a privacy and/or security policy that specify roles and responsibilities and best practices on how personal data are handled throughout a project.
  • Using a Trusted Third Party when linking individual data from different sources together.


Demonstrate you are processing personal data in a privacy-friendly way, for example by:

  • Registering your research project in the UU processing register (once available).
  • Performing a Privacy Scan and storing it alongside the personal data.
  • Performing a Data Protection Impact Assessment (DPIA) for projects that have a high privacy risk for the data subjects.
  • Keeping information for data subjects and (signed) informed consent forms on file. This is not needed if you can fully anonymise the data: then you should delete the (signed) consent forms as well.