Process-oriented strategies

Inform

Inform data subjects about the processing of their personal data in a timely and adequate manner, for example by:

  • Providing information via an information letter or privacy notice on a project website.
  • Providing verbal explanation before an interview.
  • Obtaining explicit consent via an informed consent procedure.

Control

Give data subjects adequate control over the processing of their personal data, for example by:

  • Specifying a procedure and responsible person in case data subjects want to exercise their data subject rights.
  • Providing data subjects with a contact point (e.g., email address) for questions and exercising their data subject rights.

Enforce

Commit to processing personal data in a privacy-friendly way, and adequately enforce this, for example by:

  • Using only Utrecht University-approved tools to collect, store, analyse and share personal data.
  • Entering into agreements with third parties if they are working with UU-controlled personal data. Such agreements ensure that everyone treats the data according to UU standards.
  • Always keeping your software up to date and using a virus scanner on your devices.
  • Appointing someone responsible for regulating access to the data.
  • Always reporting (suspicions of) data breaches. At UU, contact the Computer Emergency Response Team.
  • If needed, drawing up a privacy and/or security policy that specifies roles, responsibilities and best practices for how personal data are handled throughout a project.
  • Using a Trusted Third Party when linking individual data from different sources together.

Demonstrate

Demonstrate you are processing personal data in a privacy-friendly way, for example by:

  • Registering your research project in the UU processing register (once available).
  • Performing a Privacy Scan and storing it alongside the personal data.
  • Performing a Data Protection Impact Assessment (DPIA) for projects that have a high privacy risk for the data subjects.
  • Keeping information for data subjects and (signed) informed consent forms on file. This is not needed if you can fully anonymise the data: then you should delete the (signed) consent forms as well.