Universiteit Leiden

nl en

Data processing register

A data processing register is a record of which personal data you process and who you share this data with. If you collect personal data for your research, you must record this in the data processing register.

Data processing register for business processes

The university maintains a central record of the processing of personal data. The university must be able to show that it is taking technical and organisational measures to protect personal data. This takes place in the data processing register, which sets out:

  • what personal data is processed
  • the reason for processing this personal data
  • where the information was obtained
  • who the information is shared with

Data processing register for research

If you are starting a new research project that uses personal data, you must record in the data processing register for researchers how you will process the data. You can use the data management plan (DMP) to describe how you expect to process the data and which agreements you have reached.


For any questions about the data processing register for researchers, please contact your privacy officer or the Privacy Service Point. For general questions and advice on processing personal data and writing a DMP, please contact the Centre for Digital Scholarship.

High-risk personal data processing

Data processing can sometimes imply a high level of risk to the privacy of those involved. This is always the case when:

  • you are processing information on a large scale
  • you are processing sensitive personal data
  • the processing implies a high level of risk to those involved

A 9-question form has been developed to establish whether processing involves a heightened risk. Ask your privacy officer or the Privacy Service Point for this form.

Data Protection Impact Assessment (DPIA)

When there is a heightened risk to privacy, you must assess the (potential) risks before you start processing any data. This is known as a Data Protection Impact Assessment (DPIA). A DPIA must be laid out in writing and must always include the following elements:

  • A systematic description of the data processing and the objectives.
  • An assessment of the proportionality of the processing.
  • An appraisal of the risks to those involved.
  • A summary of the measures taken to mitigate the risks identified. 
  • What does the university do with high-risk processing?
  • When should I do something with high-risk processing?

If you need any help writing a DPIA, please contact the Privacy Service Point.

This website uses cookies.  More information.