Personal data: privacy and the GDPR
As an employee of Leiden University, you probably work with or come into contact with personal data. The concept of ‘personal data’ is core to the General Data Protection Regulation (GDPR). If you work with personal data, you must be able to explain clearly, comprehensively and in simple language how personal data is handled and processed within the organisation. This web page shares information on how to handle personal data properly and what the university does to support you in this.
Special category data
Personal data involves any information that can be traced back to a specific person. This includes not only names, addresses and places of residence, but also bank account numbers, telephone numbers and postal codes with house numbers. Data such as IP addresses, MAC addresses and browser settings are also considered personal data in certain instances. This is the case if you can identify someone based on this data (whether or not in combination with other data). Sensitive data such as a person's race, religion or health are called special category data. They have been awarded extra protection by the legislator.
If you are processing special category data, it is important to carefully consider the following beforehand:
- What data you collect.
- Whether this data can be used in combination with other data to identify a data subject.
- What data you link together.
Consent for personal data processing
Does your work require the collection of personal data? The law provides a number of legal grounds on which this can be done.
- You have the informed consent of the person involved.
- The data processing is necessary for the execution of an agreement.
- The data processing is necessary for compliance with a legal obligation.
- The data processing is necessary for the protection of vital interests.
- The data processing is necessary for the fulfilment of a task of general interest or the exercise of governmental authority.
- The data processing is necessary for the protection of legitimate interests.
One of the above-stated grounds is sufficient for the collection and processing of personal data. When working with special category data, you must also be able to invoke a statutory exemption.
What do you need to process personal data?
Privacy Desk: If you have any questions about privacy, please contact the Privacy Desk.
Research: Do you process personal data for research purposes? You can find more information and tips on this page for research using personal data.
Data processing register: If you process personal data, you must keep a record of this in a processing register. This also applies to research. Under certain conditions, a processing register is not required for one-off processing operations.
Processor agreement: If you engage another party to process personal data, a processor agreement is required.
Informed consent: In many cases, you need data subjects' permission to process their personal data. More information can be found here, also about research.
Deletion of personal data: People have the right to have their personal data deleted in a number of cases.
Assistance in case of a data breach: If you have lost control over stored personal data, this may be considered a data breach. This is the case, for instance, if your laptop is stolen, or even if you lose a printed list of personal data. Leiden University is required by law to report data breaches within 72 hours to the Dutch Data Protection Authority. You should, therefore, report a data breach to the ISSC Help Desk as soon as possible.