General Data Protection Regulation (GDPR)

This quick reference guide [1] explains GDPR (General Data Protection Regulation) in general and in relation to education and research data.


[1] Sources consulted Wikiwijs SURF privacy in education; College Raymond Snijders; College Raymond Snijders Autoriteit persoonsgegevens (The Dutch Data Protection Authority-DPA)


What is GDPR?

The GDPR replaced the Dutch Data Protection Act on 25 May 2018. This regulation ( GDPR) applies to processing personal data and ensures that the same legislation applies throughout Europe.


  • gives more rights to people whose data is processed;
  • imposes more obligations on organisations and enterprises that process data;
  • Gives the supervisory authority (In the Netherlands this is the Dutch Data Protection Authority) the competence to impose hefty fines in the case of non-compliance with GDPR.

What is personal data?

Any information by which a person can be directly or indirectly identified. Examples include: name, (email) address, telephone number, search behaviour, IP-address, etc.Special categories of personal data, including sensitive data about religion, ethnic origin, health, are subject to additional protection.

What is processing?

This is a broad term. It covers terms such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, etc. Even watching another person’s screen falls under processing. Processing is therefore in fact anything you can do with personal data.

When can you process collected personal data?

Processing (using) personal data is only lawful if you have a legal basis for it. You have a legal basis to process personal data if you meet one of the following conditions:

  • you have permission from the data subject involved;
  • you must process personal data for the implementation of an agreement in which the data subject is a party;
  • you must process personal data to comply with a legal obligation;
  • you must process personal data to protect the vital interests of the person involved or of another person;
  • you must process personal data because you are performing a task in the public interest or with public authority;
  • you have a legitimate interest in processing personal data and this interest outweighs the interest of the data subject.

The above only applies for the specified duration and for the specific purpose for which you collected the data. Please note that the data subject’s consent may also be withdrawn by him or her. The data subjects also have a right to access, erase or rectify their data.

GDPR and research

During your research you will always have to ask yourself the following questions if you process or want to process personal data:

  • Are you using the personal data solely for the purpose of your research?
  • Do you have a legal basis to process the personal data?
  • Are you only using the data required to achieve the stated purpose?
  • Did you inform the data subjects in advance about the purpose of the data processing?
  • Have you secured the personal data properly and considered how you will store the data, send it (digitally), etc.?
  • Are the personal data you are using still accurate?
  • Do you really need the data after a certain period? If not, delete the data.

Privacy by Design and Privacy by Default

The research plan must clearly describe how you will guarantee data protection and whether the correct technical and organisational (security) measures have been taken at every step in the research process. The principle of data minimisation may help with this: do not collect (sensitive) data that is not really needed for the research.

Data Protection Impact Assessment (DPIA)

The DPIA is a risk assessment that should be carried out before processing personal data. The DPIA indicates the risks in relation to dealing with personal data in research in a structured way. A DPIA must be performed if large scale personal data is processed or will be systematically evaluated. If in doubt, ask the Data Protection Officer (DPO) or privacy contact person (PCP) at your institution whether a DPIA is required.

Questions? get in touch with your Copyright Information Point (AIP)

Do you have further questions about this quick reference guide? Please contact one of the members of staff at the Copyright Information Point (AIP) of your institution.

Download deze vuistregels in PDF
Vuistregels AVG
Download Dutch, File extension: PDF (File size: 108 KB)
Download this quick reference guide in PDF
Quick reference guide on the GDPR
Download English, File extension: PDF (File size: 86 KB)