Privacy is not a trivial matter, it is a fundamental right. In a data-driven society, the protection of personal data is a top priority for educational institutes. As such, the protection of your personal data is of paramount importance to us. You can rest assured that your personal data are in good hands.

You should know which personal data we collect on you and what we do with these data. And you must be able to access them quickly and easily. This privacy statement serves to inform you what we do with your data.

Who are we?

We are Stichting NHL Stenden Hogeschool. Here you can read who is the chair of our Executive Board. We are located at Rengerslaan 10 in Leeuwarden, the Netherlands. We are registered with the Chamber of Commerce under number 41002686.


+31 58 2441 441

Data Protection Officer

If you have any questions or complaints about the way in which NHL Stenden University of Applied Sciences handles your personal data, you can email or call our Data Protection Officer.


If, after reading this document and a conversation with the Data Protection Officer, you still have complaints about how NHL Stenden University of Applied Sciences handles your privacy, you can file a complaint with the Dutch Data Protection Authority .

Click here to go to the answer to your question


Why this privacy statement?

We are responsible for processing your personal data. In this privacy statement, we inform you how we handle your personal data, what your rights are, and what you should know about your privacy. These basic principles apply to everyone who contacts us: students, prospective students, alumni, salaried staff, unsalaried staff, external relations and research subjects.

We may occasionally update this privacy statement. You can always find the most recent version on this website. In the event of significant changes to our privacy statement, we will at least inform students and staff directly.

Whose personal data do we record?

NHL Stenden processes personal data about the groups listed below. Which personal data we process for each group, why we process data and what we do with them is described for each group in a data register with explanatory notes.

  • Students
  • Course participants
  • Leads (prospective students)
  • Alumni (former students)
  • Salaried staff
  • Unsalaried staff
  • External relations
  • Research subjects

More information

Why do we process your personal data?

Personal data may only be processed if there is a clear purpose for doing so. These purposes are specified for each group in the data registers. In general, these purposes are related to the fact that we are an educational institute. Education and research are made possible by staff with whom we have an employment contract. Before students start studying at our institute, we would like to inform them and help them with their study choice. After graduation, we would like to stay in touch with them, because they are our ambassadors. Schools hold a central role in society. That is why we also process data on external relations, such as internship companies, umbrella organisations or members of advisory councils.

Is this legal?

We process your personal data on the basis of a number of legal grounds. Sometimes because you have given us your consent, but more often because we are required to do so by law (such as the Higher Education and Research Act) or because we have an educational or other agreement with you. We also often use the legal ground ‘legitimate interest’: processing of your personal data is necessary to fulfil our role in 2020, which overrides the limited breach of your privacy. This always concerns actions you can reasonably expect from an educational institute like ours, such as the digital distribution of recorded lectures via our own internet channels, or passing on email addresses for a student or staff satisfaction survey. Wherever we rely on the legal ground ‘legitimate interest’ you can, if you have good reasons to do so, object to the processing of your personal data. If it concerns mailings that we send to you based on our legitimate interest, you can always simply unsubscribe.

How do we receive your data?

In the majority of cases, we have received the data directly from you because you completed a form with a request for information, because you registered for a study programme, because you started working for us, because you gave us your details when you joined an advisory council, or because you participated in a study by one of our professors or lecturer-researchers.

Students send us registration details via Studielink. These are personal data as they are included in the Dutch population register (Basisregistratie personen) and completed preliminary education data as they appear in the key register of educational institutes (Basisregistratie onderwijs) at DUO. Read more here .

What do we use your personal data for?

We use your personal data for the purposes described in the data registers for each target group We will never sell your personal data and never disclose them to third parties in any other way, except when we are obliged to do so by law and in the exceptional cases listed in the data registers.

Your email address can be used to approach you for studies (such as satisfaction surveys) or to send information that we consider important for you (such as an educational offer). If you do not want this, you can simply unsubscribe. Otherwise, you can always exercise your right to object.

Your data can be used for research purposes. This can include applied scientific research or research that provides information necessary for improving the institute’s operational management.

With which other parties do we work and why?

NHL Stenden also engages third parties to process personal data. These are known as processors. Most processors are cloud providers. In the data registers for each target group, you can find more information on which processors do what for which target group. As stipulated in the GDPR, NHL Stenden enters into processing agreements with these processors. For these agreements, we use the model designed by SURF for higher education These are our most important processors.

Which party?

Which service?

For which groups?


Student information system

Students, course participants

YouForce Visma Raet

Staff information system

Staff members

Microsoft Dynamics

Customer Relations Management

Students, course participants, staff, alumni, external relations


Office365 and Azure Active Directory, among others

Students, course participants, staff members


Library service

Students, course participants, staff members


Filing system

Students, course participants, staff members, external parties


Electronic learning environment

Students, staff members, course participants


Financial package

Students, course participants, external parties, staff members


Extended Single Sign On*

Students, course participants, staff members

Real Open IT

Identity Management System

Staff members, students, course participants


Schedule programme

Students, course participants, staff members

*Extended Single Sign On: a secure service that allows you to log in only once (per session) to your NHL Stenden account and then use a large number of external services purchased via SURF.

NHL Stenden also uses the services of Microsoft and Google.

To which parties do we pass on your data?

To whom?

Based on what?

What (for example*)?

Our international sites

European model contracts as referred to in Article 46, paragraph 2 under c of the GDPR

Registration data, medical information on Grand Tour™ students


Processing agreement <link>

Is specified in the appendix to the processing agreements

Internship organisations

Internship agreement

Student and supervisor contact information

Satisfaction surveys

Legitimate interest

Email accounts and a set of key data on the study programme completed (students) or organisational unit (staff)

Tax authorities

Legal obligation

Of staff members: contact details, staff number, nationality and place of birth, financial data, citizen service number (BSN)


Legal obligation

Of students: registration and graduation data

Online advertising companies

Legitimate interest

Clicking behaviour of visitors to websites

Supplying educational institutions


Contact details, study programme, study results


Legal obligation

Access to almost anything

Community Health Service (GGD)


Contact details, nationality, place of birth, medical information

Evaluating authorities

Legal obligation

Education data of students, education and experience of staff

Government authorities, such as the Education Inspectorate and the Netherlands Court of Audit

Legal obligation

Education data of students

*Please note that these are only examples. The data registers are leading and complete.

NHL Stenden offers some study programmes together with other universities of applied sciences or universities. This is usually based on a common scheme, article 8.1 WHW. In that case, the personal data of the students involved are also processed by the university of applied sciences or university with which we work, under our joint responsibility.

In very special cases (life or death emergencies), NHL Stenden will provide personal data of students or staff to third parties if this is necessary to protect their vital interests, for example in the event of a serious illness, accident, mental disorder, missing person, or threat.

NHL Stenden only provides information about students aged sixteen or older to parents or guardians after permission from the student.

How long do we use and retain your personal data?

We do not retain your personal data any longer than necessary. For leads (prospective students), the retention term is up to four years. For data on students, course participants and staff, the retention term is determined by statutory provisions, as presented in the Selection List for Universities of Applied Sciences. For alumni and external relations, the data as included in the data registers are kept as long as the institute considers this useful or until the data subjects indicate they no longer appreciate contact. Rough research data are retained for ten years. This term may be extended once by another ten years.

For data that can no longer be traced back to persons (such as student numbers per study programme), no destruction periods apply.

See the Selection List for Universities of Applied Sciences for more details.

How safe are your personal data with us?

NHL Stenden has taken technical and organisational measures to properly protect your data.

Only staff that need your data for their work have access to those data.

NHL Stenden has a procedure for reporting and handling data breaches.

How do we secure your personal data?

NHL Stenden has taken appropriate technical and organisational measures to protect your data.

We have taken the following technical measures:

  • We keep the equipment we use up to date;
  • We encrypt our hard drives;
  • Firewall;
  • Virus scanners;
  • End-Point security (NHL Stenden ensures that the central security software is also active on the desktop computers or your school laptop or smartphone);
  • Domain Name Server protection (prevents our network from being hacked or infected);
  • Back-ups for restoring data in the event of physical or technical incidents.
  • Logging and monitoring (logging helps us keep track of who has been in which system and when; by actively monitoring this as well, we can limit the consequences of data breaches and prevent abuse of our network and data)
  • Multi-factor authentication for access by administrators (in addition to your password, you must also enter a second code, as with online banking).

We have taken the following organisational measures:

  • Mandatory use of username and password on all our systems;
  • Information to staff members and students about the importance of protecting personal data;
  • VPN access for use in public spaces (with a Virtual Private Network on you smartphone or via SURF, you are no longer dependent on unsafe public WiFi networks of, for example, McDonald’s or on trains)
  • Use of SURFconext for cloud services. This is a secure service that allows you to log in only once (per session) to your NHL Stenden account and then use a large number of external services purchased via SURF.

What are your rights?

The GDPR gives you a number of rights. If you want to exercise any of these rights, click here and fill in the form. Your request will be answered within a week and - if possible - handled within a month.

Apart from the right to information, the right to access and (sometimes) the ‘right to be forgotten’, you also have a number of other rights. Would you like to know more? Click here.

Right to information. You have the right to know which data about you are processed for which purpose and in which way. NHL Stenden has drawn up a data register for every target group that includes that information. You can find the data registers here. This privacy statement outlines how we handle your personal data.

Right to access your personal data. This starts with the data registers. Often, access is automatic. In the student tracking system (Progress) or the staff information system (Youforce), you can check which personal data about you are retained. But you can also request access to your student file, and external relations can request access to their data in the CRM system. If you do not have direct access to the data yourself, you are entitled to a copy of those data.

Right to rectify your personal data If the personal data that NHL Stenden processes are incorrect, you have the right to have them rectified. For instance if your name is misspelt or because your name has changed after marriage or divorce. Incidentally, diplomas always state female students’ maiden names.

Right to erase your personal data If your data are no longer necessary for the purpose for which they were collected, you have the right to have these data erased. For example, if there is still information about you on the intranet or internet sites of NHL Stenden after you have graduated, we are obliged to delete this information if you ask us to do so. Or if you have given consent to use your photograph on one of our websites but want to retract this (i.e. withdraw your consent), we are obliged to remove your photograph.

Right to data portability. This means that, in certain situations, you can have the data NHL Stenden has on you transferred to, for example, another university of applied sciences. But this is only possible if you give your explicit consent for processing of these data or if there is an agreement.

Right to restriction. In some cases, you can temporarily lock the processing of your personal data. For instance, if you do not want the institute to pass on your contact details for a satisfaction survey. Or if you object to your photograph on a Facebook page of an NHL Stenden study programme.

Right to object. In many cases, NHL Stenden processes your data because it is essential to be able to function properly as an educational institute. Where NHL Stenden relies on this ‘legitimate interest’, you have a right to object, if you have good reasons to do so. Objections to direct marketing actions are always honoured. And if you object to the use of visual material by NHL Stenden on which you are recognisable, we will also remove your image or render it unidentifiable.

Right to waive application of automated decision-making. Decisions about you must be made by people, not by machines. The law refers to the ever advancing algorithms (complex computer decision-making models). NHL Stenden never uses these. If you have any doubts concerning this topic, please contact the Data Protection Officer.

What happens if there is a data breach?

To err is human, and not all systems turn out to be entirely secure. But if a security breach is discovered or if personal information comes to the attention of someone who should not be able to see it (or worse: becomes public knowledge), such a data breach must be reported immediately. This is stipulated in the GDPR. Any suspicion of a data breach in which NHL Stenden is involved can be reported to the designated contact point. Our specialists then investigate whether there actually is a data breach, whether it is serious enough to report to the Dutch Data Protection Authority, and whether the parties whose data have been breached should also be informed.

You can report data breaches here.

Why do we use cookies?

We use cookies on our website. A cookie is a small text file that your browser stores on your hard drive and that sends information from your device to our servers and - in case of tracking cookies - to Google and Facebook, for example.

We use cookies for multiple purposes.

  1. Functional cookies, which are technically necessary to optimise your website experience. These cookies cannot be disabled.
  2. Statistical cookies. Read here what these cookies do. These cookies cannot be disabled.
    The statistical data are stored anonymously (part of the IP address is deleted). These data can, therefore, not be traced back to specific persons. Numbers and categories of visitors are analysed, but never individuals. We are not able to analyse individuals and do not wish to be able to do so.

    Google Analytics
    We use Google Analytics to keep track of how visitors use the website and how effective our marketing campaigns are. Google stores the resulting information, including your computer’s (anonymised) IP address, on servers in anonymised form.

  3. Cookies for personal preferences and advertisements (tracking cookies). These cookies can be disabled if you want. Read here what these cookies do.

    We use these cookies to remember your settings and preferences. This enables us to more effectively match advertisements and banners to your preferences.

    Advertising programmes and Social Media
    We use advertising programmes of Google (Google AdWords and DoubleClick), Twitter, Facebook, LinkedIn, Instagram and AdRoll.

    Via these advertising programmes, places advertising cookies with which visitor information, such as pages viewed, becomes visible to the parties concerned on an anonymous basis.

    We do this using the tracking cookies referred to above or through your email address if you have provided that, for instance on our website. Email address matching requires your consent, which, under the GDPR, you can also withdraw again.

    Google, Twitter, Facebook and AdRoll use these cookies to check whether you have seen or clicked on an advertisement from these platforms before.

    Moreover, the visitor information collected is used to approach visitors to again by means of personalised advertisements.

    Google, Twitter, Facebook and AdRoll may provide this information to third parties if they have the statutory obligation to do so. NHL Stenden cannot influence this.

    More information

    All methods we use to serve our customers more effectively are described in our Privacy Statement and our Cookie Statement. If you prefer that we do not use personal information to send messages, you can exercise your right to object.