Privacy is not a trivial matter, it is a fundamental right. In a data-driven society, the protection of personal data is a top priority for educational institutes. As such, the protection of your personal data is of paramount importance to us. You can rest assured that your personal data are in good hands.

You should know which personal data we collect and what we do with these data. And you must be able to access them quickly and easily. This privacy statement serves to inform you what we do with your data.

Who are we?

We are Stichting NHL Stenden Hogeschool. Here you can read who is the chair of our Executive Board. We are located at Rengerslaan 10 in Leeuwarden, the Netherlands. We are registered with the Chamber of Commerce under number 41002686.


+31 58 2441 441

Data Protection Officer

If you have any questions or complaints about the way in which NHL Stenden University of Applied Sciences handles your personal data, you can email or call our Data Protection Officer.


If, after reading this document and a conversation with the Data Protection Officer, you still have complaints about how NHL Stenden University of Applied Sciences handles your privacy, you can file a complaint with the Dutch Data Protection Authority .

Click here to go to the answer to your question


Why this privacy statement?

We are responsible for processing your personal data. In this privacy statement, we inform you how we handle your personal data, what your rights are, and what you should know about your privacy. These basic principles apply to everyone who contacts us: students, prospective students, course participants, alumni, salaried staff, unsalaried staff, external relations and research subjects.

We may occasionally update this privacy statement. You can always find the most recent version on this website. In the event of significant changes to our privacy statement, we will at least inform students and staff directly.

Whose personal data do we record?

NHL Stenden processes personal data about the groups listed below. Which personal data we process for each group, why we process data and what we do with them is described for each group in a data register with explanatory notes.

  • Students
  • Course participants
  • Leads (prospective students)
  • Alumni (former students)
  • Salaried staff
  • Unsalaried staff
  • External relations
  • Research subjects

More information

Why do we process your personal data?

Personal data may only be processed if there is a clear purpose for doing so. These purposes are specified for each group in the data registers. In general, these purposes are related to the fact that we are an educational institute. Education and research are made possible by staff with whom we have an employment contract. Before students start studying at our institute, we would like to inform them and help them with their study choice. After graduation, we would like to stay in touch with them, because they are our ambassadors. Schools hold a central role in society. That is why we also process data on external relations, such as internship companies, umbrella organisations or members of advisory councils.

Is this legal?

We process your personal data on the basis of a number of legal grounds. Sometimes because you have given us your consent, but more often because we are required to do so by law (such as the Higher Education and Research Act) or because we have an educational or other agreement with you. We also often use the legal ground ‘legitimate interest’: processing of your personal data is necessary to fulfil our role in 2023, which overrides the limited breach of your privacy. This always concerns actions you can reasonably expect from an educational institute like ours, such as the digital distribution of recorded lectures via our own internet channels, or passing on email addresses for a student or staff satisfaction survey. Wherever we rely on the legal ground ‘legitimate interest’ you can, if you have good reasons to do so, object to the processing of your personal data. If it concerns mailings that we send to you based on our legitimate interest, you can always easily unsubscribe.

How do we receive your data?

In the majority of cases, we have received the data directly from you because you completed a form with a request for information, because you registered for a study programme, because you started working for us, because you gave us your details when you joined an advisory council, or because you participated in a study by one of our professors or lecturer-researchers.

Students send us registration details via Studielink. These are personal data as they are included in the Dutch population register (Basisregistratie personen) and completed preliminary education data as they appear in the key register of educational institutes (Basisregistratie onderwijs) at DUO. Read more here.

What do we use your personal data for?

We use your personal data for the purposes described in the data registers for each target group We will never sell your personal data and never disclose them to third parties in any other way, except when we are obliged to do so by law and in the exceptional cases listed in the data registers.

Your email address can be used to approach you for studies (such as satisfaction surveys) or to send information that we consider important for you (such as an educational offer). We do this through email or social media. If you do not want this, you can simply unsubscribe. Otherwise, you can always exercise your right to object.

Your data can be used for research purposes. This can include applied scientific research or research that provides information necessary for improving the institute’s operational management.

With which other parties do we work and why?

NHL Stenden also engages third parties to process personal data. These are known as processors. Most processors are cloud providers. In the data registers for each target group, you can find more information on which processors do what for which target group. As stipulated in the GDPR, NHL Stenden enters into processing agreements with these processors. For these agreements, we use the model designed by SURF for higher education These are our most important processors.

Which party?Which service?For which groups?
ProgressStudent information systemStudents, course participants
YouForce Visma RaetStaff information systemStaff members
Microsoft DynamicsCustomer Relations ManagementStudents, course participants, staff, alumni, external relations
MicrosoftOffice365 and Azure Active Directory, among othersStudents, course participants, staff members
OCLCLibrary serviceStudents, course participants, staff members
DecosFiling systemStudents, course participants, staff members, external parties
BlackboardElectronic learning environmentStudents, staff members, course participants
AfasFinancial packageStudents, course participants, external parties, staff members
SURFconextExtended Single Sign On*Students, course participants, staff members
Real Open ITIdentity Management SystemStaff members, students, course participants
XeduleSchedule programmeStudents, course participants, staff members

*Extended Single Sign On: a secure service that allows you to log in only once (per session) to your NHL Stenden account and then use a large number of external services purchased via SURF.

NHL Stenden also uses the services of Microsoft.

To which parties do we pass on your data?

To whom?Based on what?What (for example*)?
Our international sitesEuropean model contracts as referred to in Article 46, paragraph 2 under c of the GDPRRegistration data, medical information on Grand Tour™ students
ProcessorsProcessing agreementIs specified in the appendix to the processing agreements
Internship organisationsInternship agreementStudent and supervisor contact information
Satisfaction surveysLegitimate interestEmail accounts and a set of key data on the study programme completed (students) or organisational unit (staff)
Tax authoritiesLegal obligationOf staff members: contact details, staff number, nationality and place of birth, financial data, citizen service number (BSN)
DUOLegal obligationOf students: registration and graduation data
Online advertising companiesLegitimate interestClicking behaviour of visitors to websites
Supplying educational institutionsAgreementContact details, study programme, study results
AccountantsLegal obligationAccess to almost anything
Community Health Service (GGD)AgreementContact details, nationality, place of birth, medical information
Evaluating authoritiesLegal obligationEducation data of students, education and experience of staff
Government authorities, such as the Education Inspectorate and the Netherlands Court of AuditLegal obligationEducation data of students

*Please note that these are only examples. The data registers are leading and complete.

NHL Stenden offers some study programmes together with other universities of applied sciences or universities. This is usually based on a common scheme, article 8.1 WHW. In that case, the personal data of the students involved are also processed by the university of applied sciences or university with which we work, under our joint responsibility.

In very special cases (life or death emergencies), NHL Stenden will provide personal data of students or staff to third parties if this is necessary to protect their vital interests, for example in the event of a serious illness, accident, mental disorder, missing person, or threat.

NHL Stenden only provides information about students aged sixteen or older to parents or guardians after permission from the student.

How long do we use and retain your personal data?

We do not retain your personal data any longer than necessary. For leads (prospective students), the retention term is up to four years. For data on students, course participants and staff, the retention term is determined by statutory provisions, as presented in the Selection List for Universities of Applied Sciences. For alumni and external relations, the data as included in the data registers are kept as long as the institute considers this useful or until the data subjects indicate they no longer appreciate contact. Rough research data are retained for ten years. This term may be extended once by another ten years.

For data that can no longer be traced back to persons (such as student numbers per study programme), no destruction periods apply.

See the Selection List for Universities of Applied Sciences for more details.

How safe are your personal data with us?

NHL Stenden has taken technical and organisational measures to properly protect your data.

Only staff that need your data for their work have access to those data.

NHL Stenden has a procedure for reporting and handling data breaches.

How do we secure your personal data?

NHL Stenden has taken appropriate technical and organisational measures to protect your data.

We have taken the following technical measures:

  • We keep the equipment we use up to date;
  • We encrypt our hard drives;
  • Firewall;
  • Virus scanners;
  • End-Point security (NHL Stenden ensures that the central security software is also active on the desktop computers or your school laptop or smartphone);
  • Domain Name Server protection (prevents our network from being hacked or infected);
  • Back-ups for restoring data in the event of physical or technical incidents.
  • Logging and monitoring (logging helps us keep track of who has been in which system and when; by actively monitoring this as well, we can limit the consequences of data breaches and prevent abuse of our network and data)
  • Multi-factor authentication for access by administrators (in addition to your password, you must also enter a second code, as with online banking).

We have taken the following organisational measures:

  • Mandatory use of username and password on all our systems;
  • Information to staff members and students about the importance of protecting personal data;
  • VPN access for use in public spaces (with a Virtual Private Network on you smartphone or via SURF, you are no longer dependent on unsafe public WiFi networks of, for example, McDonald’s or on trains)
  • Use of SURFconext for cloud services. This is a secure service that allows you to log in only once (per session) to your NHL Stenden account and then use a large number of external services purchased via SURF.
  • 24 hour Security Operations Center, where all unusual data traffic is analysed and potentially blocked.

What are your rights?

The GDPR gives you a number of rights. If you want to exercise any of these rights, click here and fill in the form. Your request will be answered within a week and - if possible - handled within a month.

Right to information. You have the right to know which data about you are processed for which purpose and in which way. NHL Stenden has drawn up a data register for every target group that includes that information. You can find the data registers here. This privacy statement outlines how we handle your personal data.

Right to access your personal data. This starts with the data registers. Often, access is automatic. In the student tracking system (Progress), YOS (Your Own Space) or the staff information system (Youforce), you can check which personal data about you are retained. But you can also request access to your student file, and external relations can request access to their data in the CRM system. If you do not have direct access to the data yourself, you are entitled to a copy of those data.

Right to rectify your personal data If the personal data that NHL Stenden processes are incorrect, you have the right to have them rectified. For instance if your name is misspelt or because your name has changed after marriage or divorce. Incidentally, diplomas always state official names, as listed in your passport.

Right to erase your personal data If your data are no longer necessary for the purpose for which they were collected, you have the right to have these data erased. For example, if there is still information about you on the intranet or internet sites of NHL Stenden after you have graduated, we are obliged to delete this information if you ask us to do so. Or if you have given consent to use your photograph on one of our websites but want to retract this (i.e. withdraw your consent), we are obliged to remove your photograph.

Right to data portability. This means that, in certain situations, you can have the data NHL Stenden has on you transferred to, for example, another university of applied sciences. But this is only possible if you give your explicit consent for processing of these data or if there is an agreement.

Right to restriction. In some cases, you can temporarily lock the processing of your personal data. For instance, if you do not want the institute to pass on your contact details for a satisfaction survey. Or if you object to your photograph on a Social Media page of an NHL Stenden study programme.

Right to object. In many cases, NHL Stenden processes your data because it is essential to be able to function properly as an educational institute. Where NHL Stenden relies on this ‘legitimate interest’, you have a right to object, if you have good reasons to do so. Objections to direct marketing actions are always honoured. And if you object to the use of visual material by NHL Stenden on which you are recognisable, we will also remove your image or render it unidentifiable.

Right to waive application of automated decision-making. Decisions about you must be made by people, not by machines. The law refers to the ever advancing algorithms (complex computer decision-making models). NHL Stenden never uses these. If you have any doubts concerning this topic, please contact the Data Protection Officer.

What happens if there is a data breach?

To err is human, and not all systems turn out to be entirely secure. But if a security breach is discovered or if personal information comes to the attention of someone who should not be able to see it (or worse: becomes public knowledge), such a data breach must be reported immediately. This is stipulated in the GDPR. Any suspicion of a data breach in which NHL Stenden is involved can be reported to the designated contact point. Our specialists then investigate whether there actually is a data breach, whether it is serious enough to report to the Dutch Data Protection Authority, and whether the parties whose data have been breached should also be informed.

You can report data breaches here.

Why do we use cookies?

We use cookies on our website. A cookie is a small text file that your browser stores on your hard drive and that sends information from your device to our servers and - in case of tracking cookies - to Google and Meta, for example.

We use cookies for multiple purposes.

  1. Functional cookies, which are technically necessary to optimise your website experience. These cookies cannot be disabled.
  2. Statistical cookies. These cookies cannot be disabled.
    The statistical data are stored anonymously (part of the IP address is deleted). These data can, therefore, not be traced back to specific persons. Numbers and categories of visitors are analysed, but never individuals. We are not able to analyse individuals and do not wish to be able to do so.

    Google Analytics
    We use Google Analytics to keep track of how visitors use the website and how effective our marketing campaigns are. Google stores the resulting information, including your computer’s (anonymised) IP address, on servers in anonymised form.

  • Cookies for personal preferences and advertisements (tracking cookies). These cookies can be disabled if you want.

    We use these cookies to remember your settings and preferences. This enables us to more effectively match advertisements and banners to your preferences.

    Advertising programmes and Social Media
    We use advertising programmes of Google (Google AdWords and DoubleClick), X, Meta (Facebook and Instagram), LinkedIn and NextRoll.

    Via these advertising programmes, places advertising cookies with which visitor information, such as pages viewed, becomes visible to the parties concerned on an anonymous basis.

    We do this using the tracking cookies referred to above or through your email address if you have provided that, for instance on our website. Email address matching requires your consent, which, under the GDPR, you can also withdraw again.

    Google, X, Meta and NextRoll use these cookies to check whether you have seen or clicked on an advertisement from these platforms before.

    Moreover, the visitor information collected is used to approach visitors to again by means of personalised advertisements.

    Google, X, Meta and NextRoll may provide this information to third parties if they have the statutory obligation to do so. NHL Stenden cannot influence this.

    More information
  • Google Privacy Policy
  • Meta Privacy Policy
  • X Privacy Policy
  • NextRoll Privacy Policy

All methods we use to serve our customers more effectively are described in our Privacy Statement. If you prefer that we do not use personal information to send messages, you can withdraw your consent here