If, after reading this document and a conversation with the Data Protection Officer, you still have complaints about how NHL Stenden University of Applied Sciences handles your privacy, you can file a complaint with the Dutch Data Protection Authority .
Click here to go to the answer to your question
We are responsible for processing your personal data. In this privacy statement, we inform you how we handle your personal data, what your rights are, and what you should know about your privacy. These basic principles apply to everyone who contacts us: students, prospective students, course participants, alumni, salaried staff, unsalaried staff, external relations and research subjects.
We may occasionally update this privacy statement. You can always find the most recent version on this website. In the event of significant changes to our privacy statement, we will at least inform students and staff directly.
NHL Stenden processes personal data about the groups listed below. Which personal data we process for each group, why we process data and what we do with them is described for each group in a data register with explanatory notes.
- Students
- Course participants
- Leads (prospective students)
- Alumni (former students)
- Salaried staff
- Unsalaried staff
- External relations
- Research subjects
More information
Personal data may only be processed if there is a clear purpose for doing so. These purposes are specified for each group in the data registers. In general, these purposes are related to the fact that we are an educational institute. Education and research are made possible by staff with whom we have an employment contract. Before students start studying at our institute, we would like to inform them and help them with their study choice. After graduation, we would like to stay in touch with them, because they are our ambassadors. Schools hold a central role in society. That is why we also process data on external relations, such as internship companies, umbrella organisations or members of advisory councils.
We process your personal data on the basis of a number of legal grounds. Sometimes because you have given us your consent, but more often because we are required to do so by law (such as the Higher Education and Research Act) or because we have an educational or other agreement with you. We also often use the legal ground ‘legitimate interest’: processing of your personal data is necessary to fulfil our role in 2023, which overrides the limited breach of your privacy. This always concerns actions you can reasonably expect from an educational institute like ours, such as the digital distribution of recorded lectures via our own internet channels, or passing on email addresses for a student or staff satisfaction survey. Wherever we rely on the legal ground ‘legitimate interest’ you can, if you have good reasons to do so, object to the processing of your personal data. If it concerns mailings that we send to you based on our legitimate interest, you can always easily unsubscribe.
In the majority of cases, we have received the data directly from you because you completed a form with a request for information, because you registered for a study programme, because you started working for us, because you gave us your details when you joined an advisory council, or because you participated in a study by one of our professors or lecturer-researchers.
Students send us registration details via Studielink. These are personal data as they are included in the Dutch population register (Basisregistratie personen) and completed preliminary education data as they appear in the key register of educational institutes (Basisregistratie onderwijs) at DUO. Read more here.
We use your personal data for the purposes described in the data registers for each target group We will never sell your personal data and never disclose them to third parties in any other way, except when we are obliged to do so by law and in the exceptional cases listed in the data registers.
Your email address can be used to approach you for studies (such as satisfaction surveys) or to send information that we consider important for you (such as an educational offer). We do this through email or social media. If you do not want this, you can simply unsubscribe. Otherwise, you can always exercise your right to object.
Your data can be used for research purposes. This can include applied scientific research or research that provides information necessary for improving the institute’s operational management.
NHL Stenden also engages third parties to process personal data. These are known as processors. Most processors are cloud providers. In the data registers for each target group, you can find more information on which processors do what for which target group. As stipulated in the GDPR, NHL Stenden enters into processing agreements with these processors. For these agreements, we use the model designed by SURF for higher education These are our most important processors.
Which party? | Which service? | For which groups? |
Progress | Student information system | Students, course participants |
YouForce Visma Raet | Staff information system | Staff members |
Microsoft Dynamics | Customer Relations Management | Students, course participants, staff, alumni, external relations |
Microsoft | Office365 and Azure Active Directory, among others | Students, course participants, staff members |
OCLC | Library service | Students, course participants, staff members |
Decos | Filing system | Students, course participants, staff members, external parties |
Blackboard | Electronic learning environment | Students, staff members, course participants |
Afas | Financial package | Students, course participants, external parties, staff members |
SURFconext | Extended Single Sign On* | Students, course participants, staff members |
Real Open IT | Identity Management System | Staff members, students, course participants |
Xedule | Schedule programme | Students, course participants, staff members |
*Extended Single Sign On: a secure service that allows you to log in only once (per session) to your NHL Stenden account and then use a large number of external services purchased via SURF.
NHL Stenden also uses the services of Microsoft.
To whom? | Based on what? | What (for example*)? |
Our international sites | European model contracts as referred to in Article 46, paragraph 2 under c of the GDPR | Registration data, medical information on Grand Tour™ students |
Processors | Processing agreement | Is specified in the appendix to the processing agreements |
Internship organisations | Internship agreement | Student and supervisor contact information |
Satisfaction surveys | Legitimate interest | Email accounts and a set of key data on the study programme completed (students) or organisational unit (staff) |
Tax authorities | Legal obligation | Of staff members: contact details, staff number, nationality and place of birth, financial data, citizen service number (BSN) |
DUO | Legal obligation | Of students: registration and graduation data |
Online advertising companies | Legitimate interest | Clicking behaviour of visitors to websites |
Supplying educational institutions | Agreement | Contact details, study programme, study results |
Accountants | Legal obligation | Access to almost anything |
Community Health Service (GGD) | Agreement | Contact details, nationality, place of birth, medical information |
Evaluating authorities | Legal obligation | Education data of students, education and experience of staff |
Government authorities, such as the Education Inspectorate and the Netherlands Court of Audit | Legal obligation | Education data of students |
*Please note that these are only examples. The data registers are leading and complete.
NHL Stenden offers some study programmes together with other universities of applied sciences or universities. This is usually based on a common scheme, article 8.1 WHW. In that case, the personal data of the students involved are also processed by the university of applied sciences or university with which we work, under our joint responsibility.
In very special cases (life or death emergencies), NHL Stenden will provide personal data of students or staff to third parties if this is necessary to protect their vital interests, for example in the event of a serious illness, accident, mental disorder, missing person, or threat.
NHL Stenden only provides information about students aged sixteen or older to parents or guardians after permission from the student.
We do not retain your personal data any longer than necessary. For leads (prospective students), the retention term is up to four years. For data on students, course participants and staff, the retention term is determined by statutory provisions, as presented in the Selection List for Universities of Applied Sciences. For alumni and external relations, the data as included in the data registers are kept as long as the institute considers this useful or until the data subjects indicate they no longer appreciate contact. Rough research data are retained for ten years. This term may be extended once by another ten years.
For data that can no longer be traced back to persons (such as student numbers per study programme), no destruction periods apply.
See the Selection List for Universities of Applied Sciences for more details.
NHL Stenden has taken technical and organisational measures to properly protect your data.
Only staff that need your data for their work have access to those data.
NHL Stenden has a procedure for reporting and handling data breaches.
NHL Stenden has taken appropriate technical and organisational measures to protect your data.
We have taken the following technical measures:
- We keep the equipment we use up to date;
- We encrypt our hard drives;
- Firewall;
- Virus scanners;
- End-Point security (NHL Stenden ensures that the central security software is also active on the desktop computers or your school laptop or smartphone);
- Domain Name Server protection (prevents our network from being hacked or infected);
- Back-ups for restoring data in the event of physical or technical incidents.
- Logging and monitoring (logging helps us keep track of who has been in which system and when; by actively monitoring this as well, we can limit the consequences of data breaches and prevent abuse of our network and data)
- Multi-factor authentication for access by administrators (in addition to your password, you must also enter a second code, as with online banking).
We have taken the following organisational measures:
- Mandatory use of username and password on all our systems;
- Information to staff members and students about the importance of protecting personal data;
- VPN access for use in public spaces (with a Virtual Private Network on you smartphone or via SURF, you are no longer dependent on unsafe public WiFi networks of, for example, McDonald’s or on trains)
- Use of SURFconext for cloud services. This is a secure service that allows you to log in only once (per session) to your NHL Stenden account and then use a large number of external services purchased via SURF.
- 24 hour Security Operations Center, where all unusual data traffic is analysed and potentially blocked.
The GDPR gives you a number of rights. These rights are detailed below. If you want to exercise any of these rights, click here and fill in the form. Your request will be answered within a week and - if possible - handled within a month.
If you prefer to submit your request in writing, you can. Send a letter to:
NHL Stenden University of Applied Sciences
Attn: Ex. Concern Staff, team Privacy & Security,
P.O. Box 1080
8900 CB Leeuwarden
Include at least the following:
- Your name and relationship with NHL Stenden;
- Which right you want to exercise;
- Your contact information.
Furthermore, the following information may help us to process your request smoothly:
- What you want to achieve by exercising your rights;
- Your email address and/or telephone number;
- Your preferred method of contact.
After you make a request to exercise one of your rights, we need to verify your identity. How we do this depends on your relationship with NHL Stenden, as this affects the types and amount of personal data we process about you. As soon as we have received your request, we will make a proposal to do so via the contact method you have expressed a preference for, or if you have not done so via the same way you made the request.
Right to information. You have the right to know which data about you are processed for which purpose and in which way. NHL Stenden has drawn up a data register for every target group that includes that information. You can find the data registers here. This privacy statement outlines how we handle your personal data.
Right to access your personal data. This starts with the data registers. Often, access is automatic. In the student tracking system (Progress), YOS (Your Own Space) or the staff information system (Youforce), you can check which personal data about you are retained. But you can also request access to your student file, and external relations can request access to their data in the CRM system. If you do not have direct access to the data yourself, you are entitled to a copy of those data.
Right to rectify your personal data If the personal data that NHL Stenden processes are incorrect, you have the right to have them rectified. For instance if your name is misspelt or because your name has changed after marriage or divorce. Incidentally, diplomas always state official names, as listed in your passport.
Right to erase your personal data If your data are no longer necessary for the purpose for which they were collected, you have the right to have these data erased. For example, if there is still information about you on the intranet or internet sites of NHL Stenden after you have graduated, we are obliged to delete this information if you ask us to do so. Or if you have given consent to use your photograph on one of our websites but want to retract this (i.e. withdraw your consent), we are obliged to remove your photograph.
Right to data portability. This means that, in certain situations, you can have the data NHL Stenden has on you transferred to, for example, another university of applied sciences. But this is only possible if you give your explicit consent for processing of these data or if there is an agreement.
Right to restriction. In some cases, you can temporarily lock the processing of your personal data. For instance, if you do not want the institute to pass on your contact details for a satisfaction survey. Or if you object to your photograph on a Social Media page of an NHL Stenden study programme.
Right to object. In many cases, NHL Stenden processes your data because it is essential to be able to function properly as an educational institute. Where NHL Stenden relies on this ‘legitimate interest’, you have a right to object, if you have good reasons to do so. Objections to direct marketing actions are always honoured. And if you object to the use of visual material by NHL Stenden on which you are recognisable, we will also remove your image or render it unidentifiable.
Right to waive application of automated decision-making. Decisions about you must be made by people, not by machines. The law refers to the ever advancing algorithms (complex computer decision-making models). NHL Stenden never uses these. If you have any doubts concerning this topic, please contact the Data Protection Officer.
To err is human, and not all systems turn out to be entirely secure. But if a security breach is discovered or if personal information comes to the attention of someone who should not be able to see it (or worse: becomes public knowledge), such a data breach must be reported immediately. This is stipulated in the GDPR. Any suspicion of a data breach in which NHL Stenden is involved can be reported to the designated contact point. Our specialists then investigate whether there actually is a data breach, whether it is serious enough to report to the Dutch Data Protection Authority, and whether the parties whose data have been breached should also be informed.
You can report data breaches here.
We use cookies on our website. A cookie is a small text file that your browser stores on your hard drive and that sends information from your device to our servers and - in case of tracking cookies - to Google and Meta, for example.
We use cookies for multiple purposes.
- Functional cookies, which are technically necessary to optimise your website experience. These cookies cannot be disabled.
Statistical cookies. These cookies cannot be disabled.
The statistical data are stored anonymously (part of the IP address is deleted). These data can, therefore, not be traced back to specific persons. Numbers and categories of visitors are analysed, but never individuals. We are not able to analyse individuals and do not wish to be able to do so.
Google Analytics and Microsoft Clarity
We use Google Analytics and Micorsoft Clarity to keep track of how visitors use the website and how effective our marketing campaigns are. Google and Microsoft stores the resulting information on servers in anonymised form.
Cookies for personal preferences and advertisements (tracking cookies). These cookies can be disabled if you want.
We use these cookies to remember your settings and preferences. This enables us to more effectively match advertisements and banners to your preferences.
Advertising programmes and Social Media
We use advertising programmes of Google (Google AdWords and DoubleClick), X, Meta (Facebook and Instagram), LinkedIn and NextRoll.
Via these advertising programmes, nhlstenden.com places advertising cookies with which visitor information, such as pages viewed, becomes visible to the parties concerned on an anonymous basis.
We do this using the tracking cookies referred to above or through your email address if you have provided that, for instance on our website. Email address matching requires your consent, which, under the GDPR, you can also withdraw again.
Google, X, Meta and NextRoll use these cookies to check whether you have seen or clicked on an advertisement from these platforms before.
Moreover, the visitor information collected is used to approach visitors to nhlstenden.com again by means of personalised advertisements.
Google, X, Meta and NextRoll may provide this information to third parties if they have the statutory obligation to do so. NHL Stenden cannot influence this.
More information
- Google Privacy Policy
- Meta Privacy Policy
- X Privacy Policy
- NextRoll Privacy Policy
All methods we use to serve our customers more effectively are described in our Privacy Statement. If you prefer that we do not use personal information to send messages, you can withdraw your consent here.