Privacy Statements
Privacy statement iBabs
15-05-2023
This privacy statement explains how your personal data is processed as part of the use of the application iBabs.
For what purposes will my personal data be processed?
The purpose of iBabs is to facilitate the meeting agenda of the board of Utrecht University and to help them to meet in a structured and efficient way. In addition to the ability to organize meetings more efficiently, it is important that the confidential documents discussed and shared during these meetings are adequately protected and that the measures taken comply with the security and data breach requirements prescribed in the GDPR.
What personal data is processed?
The following data is processed when using iBabs:
- Names;
- Identification numbers (SolisId);
- Email address;
- Log data;
- Agenda items;
- Agenda documents;
- Action items;
- Chairmanship;
- Metadata.
How long will this personal data be retained?
After 30 days of inactivity, a user’s account becomes inactive. All linked data remains available within the iBabs at that time. After 90 days of inactivity, the user account and the associated data will be removed from the iBabs environment.
Will my data be shared with third parties?
iBabs B.V. provides the iBabs service as a cloud service, so iBabs role is data processor on behalf of Utrecht University. A processing agreement has been concluded between Utrecht University and iBabs. iBabs B.V. uses CYSO Hosting B.V. as a hosting partner, CYSO Hosting B.V. acts as a sub-processor on behalf of iBabs B.V. The use of CYSO Hosting B.V. is included in the processing agreement between Utrecht University and iBabs.
Will my data be transferred to third countries?
No, there is no transfer of data to third countries outside the European Economic Area (EEA).
What is the legal basis for this data processing?
The legal basis for the processing of personal data via iBabs is legitimate interest. Legitimate interest requires a balancing test of the interests and necessity of the processing. These are further explained and weighed in the explanation below.
Utrecht University’s legitimate interest
It is in the interest of Utrecht University to provide its board with the means to effectively and efficiently conduct meetings. By using a meeting tool like iBabs, the agenda of the meeting as well as relevant documentation can be shared with the authorized participants of the meeting. It is also in the interest of the University to take adequate security measures to protect the collected (personal) data of its employees and to comply with the security and data breach requirements prescribed in the GDPR. Since the board of Utrecht University regularly works with confidential information and conducts meetings based on this information, the University needs the ability to access, discuss, and edit this information appropriately in preparation for, or during meetings.
Necessity
The assessment of the necessity of the processing consists of two principles: the principle of proportionality and the principle of subsidiarity. The principle of proportionality requires a balanced consideration of the interests of the data controller and the data subjects. The processing must be suitable and proportionate to the intended purpose of the processing and must not be excessive. If the purpose can be achieved with less data, the number of processed data should be reduced. For the principle of subsidiarity, the consideration must be made as to whether the purpose can reasonably be achieved with less invasive alternatives.
Proportionality
In relation to the legitimate interest of Utrecht University, there is the interest of the data subject. The interest of the data subject is to ensure their privacy interests are safeguarded and the processing of their personal data is limited to the necessary and lawful purpose. Where it is necessary to collect personal data, it is important for the data subject that this is done in a responsible manner.
Subsidiarity
iBabs is a mature product, the platform is suitable for much broader use within the organization. It is possible to set up an entire decision-making cycle in iBabs, as is often used in local governments (municipalities), for example, to bring decisions from the College of Mayor and Aldermen to the Committee, and then to the council meetings to structure the entire process. No significant (privacy) risks have been identified that would require Utrecht University to consider an alternative for the chosen agenda management tool.
Consideration
The University has a clear interest in the managed sharing of agendas for the purpose of meetings and (confidential) documents in preparation of meetings of the universities board. The principle of data minimization is complied with and the collected personal data of the data subjects are proportionate to the intended purpose. Considering the limited infringement, the relatively small group of data subjects, and the University’s interest in complying with the legal requirements regarding data protection, the interests of Utrecht University in using iBabs as an agenda management tool outweigh the (privacy) interests of the data subjects.
What rights do I have under the GDPR and how can I exercise them?
As a data subject, you have certain rights: The right of access, the right to rectification of personal data, the right to erasure, the right to restriction of processing and the right to object. If you want to make use of these rights, you can send your request to Privacy@uu.nl. It is possible that identity documents are requested during this procedure.
When you object, it will be examined on a case-by-case basis whether this objection can or must be met. Utrecht University will cease the processing of personal data unless urgent legitimate grounds are invoked that outweigh your interests, rights and freedoms.
Is there automated decisionmaking or profiling?
There is no automated decision-making. This means that decisions are never made without human intervention. There is also no profiling as part of this processing.
Questions
If you have any questions about this privacy statement, please contact privacy@uu.nl. Do you want to file a complaint? Then you can do so at the data protection officer of Utrecht University, which can be reached at fg@uu.nl. You are also always free to file a complaint with the Dutch Data Protection Authority, the privacy watchdog of the Netherlands.
