Privacy Statements
Privacy statement for central storage of data related to user experiences
Version 31-10-2024
This privacy statement is specifically intended for employees who use the UX (User Experience) repository and for participants in user experience-related research whose data are processed at Utrecht University (UU). A UX repository is a database where all files, designs, and documents for the user screen (UI) and user experience (UX) of a product or application are centrally stored. These include:
- Designs of screens and buttons;
- Research into user experiences or needs;
- Descriptions of how a user moves through the app;
- Style guidelines, such as colours and fonts.
The UU handles the personal data of everyone who works, studies or participates in research in a careful manner.
In this privacy statement, we inform you in general terms about the personal data we process, about the purposes for which we do so, about your privacy rights and about other matters that may be important to you.
For what purposes does UU process my personal data?
The personal data we collect from you are processed by UU for the following purposes:
To centralize user experience research data in one organized system. This contributes to improving and ensuring the quality, consistency and efficiency of the data. These can then be used as input for products, services, or programs.
What personal data does UU collect from me?
UU processes the following data about you as a participant in UX-related research:
- Research data, such as audio-visual recordings or pseudonymized survey results or interviews.
The UU processes the following data about you as a user (UU employee):
- Name details;
- SolisID;
- UU email address;
- Personal data as part of the log data.
The UU collects (personal) data directly from you, but in some cases, the UU also receives personal data from third parties. This will only be done to the extent that it is in accordance with the law or to the extent that you have given your consent.
Can the UU process my personal data?
The UU may only process your personal data if there is a legal basis for doing so under the law. The UU processes your personal data on the following legal basis or bases:
- The processing is necessary for the protection of the legitimate interests of the UU.
The processing of personal data for access to the system takes place on the basis of the legitimate interest of the UU. The UU must adequately protect the data for which it is responsible and therefore limits access to those who are authorized. For access to the system, only the personal data necessary to verify your identity and establish that you are authorized to access the system is processed.
- You have given your consent to this processing of your personal data.
You have consented to this processing of your personal data as a participant in a UX-related study or research. For example, if you participate in a study, you may be asked whether you give permission for the processing of your personal data.
How long does UU keep my personal data?
The UU stores your personal data in accordance with the GDPR. This means that the data will not be kept longer than is strictly necessary to achieve the purposes for which the data was collected.
- Name data: Up to 30 days after the account is deleted;
- SolisID: Up to 30 days after the account is deleted;
- UU email address: Up to 30 days after the account is deleted;
- Personal data as part of the log data: Up to 30 days after the account is deleted;
- Research data, such as audio-visual recordings or pseudonymized survey results or interviews: Audio-visual recordings will be deleted as soon as the project is completed. Pseudonymised research data will be deleted when they are no longer relevant to the initial purpose for which they were collected. The data is periodically evaluated against this criterion.
After the expiry of these retention periods, the UU will delete the personal data in question.
With whom is my personal data shared?
The UU may instruct other organisations to provide certain parts of our services on our behalf. If such organisations process personal data in the context of that assignment, we refer to them as processors. The UU makes agreements with these processors to ensure confidential and careful handling of personal data. These agreements are contractually laid down in so-called processing agreements. Sometimes these processors make use of services from other third parties to provide their service. These third parties are sub-processors. The same terms that apply to the processor apply to these sub-processors.
Your personal data will never be rented or sold. The UU can share your (personal) data with third parties if, for example, you have given permission for this yourself or if this is necessary to be able to execute an agreement between you and the UU.
The categories of third parties with whom the UU shares personal data are:
Service provider | Entity | Country of processing | Role |
Condens Insights GmbH | Condens Insights GmbH, Sandstr. 37, 80335 Munich, Germany | Germany | Processor |
Amazon Web Services | Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg | Germany | Sub-processor |
Microsoft Azure | Microsoft Ireland Operations Ltd., One Microsoft Place, Dublin 18, Ireland | Germany or France | Sub-processor |
Google Cloud Platform | Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland | Germany | Sub-processor |
CloudConvert | Lunaweb GmbH, Nördliche Münchner Straße 14a, 82031 Grünwald, Germany | Germany | Sub-processor |
Organisations involved in the processing of your personal data may also be located outside the European Economic Area (EEA). Separate rules apply to countries located outside the EEA. Transfers may only take place to third countries with an adequate level of protection; this can be done on the basis of an adequacy decision of the European Commission, appropriate safeguards and/or specific exceptions. If you want to know more about this, you can contact privacy@uu.nl.
What are my rights under the GDPR?
The GDPR gives you a large number of rights with regard to your personal data. For example, you have the right to be informed in a timely, clear and complete manner about the processing of your data. This privacy statement is intended to do just that. In addition, you have the right to view your data and to have it corrected or deleted. In certain cases, you have the right to have the processing of your data temporarily frozen (‘restricted’), the right to object to the processing and the right not to be subject to decisions resulting from fully automated processes (i.e. without human intervention) which may have serious consequences for you. And finally, in some cases you have the right to have a whole set of data that we have about you transferred to another organization. This is called the right to portability.
What about giving and withdrawing consent?
If we process your data on the basis of your consent, you have the right to withdraw your consent. This is always possible, even after we have already collected your data. Withdrawing your consent is as easy as granting it, and you don’t have to say why you are withdrawing your consent. Please note that if you withdraw your consent, we do not have to undo what we have done with your personal data up to that point. Withdrawing your consent does not work retroactively.
Can I view, correct or delete my personal data?
You have the right to know what personal data we process. At your request, we will provide you with an overview of all that data, or a specific part in which you are interested, free of charge. In doing so, we provide you with additional information, for example why we process that data, how long we keep it, and so on.
We must ensure that all your personal data stored on our systems is correct. If you notice (or if you think) that certain personal data is factually incorrect, you can request that we correct that data. And because our data must not only be correct, but also complete, you may supplement data if you think the information we have about you is incomplete. In certain cases, you can do so by offering us an additional statement of fact that we will add to your file.
There are situations in which you can ask us to delete certain data about you. You can do so, for example, if you feel that we no longer need this data or that we are processing it unlawfully, if you have withdrawn your consent or if you have objected to the processing. We will then check whether there are legitimate reasons to keep your personal data despite this. If there are no such reasons, we will delete your data.
When can I object to the processing?
In certain cases, we process your personal data because it is necessary to carry out a task carried out in the public interest or to pursue our legitimate interests (or those of another person or organisation). In such cases, we do not ask for your consent to the processing, but you can object to this based on your specific situation. If you object, we will suspend processing and balance your rights, freedoms and interests against our interests. We pay attention to your specific situation. If our interests outweigh yours, we will resume processing. If your rights, freedoms and interests outweigh ours in your specific case, we will permanently stop the processing. In either case, we’ll let you know what we’ve decided.
What does it mean that I can ‘restrict’ the processing?
Restricting the processing is nothing more than that you can temporarily ‘freeze’ the processing. If you request to restrict the processing of your personal data, we can’t do anything with your information other than storing it on our systems. You have the right to restrict the processing of your personal data if one of the following situations applies:
- You dispute the accuracy of the data, in which case we will interrupt the processing of your data until we have verified its accuracy.
- The processing is unlawful or the UU no longer needs your personal data for the purpose for which the data was collected and you do not want us to delete your personal data.
- You have, in accordance with your right to object, objected to the processing of your personal data and you are awaiting the outcome of your objection.
Does the UU make fully automated decisions?
You don’t have to accept that decisions are made about you without the involvement of a human being, if those decisions do have substantial consequences for you.
For users or participants in UX-related research, the UU will never make automated decisions that have substantial consequences.
Can I have my personal data transferred to another organisation?
If we process your personal data on the basis of your consent or a contract concluded with you, you have the right to have this data returned to you in a digital common file format. You are free to pass that data on to another party.
How can I exercise these rights?
If you want to exercise one or more of the aforementioned rights and you cannot do so via mijn.uu.nl or HR, you can submit a request via the Privacy Request Form (uu.nl). We will then have one month to respond to your request. For very complex requests (or if there are a lot of requests coming in at the same time), we sometimes need more time (up to two months extra). We will let you know within that first month.
When exercising your rights, we first need to establish your identity. We do this in a way that suits the situation at hand and the right you want to exercise.
Individual assessment
We would like to point out that the rights described above are not absolute rights. We assess each request individually. There may be circumstances that prevent us from responding to a particular request. If that’s the case, we’ll let you know why.
How does the UU secure my personal data?
The UU makes sure that personal data is treated confidentially. The UU takes appropriate technical and organisational measures to ensure that your personal data is properly protected.
Technical measures
In order to optimally protect your personal data against unauthorised access or use, the UU has appropriate security technology in use. We report (attempted) abuse.
Organisational measures
Within the organisation, the UU has taken a large number of measures to ensure that your data is not only technically secured, but that the chance of human error and misuse is also kept to a minimum.
Questions? Complaints?
Do you have any specific questions or comments about this privacy statement? Please feel free to contact us via privacy@uu.nl.
The UU has appointed a Data Protection Officer (DPO). This is an internal advisor and supervisor on the application of the GDPR. When you have questions about the processing of your personal data or when you want to file a complaint, you can contact our DPO via fg@uu.nl.
We would like to point out that you also have the right to file a complaint with the supervisory authority, the Dutch Data Protection Authority.
Contact details Utrecht University
Heidelberglaan 8
3584 CS Utrecht
Tel. (030) 253 35 50
Privacy statement: version and policy document
This privacy statement was last amended on 31 October 2024. From time to time, changes are made to this privacy statement. Please check our website to make sure you are consulting the most recent version.