Privacy Statements
Privacy statement UU Computer Emergency Response Team (CERT)
In this privacy statement, we explain what happens to your personal data when it is processed in relation to the UU CERT.
Who is responsible for data processing?
Utrecht University is responsible for the data processing described in this privacy statement.
For what purposes are my personal data processed?
Your personal data will be processed to register and act upon digital threats and incidents.
What personal data is processed?
The following personal information might be processed:
- Your name,
- Your email address,
- Your SolisID,
- Your telephone numbers,
- Information related to your position at Utrecht University,
- Digital information, such as your IP-address, and logging,
- And any other information that you include in an incident notification.
How long is this personal data kept?
The personal information mentioned above will be anonymized or deleted within two years of the initial incident notification.
Will my data be shared with third parties?
While CERT uses third party services, your personal data will not be legible at any point for these parties.
Will my data be transferred to third countries?
No, data will not be transferred to third countries outside the European Economic Area.
What is the legal basis for this data processing?
The legal basis for this data processing is legitimate interest for the Utrecht University.
Utrecht University has the legitimate interest to be notified of and act upon cyber incidents at the university. To this end, personal data of the notifier and other data subjects might be processed. The data processed is in a certain sense contained. The CERT team is trained to work with the minimum amount of personal required to resolve an incident. It should also be considered that the data subjects have an interest in the functioning of the CERT, as the CERT works to prevent and resolve data breaches that will affect UU data subjects.
What rights do I have under the GDPR and how can I exercise them?
The GDPR gives you a number of rights with regard to your personal data. You have the right to access your data and to have it corrected or deleted. In this processing, you also have the right to temporarily freeze (‘restrict’) the processing of your data, the right to object to the processing and the right to have your dataset transferred to another organisation.
How can I exercise these rights?
If you want to exercise one or more of the above rights, you can submit a request using the privacy request form. We will then have one month to respond to your request. For very complex requests (or if a lot of requests come in at the same time), we sometimes need more time (up to two months extra). We will let you know within that first month.
Is there automated decision-making or profiling?
There is no automated decision-making. This means that decisions are never made without human intervention. There is also no profiling.
Questions? Complaints?
Do you have any specific questions regarding the above information or do you have any comments regarding this privacy statement? Feel free to contact us. You can send a message to privacy@uu.nl.
The UU has appointed a Data Protection Officer (DPO). This is an internal advisor and supervisor who may also be important to you, namely if you want information about our processing of personal data or if you want to file a complaint about it. You can contact our DPO via fg@uu.nl.
We would like to point out that you also have the right to file a complaint with the supervisory authority, the Dutch Data Protection Authority.
Contact details Utrecht University
Heidelberglaan 8
3584 CS Utrecht
Tel. (030) 253 35 50
Privacy Statement: Version and Policy Document
This Privacy Statement was last modified on 18-9-2025.
