Privacy statement regarding digital time recording

Version 20-10-2022

Utrecht University (UU) regularly carries out research that is subsidised by external parties. Project administration is kept for this purpose. Some of the elements that are saved in that project administration are privacy sensitive, including the number of hours spent. This privacy statement explains the purposes for which we process your personal data in the context of time recording, describes how you can exercise your rights, and provides further information that may be relevant to you.

Who is responsible for processing my personal data?

Utrecht University is a controller within the meaning of the General Data Protection Regulation (GDPR). That means UU is responsible for what happens to your personal data. It is of great importance to UU that personal data are handled with due care and that the appropriate technical and organisational measures are taken to protect your personal data.

For what purposes are my personal data processed?

The time recording system logs and saves hours. These can be shared with the accountant in order to substantiate project staff costs charged to the provider. The information you enter is also used by the project controller in order to prepare a correct and complete financial statement. For security reasons, we also register the date and time when you logged in.

What personal data will be processed?

The following personal data are processed:

  • name;
  • employee number;
  • hours worked;
  • project name and/or project number;
  • leave hours;
  • login date and time.

What is the lawful basis of the processing?

Personal data may only be processed if there is a lawful basis for doing so that is explicitly mentioned in the GDPR. UU applies the basis of legitimate interest for the processing of your personal data in the context of time recording. It is important to our university that the grant provider is able to check staff costs. After all, this is a standard obligation in the agreements entered into with grant providers. This means that, without time recording, UU would not be able to meet its contractual obligations.

Will my data be shared with third parties?

In accordance with the audit protocols of grant providers (primarily the EU and the Ministry of Economic Affairs), the auditor must be able to access documents that can be used to substantiate the accuracy and lawfulness of the costs charged in connection with a subsidised project, including the hours spent. The auditor may be our own accountant or an external auditor who is engaged by the grant provider.

Capgemini takes care of the system (SAP) that we use for saving your personal data. Under the GDPR, Capgemini is what is referred to as a processor.

Will my data be shared with parties outside the EEA?

Your personal data are processed in the EU and are in principle not shared with countries outside of the EEA. In the event this does occur, we take appropriate measures such as contractual agreements in order to ensure that your data are adequately protected.

How long will my personal data be stored?

We store the personal data processed in the context of time recording for seven years after the date of the last grant payment.

What rights do I have under the GDPR, and how can I exercise them?

Under the GDPR, you have a number of specific rights that you can invoke. For example, you can ask us which personal data of yours we process; if you then find that these data are incorrect, you can request to have them corrected. In certain cases, you can also request that we delete, transfer or restrict the processing of your data. Finally, you are entitled to object to the processing of your data.

If you wish to exercise any of the aforementioned rights, please contact us via privacy@uu.nl. Please note that you may be asked to provide a copy of a valid ID so that your identity can be verified.

If you disagree with how and why UU processes your personal data, you can file a complaint with the Dutch Data Protection Authority:

Dutch Data Protection Authority
Bezuidenhoutseweg 30
2594 AV The Hague
www.autoriteitpersoonsgegevens.nl/en
Tel. no. +31 88 1805 250

Any questions?

If you have any questions about the way in which your personal data are processed, please send an email to privacy@uu.nl.

Our Data Protection Officer can be reached via fg@uu.nl.