Privacy Statements
In this privacy statement, we explain what happens to your personal data when it is processed for SURF Research Drive.
Who is responsible for data processing?
Utrecht University is responsible for the data processing described in this privacy statement.
For what purposes are my personal data processed?
Your personal data will be processed for to enable the use of SURF Research Drive. The aim of SURF Research Drive is to easily share research data with other researchers, especially at other research institutions.
What personal data is processed?
Apart from personal data that you store yourself on SURF Research Drive, the following data is processed:
- Your e-mail address,
- Your SolisID or EduID,
- Your IP address and other logging information,
- Information about your usage, such as how much storage you use, who owns or uses a folder, and
- Which UU business unit you work for.
How long is this personal data kept?
Data relating to your account will be kept for as long as you have an account with UU.
Data about your logging is stored to a limited extent.
You must keep an eye on the retention period of the research data yourself and determine it yourself.
Will my data be shared with third parties?
The SURF Research Drive is provided by SURF.
Will my data be transferred to third countries?
No, data will not be transferred to third countries outside the European Economic Area.
What is the legal basis for this data processing?
Legitimate interest of Utrecht University
Utrecht University’s legitimate interest in making use of the SURF Research Drive (RD) lies in supporting scientific research through secure, efficient and scalable storage and collaboration options. The service provides the necessary infrastructure for storing, managing and sharing large amounts of research data, which are necessary for large-scale and data-intensive studies. SURF In doing so, SURF RD meets both the functional requirements for easy collaboration with both internal and external partners, as well as the requirements for data protection and data protection.
Information security
SURF Research Drive also makes it possible to centrally allocate available storage capacity to specific organisational units, such as faculties. This means that the UU has sufficient control and insight over the distributed capacity and can report on this. The faculties can then further subdivide the allocated capacity to researchers and/or projects.
Furthermore, the platform is well integrated with SURF’s services, which increases the efficiency of research processes.
Necessity
The assessment of the necessity of the processing consists of two principles, the principle of proportionality and the principle of subsidiarity.
The principle of proportionality requires a balanced balance between the interests of the party responsible for the defence and the party concerned. The processing must be appropriate and proportionate to the intended purpose of the processing and must not be excessive in relation to the purpose. If the goal can be achieved with less data, the number of data processed should be reduced.
For the subsidiarity principle, it must be considered whether the goal can reasonably be achieved with less invasive alternatives.
– Proportionality
The intended purpose of using SURF Research Drive is to provide a user-friendly and secure environment where researchers can store, share and collaborate with their partners.
It is necessary that there are insight and management options for the efficient allocation of the available storage capacity. For researchers so that they know whether they have sufficient capacity at their disposal and for the UU to keep an overview of costs.
As part of providing a secure environment for storing data, it is necessary to allow only authorized users to access the environment and provide them with the appropriate permissions on files and/or folders.
The personal data processed within SURF RD are proportionate to these purposes and are not used for other purposes. The data processing by SURF RD is therefore assessed as proportionate because it is necessary and appropriate for the intended purposes and the security of personal data is guaranteed.
– Subsidiarity
SURF RD is a specialised service for storing, sharing and collaborating on research. Local storage or less specialized cloud solutions would come at the expense of efficiency and collaboration. SURFdrive only processes the minimum data necessary to provide the service securely.
Balancing
Both UU and its researchers and partners have an interest in a user-friendly and efficient system for storing, sharing and collaborating on data and research in which personal data is adequately protected and the availability, integrity and confidentiality of data are guaranteed.
SURF RD is seen as the least intrusive and effective solution. Where it meets the requirements for both information security and data protection of the UU as well as the desired business functionality.
What rights do I have under the GDPR and how can I exercise them?
The GDPR gives you a number of rights with regard to your personal data. You have the right to access your data and to have it corrected or deleted. In this processing, you also have the right to temporarily freeze (‘restrict’) the processing of your data, the right to object to the processing.
How can I exercise these rights?
If you want to exercise one or more of the above rights, you can submit a request using the privacy request form. We will then have one month to respond to your request. For very complex requests (or if a lot of requests come in at the same time), we sometimes need more time (up to two months extra). We will let you know within that first month.
Is there automated decision-making or profiling?
There is no automated decision-making. This means that decisions are never made without human intervention. There is also no profiling.
Questions? Complaints?
Do you have any specific questions regarding the above information or do you have any comments regarding this privacy statement? Feel free to contact us. You can send a message to privacy@uu.nl.
The UU has appointed a Data Protection Officer (DPO). This is an internal advisor and supervisor who may also be important to you, namely if you want information about our processing of personal data or if you want to file a complaint about it. You can contact our DPO via fg@uu.nl.
We would like to point out that you also have the right to file a complaint with the supervisory authority, the Dutch Data Protection Authority.
Contact details Utrecht University
Heidelberglaan 8
3584 CS Utrecht
Tel. (030) 253 35 50
Privacy Statement: Version and Policy Document
This Privacy Statement was last modified on (November 6, 2025). From time to time, we will make changes to this Privacy Statement.
