Tools

nl

Tools

Privacy Statements

Privacy statement SURF Works (Nextcloud)

In this privacy statement, we explain what happens to your personal data when it is processed for SURF Research Drive. 

Who is responsible for data processing? 

Utrecht University is responsible for the data processing described in this privacy statement. 

For what purposes are my personal data processed? 

Your personal data will be processed for to enable the use of SURF Works. The purpose of SURF Works is to collaborate with parties both within and outside the UU. 

What personal data is processed? 

Apart from personal data that you store yourself on SURF Works, the following data is processed: 

  • Your e-mail address, 
  • Your SolisID or EduID, and an unique ID managed by SURF 
  • Your IP address and other logging information, 
  • Information about your usage, such as how much storage you use, who owns or uses a folder, and 
  • Which UU business unit you work for. 

How long is this personal data kept? 

Data relating to your account will be kept for as long as you have an account with UU. 

Data about your logging is stored to a limited extent for security purposes. 

Will my data be shared with third parties? 

The SURF Works platform is provided by SURF. SURF manages the technology on which SURF Works is built (Nextcloud) and makes it available through its data centers in the Netherlands. 

Will my data be transferred to third countries? 

No, data will not be transferred to third countries outside the European Economic Area. 

What is the legal basis for this data processing? 

The Universiteit Utrecht aims to achieve greater autonomy and sovereignty in the field of IT. SURF Works is a collaboration platform that supports this goal by being managed and hosted within the Netherlands by a Dutch organization (SURF). The platform is also transparent (open source), enables seamless, user-friendly integration with existing IT infrastructure, and complies with data protection and information security requirements. 

Necessity 

The assessment of the necessity of processing is based on two principles: the principle of proportionality and the principle of subsidiarity. 

The principle of proportionality requires a balanced assessment of the interests of the data controller and the data subject. The processing must be appropriate and proportionate to the intended purpose of the processing and must not be excessive in relation to that purpose. If the purpose can be achieved with less data, the amount of data processed should be reduced. 

With regard to the principle of subsidiarity, a determination must be made as to whether the purpose can reasonably be achieved using less intrusive alternatives. 

– Proportionality 

The intended purpose of using SURF Works is to provide a more autonomous, user-friendly, and secure environment where employees and students can collaborate within the UU as well as with parties outside the UU. 

This requires the ability to monitor and manage the system, as well as the processing of the aforementioned personal data. This is necessary so that users know whether they can control their own data and their collaboration with others, and so that the UU can maintain an overview of costs and security. 

As part of providing a secure environment for storing data, it is necessary to grant access to the environment only to authorized users and to provide them with appropriate permissions for functions such as document editing, communication, forms, and access to files and/or folders. 

The personal data processed within SURF Works is proportionate to these purposes and is not used for any other purposes. The data processing by SURF Works is therefore deemed proportionate because it is necessary and appropriate for the intended purposes, and the security of personal data is guaranteed. 

– Subsidiarity 

SURF Works is an alternative to Big Tech collaboration environments. For successful implementation, it is important that it offers the same functionality and security as Big Tech environments and integrates seamlessly into the existing system. It is also important that the processing of personal data for this purpose be kept to a minimum in order to safeguard privacy as effectively as possible. 

Balancing 

Both the UU and its staff, students, and partners have a stake in a user-friendly and efficient system for storing, sharing, and collaborating, one in which personal data is adequately protected and the availability, integrity, and confidentiality of data are guaranteed. 

SURF Works is considered the least intrusive and most effective solution in this regard. It meets the requirements for both information security and data protection at the UU, as well as the desired business functionality 

What rights do I have under the GDPR and how can I exercise them? 

The GDPR gives you a number of rights with regard to your personal data. You have the right to access your data and to have it corrected or deleted. In this processing, you also have the right to temporarily freeze (‘restrict’) the processing of your data, the right to object to the processing. 

How can I exercise these rights? 

If you want to exercise one or more of the above rights, you can submit a request using the privacy request form. We will then have one month to respond to your request. For very complex requests (or if a lot of requests come in at the same time), we sometimes need more time (up to two months extra). We will let you know within that first month. 

Is there automated decision-making or profiling? 

There is no automated decision-making. This means that decisions are never made without human intervention. There is also no profiling. 

Questions? Complaints? 

Do you have any specific questions regarding the above information or do you have any comments regarding  this privacy statement? Feel free to contact us. You can send a message to privacy@uu.nl. 

The UU has appointed a Data Protection Officer (DPO). This is an internal advisor and supervisor who may also be important to you, namely if you want information about our processing of personal data or if you want to file a complaint about it. You can contact our DPO via fg@uu.nl. 

We would like to point out that you also have the right to file a complaint with the supervisory authority, the Dutch Data Protection Authority. 

Contact details Utrecht University 

Heidelberglaan 8
3584 CS Utrecht
Tel. (030) 253 35 50 

Privacy Statement: Version and Policy Document 

This Privacy Statement was last modified on (June 24, 2026). From time to time, we will make changes to this Privacy Statement.