Privacy Statements
Version 29-02-2024
In this privacy statement, we explain what happens to your personal data when it is processed in the mobile endpoint management system (Intune). Intune is the management system for mobile devices (phones and tablets) provided on loan by the UU, or for personal (bring your own) devices that are also used for business purposes to access UU information resources.
Who is responsible for processing the data?
Utrecht University, with its official address at Heidelberglaan 8, 3584 CS Utrecht, is responsible for processing the data as described in this privacy statement.
For which purposes will we process your personal data?
The objective of mobile device management (mobile endpoint management) is to secure UU data on mobile devices in such a way that it is not unintentionally accessible to anyone other than the owner of the device. This platform enables employees to be productive on all their devices while ensuring that UU information remains secure in accordance with the UU’s information security policy.
Which personal data do we process?
When using a business device managed by UU: For the management of mobile devices issued by UU, the following personal data is processed:
- Name data
- Contact information
- Device information
- Activity log
When using a personal, Bring Your Own Device (BYOD), with access to UU information services:
- Name data
- Contact details
- Device information
- Activity logs
How long will we store these personal data?
Utrecht University:
The retention period for the Intune management profile within Intune aligns with the general systems of the UU for managing (digital) access rights. Once an employee leaves UU, the data will be removed from these systems, and thus from Intune as well.
When a business device is returned, it will be removed from Intune. After removal, no information about the device will be available anymore.
Microsoft:
Microsoft retains the Azure logs for 30 to 90 days. The audit logs of the respective management profile are kept for up to one year.
What management capabilities does UU have on the mobile device?
When using a business device managed by UU:
When the mobile device is provided to employees on a loan basis, the device remains the property of UU. The device and business applications are then partially managed by UU. This management takes place through the management profile on the device: Mobile Application Management (MAM). In practice, this means that the UU has the following management capabilities for the device:
- The UU, as the owner of the device, has management capabilities over all apps provided by UU.
- Only access to business applications is managed.
- The management capabilities include:
- Enforcing a 6-digit PIN code on the device.
- Enforcing a 6-digit PIN code on business applications.
- Only business applications provided by UU can be installed via the UU account.
- Ability to reset the 6-digit PIN code for business applications.
- Ability to remove the business UU applications.
- After 30 minutes of inactivity within the business application, the application code must be re-entered.
- Denying access to business applications after the device has not been able to connect with Solis Cloud Endpoint Management for 90 days.
- Ability to remotely lock the phone.
- Apps provided by UU can be installed by the employee through the Company Portal app.
- Storage on the device will be encrypted so that any locally stored files can be safely used.
- Private use of the business device is allowed, as long as it is in accordance with the user policy.
When using a personal, Bring Your Own Device (BYOD), with access to UU information services:
The mobile device is a personal device owned by the user. The user is and remains the owner of the personal mobile device. When the user registers the device to access UU information services, access to the business UU applications falls under UU’s management. This management takes place through the management profile on the device: Mobile Application Management – Without Enrollment (MAM-WE). In practice, this offers the following management capabilities for the device:
- The device is and remains the employee’s property.
- The employee has access to the managed business apps.
- Only data within the apps used by the business account is managed.
- The device must be secured with a 6-digit PIN code.
- All data from the business applications are in the cloud and cannot be exchanged locally.
- Access to business applications can be revoked.
Are my data shared with third parties?
Intune is a service provided based on cloud technology (Software as a Service) and operates within Microsoft’s digital Azure environment.
During this processing, data is shared with Microsoft as the processor and provider of the service.
Will my data be shared with third parties?
The data centers where the Azure servers used by UU are located are within the EEA. However, during processing by Intune, data is transmitted to Microsoft’s locations in the United States. The following data is involved:
- IMEI number
- Account name
- Email address
- Manufacturer
- Model
- Device serial number
- Last user login
- Last contact with Solis Cloud Endpoint Management
- Operating system and version
- User ID
- Device name
- Device type
- IP address
For the international transfer of personal data to the United States, the European Commission issued an adequacy decision on July 10, 2023.
Additionally, UU uses the model contract for the education sector, in which SURF has agreed on supplementary measures with Microsoft regarding the protection of personal data.
What are the legal grounds for processing these data?
Which rights do I have in accordance with the GDPR, and how can I exercise these rights?
As a stakeholder, you have certain rights with regard to the processing of your personal data: the right to view, correct and delete the data, the right to limitation of processing, and the right to object. If you wish to exercise any of these rights, you can submit a request to GDPR Request (Privacy) – Selfserviceportal (topdesk.net). If you do not have a UU account, you can use the Privacy Request Form (uu.nl). You may be asked to provide proof of identification to process this request.
Questions
If you have any questions about this privacy statement, please feel free to send an e-mail to: privacy@uu.nl. If you wish to submit a complaint, you can contact Utrecht University’s Data Protection Official via e-mail at: fg@uu.nl. You are of course also free to submit a complaint to the Data Protection Authority, the Netherlands’ official privacy protection agency.