Tools

Privacy Statements

Privacystatement Sharepoint Share requests Monitoring 

Version 22-11-22 

In this privacy statement we explain what happens to your personal data when you share a file with an external e-mail address via Sharepoint or OneDrive, or you receive a Sharepoint or OneDrive shared file from Utrecht University. 

Who is responsible for data processing? 

Utrecht University, located at Heidelberglaan 8, 3584 CS Utrecht, is responsible for the communications described in this privacy statement. 

For what purposes will my personal data be processed? 

Your data is processed to quickly find out when and how files were shared with external parties in the event of incidents related to file confidentiality. 

Which personal data are processed? 

The following data is processed when you give an external email address access to a file within the UU environment. 

  • Your e-mail address,
  • The name of the sharing file, 
  • The time the file was shared, and 
  • The receiving email address. 

The following data is processed when a file from a UU shares email address with your external email address. 

  • Your e-mail address,
  • The time the file was shared, and 
  • The name of the shared file. 

How long is this personal data stored? 

Data in this processing is stored for 6 months. After that, they will be automatically deleted. 

Will my data be shared with third parties? 

Your data will not be shared with third parties in this processing. 

Will my data be transferred to third countries? 

Your data will not be transferred to countries outside the EEA. 

What is the legal basis of this data processing?  

The basis used in this processing is the legitimate interest. This basis is elaborated as follows: 

Utrecht University’s interest being weighed here is that of securing its environment and (intellectual) property. More specifically, this involves securing documents within SharePoint environments. These are logged during this processing so that it can be looked back when an employee or student has given external access to a certain document. 

This interest must be weighed against that of the staff, students and recipients whose data is kept. It is not taken into account here that these data are in any case kept. This processing is intended to make it easier to search this data in the event of problems. The interest of the staff and students is that their data is not processed, as little as possible and in any case not unnecessarily. In addition, students and staff also have an interest in the fact that if there is a successful phishing action or otherwise provided access to their accounts, it can be looked back with whom and when certain files were shared. 

In this processing, of course, data, although in small quantities, is processed. In addition, there have been questions about the usefulness of this data processing. In this context, it was decided to use this service as a pilot for the first period and then to evaluate whether this processing proves useful. This utility was initially adopted, because tracking these share requests is an industry standard that is also recommended by the vendor. 

That the interest of Utrecht University in this also applies to some of the people involved, namely the students and staff. This does not apply directly to external parties, as they do not communicate in the safe working environment of Utrecht University. If we weigh the achieved benefit for the University against the privacy infringement, namely a snapshot that a certain email address has been given access to a file, then it is striking that the security advantage here seems to weigh more heavily. This is mainly due to, again, the very small amount of data that is processed by the data subjects. 

This assessment therefore concludes that the legitimate interest of Utrecht University prevails over the privacy interests of the data subjects. 

What rights do I have under the GDPR and how can I exercise them? 

As a data subject , you have certain rights. Namely, the right of access, the right to rectification of personal data, the right to erasure, the right to restriction of processing and the right to object. If you want to make use of these rights, you cansend your request to Privacy@uu.nl. It is possible that identity documents are requested during this procedure. 

When you object, it will be examined on a case-by-case basis whether this objection can or must be met. Utrecht University will cease the processing of personal data unless urgent legitimate grounds are invoked that outweigh your interests, rights and freedoms. 

Is there automated decisionmaking or profiling? 

There is no automated decision-making. This means that decisions are never made without human intervention. There is also no question of profiling.

Questions 

If you have any questions about this privacy statement, you can ask them to privacy@uu.nl. Do you want to file a complaint? Then you can do so at the data protection officer of Utrecht University, which can be reached at fg@uu.nl. You are also always free to file a complaint with the Dutch Data Protection Authority, the privacy watchdog of the Netherlands.