Ghent University privacy statement
On the 18th of May 2018 the Executive Council of Ghent University approved the Generic Code of Conduct for the processing of personal data and confidential information. As a data controller, Ghent University hereby ratifies its general data protection policy which focusses on the security, accuracy, care and responsibility of the processing of personal data and confidential information, in addition to ensuring compliance with the General Data Protection Regulation (GDPR).
The General Data Protection Regulation aims to inform each individual about the possible processing of his or her personal data and the protection thereof. As a university, Ghent University processes personal data of its employees, students, external parties (students deciding on a course of study, alumni, contacts, business relations) and specific personal data in connection with its educational and research responsibilities. The following overview shows how Ghent University handles personal data, what rights you may exercise in this connection, and to whom you can turn in case you wish to know more about privacy and information security at Ghent University.
Generic Code of Conduct for the processing of personal data and confidential information
The Generic Code of Conduct for the processing of personal data and confidential information at Ghent University is an internal code of conduct applicable to all employees, whether they are voluntarily or contractually affiliated with Ghent University, as well as to all Ghent University students. Whenever Ghent University collaborates with external partners, they may also be contractually bound to ensure compliance with this Generic Code of Conduct.
Among other things, the Generic Code of Conduct lays down guidelines subject to which personal data and confidential data may be accessed or used. The Generic Code of Conduct supplements other existing regulations, in which connection, special mention needs to be made of the regulations for the proper use of the IT infrastructure of Ghent University’. Wherever necessary, the Generic Code of Conduct itself may be supplemented with codes of conduct with a focus on specific applications and processing operations. Finally, the Generic Code of Conduct also provides for possible measures and sanctions that may be imposed against persons who actively, knowingly and repeatedly violate the Code of Conduct.
The Generic Code of Conduct is part of the general data protection policy (the policy on the lawful and secure processing of personal data) that is implemented within Ghent University. To ensure this, Ghent University has appointed a Data Protection Officer who is empowered to coordinate and monitor the lawful and secure processing of personal data at Ghent University.
Which personal data are processed?
Ghent University processes personal data of staff members, students, alumni, external partners, visitors or other groups involved in the education, scientific research, quality assurance and business operations provided by Ghent University. Ghent University may process and/or record these personal data in connection with fulfilling its educational and research responsibilities.
Ghent University may therefore process the following categories of personal data:
- Personal identification data: name; address; place of residence; place of birth; bank account number; telephone number; date of birth; gender; e-mail address
- Interaction data such as the IP address; cookies; surfing and clicking behaviour
- Images such as photos and videos
- Information about the study programme and training, such as decision-making on a course of study, study progress and study results
- Data collected in connection with scientific research
The above list is not exhaustive.
What are the purposes for which Ghent University processes personal data?
Ghent University ensures that the processing of personal data is restricted to the achievement of the intended objective. Ghent University primarily processes personal data to achieve the following objectives.
This includes all personal data of (prospective) students who wish to pursue a study programme or course of training at Ghent University and who consequently register (online) or (pre-)register for the same. These data are accurately and securely stored in a database of Ghent University. The attention of (prospective) students is drawn to this regulation at the time of registration, pre-registration and re-registration. They are free to access and change their personal privacy settings at any time via the web application provided for this purpose.
The personal data collected in connection with educational matters are mainly used for the management of academic careers in the context of educational events. This includes all administrative (and legally) necessary processing of personal data in order to ensure a high quality realisation of the educational mandate of Ghent University subject to a legal or contractual basis, including:
- administrative acts relating to registration, pre-registration and enrollment, tuition fees, examination and study progress decisions in conformity with the Education and Examination Regulations and Students’ Facilities Services
- processing in connection with study and career counselling, psychosocial counselling on the request of the data subject, and counselling relating to the choice of profession, the preparation of (education-related) policy decisions, quality assurance, organisational analysis, and alumni associations
- sending information relevant to (prospective) students in order to ensure the realisation of the educational mandate with the requisite quality as mentioned above.
In addition to legally required processing operations, certain processing operations may also take place in connection with the student and education administration, subject to the explicit consent of the student for the same at the time of registration (such as making study results available to the secondary school for processing relating to secondary school graduates).
Research is an important pillar of Ghent University. The results of scientific research have an impact on the wider community, and provide new impulses to education, in addition to laying the foundation for a progressive knowledge society, in the general interest.
Researchers affiliated with Ghent University may also collect, process, analyse and manage personal data in connection with scientific research. Depending on the nature of the research, sensitive data may also be involved (e.g. medical data, ethnicity/race, data relating to personal or sexual life, etc.). The Generic Code of Conduct for processing personal data and confidential information in force at Ghent University already lays down the general principles that should also be applied in scientific research.
The handling of personal data in connection with research at Ghent University is framed within the broader policy of research data management, with a focus on ensuring the collection, management and storage of research data in an ethical manner and with the requisite quality. The research data management websitecontains further information concerning this subject.
With regard to the organisation of personnel matters such as recruitment and selection, payroll administration and providing career counselling to Ghent University employees, personal data are processed at Ghent University as part of complying with a legal obligation, fulfilling a contractual agreement with the data subject or in the legitimate interest of the university.
A variety of personal data are required, depending on the HR process involved. When commencing employment, the diploma held by the candidate determines the job level within Ghent University, and the personal data are used in connection with the career growth track through training, counselling and functioning. For the purposes of calculating the appropriate salary, Ghent University not only needs the employee’s identification data, but also the family composition. The specific employment and career details are also forwarded to the public authorities, such as Dimona for social security and Capello for updating the pension details. Ghent University issues individual certificates based on personal data relating to the development of the career of the person involved (employment certificate, C4, C131, A1), which the employee requires for the purpose of proving his status to various government bodies and other employers (tax certificate, guaranteed residence certificate, visa certificate).
Business management operations
A variety of personal data processing operations are carried out at Ghent University in connection with conducting business management operations, such as maintaining financial administration records, managing contacts and contracts, ensuring the safety and health of students, personnel and visitors, managing access to the buildings of and around Ghent University, being able to implement and improve policy, organisational analyses, management reports and audits, providing careful dispute resolution and complaint handling, etc.
Who has access to personal data?
Ghent University ensures that personal data are only transferred to third parties with the explicit consent of the data subject, or where a legal basis or obligation to do so exists, or where such processing is required in order to protect the legitimate interests of the data controller or of a third party, or if such transfer is required in order to fulfil an agreement with the data subject.
Whenever Ghent University engages external partners or collaborates with external partners and personal data are likely to be processed in this connection, it shall always conclude a processing agreement with a view to ensuring that such external party shall also handle the transferred personal data lawfully, confidentially and with all due care.
The security of personal data
Information security is a necessary condition for the protection of personal data. Ghent University therefore implements appropriate technical and organisational measures to ensure that personal data remains confidential, and to protect the same against any form of loss or unlawful processing.
This is evidenced by the modular information security policy that is implemented within Ghent University. This policy is based on the internationally recognised information security standard ISO/IEC 27001 and includes policies, guidelines and procedures (e.g. practical guidelines for safe working with IT resources). Additions and updates to the policy are made on a regular basis. Checks and audits are also conducted on selected applications or processing operations, based on risk analyses. Finally, the policy is supplemented by an information security plan, which is drawn up every three years.
Ghent University underlines the general principles of the GDPR in its Generic Code of Conduct. These principles are directly or indirectly related to information security:
- Accountability obligation: those who process personal data are actively responsible for the same and among other things are bound to document the specific security measures taken.
- Confidentiality and integrity: everyone shall handle personal data and confidential information with the required secrecy, and shall respect the security of the data as well as of the equipment. A breach (data breach, theft, loss, etc.) shall immediately be reported internally – and externally, whenever so required.
- Lawfulness, fairness and transparency: each user shall maintain transparent communication about the fact that he/she is working with certain data. Access to personal data shall be limited to persons who are required to have lawful access to such data.
- Purpose limitation: the purposes for which certain data are processed are clearly recorded and documented. Other – improper – use is not permissible.
- Minimal data processing: no more data are processed than is strictly necessary.
- Accuracy: the data are correct, and errors if any found are rectified immediately.
- Storage limitation: data is not kept for longer than is necessary. The period is specified at the time of collecting the data.
What rights does a data subject have with regard to processing of personal data?
Depending on the purpose and the legal basis on which Ghent University processes personal data, the data subjects may exercise the following rights:
- The right to request which personal data are processed and, if such data are not provided directly to Ghent University, to request information concerning the source of such data;
- The right to request the rectification of incorrect data;
- The right to request ‘to be forgotten (right to erasure)’, provided a number of conditions are met;
- The right to request the provision of certain data in order that the data subject may transfer the same to another organisation;
- The right to object to the processing of personal data through fully automated processing (e.g. direct marketing).
How can you, as a data subject, exercise these rights?
You may contact the Data Protection Officer of Ghent University at firstname.lastname@example.org in case you have any further questions concerning the various rights and obligations relating to privacy, or if you believe that Ghent University is processing your personal data wrongfully and/or improperly.
Ghent University may request additional information in order to assess the well-foundedness of such a request or to verify the identity of a person making the same. Ghent University reserves the right not to comply with such requests, provided it states the grounds for the same. This would apply, for example, if such a request is manifestly unfounded or excessive in nature.
If you believe that insufficient action has been taken on a request or complaint, you may contact the Flemish Supervisor:
Flemish Supervisory Committee for the processing of personal data
Koning Albert II-laan 15
Telephone: +32 (0)2 553 50 47