0. Administrative Information
We start the privacy scan by filling out some administrative details about the project. After filling in the name of the project and which department from the Geo faculty is involved, we need to state who is (are) the project controller(s).
A controller is someone who “determines the purposes and means of the processing of personal data”. Plainly speaking, controllers exercise overall control of the personal data being processed and are ultimately in charge of, and responsible for, the processing.
Legally speaking, if a UU employee or student is responsible for the activity as part of their official UU roles (as opposed to a personal capacity), then under the eyes of the GDPR the controller is the University itself. But for practical purposes in this privacy scan, the controller is the individual(s) who has final authority and can make decisions about the project, and is able to respond to any inquiries about the project throughout its entire duration.
When more than one person is in control of the processing (i.e., a PI or promoter and a Postdoc or PhD student), it is important to include them both in the “Contact details of project controller(s)” – maybe one will be the overall responsible for the project and the other one will be the contact person most familiar with the way personal data will be processed. The listed controllers are responsible for the safety and privacy of the project’s personal data, from the start of data collection until all personal data has been deleted and/or anonymized – which may take up to 10 years for some research data. It is important to ensure that even if a controller leaves the UU, there is always another person who is responsible for the project.
In addition to the (one or more) individuals listed as main controllers in this section, there may be others involved in the project that do not share the same level of responsibility as the controllers listed above – these individuals are not listed here. If these individuals or organizations are part of the UU – students, researchers, staff from other UU faculties – they should be listed in section 4 “data access”, of this privacy scan. If these individuals are not part of the UU – i.e., researchers and other collaborators from external universities or organizations – they will also need to be described later in section 8 “Description of measures to ensure compliance by processors and/or joint controllers”.
| Project/Study title: | [type here the name of the project] |
| Department in Geo Faculty: | [type here the name(s) of the Geo faculty departments involved in the project. If other UU faculties/departments are also involved, type them here too. Non-UU faculties are not to be included here] |
| Contact details of project controller(s)*:
Role, name, job title, department, e-mail. |
[type here the role, name, job title, department, e-mail of the person responsible for the project. For PhD projects, include here the PhD student and the PI/promoters/supervisors involved in the project] |
| Initial personal data collection start / end date: | [enter if it is known, leave empty if not known, or give an estimate date, update as necessary as the project is being designed] |
| Reviewed by: | [usually, it is the faculty privacy officer, but can also be reviewed by the faculty data steward(s) and/or faculty data manager] |
| Privacy Scan Outcome | [to be filled in by reviewer. May be ‘started’ while it is being drafted, ‘completed/approved’ to indicate that it has been reviewed and data collection can be started, and ‘ongoing’ when the privacy scan has been reviewed, but there are still issues that need to be addressed] |
| Comments: [to be filled by reviewer] | |