GDPR and privacy: What does it all mean?

Privacy is the cornerstone of the policy on ethics and integrity at VUB. The protection of personal data is an important issue in Europe. The new GDPR  gives citizens more control and protection over their personal data. This is a good thing, but it has an important impact on our daily work at VUB.

What is personal data? When are you entitled to use data from students or employees? How does the GDPR impact research? Why can’t you keep on using your existing mailing list  to invite people for  a congress, seminar or other events? In these GDPR-guidelines we will explain what will change, as of the 25th of May 2018.

The General Data Protection Regulation (GDPR) is stricter than the previous European privacy legislation. There are more measures in case of data breaches and the fines in case of infringements can be very high. The VUB will take all the necessary measures to respect the GDPR  in every use of personal data. This implies an important cultural change that impacts the functioning of your department. What will change? He we provide answers to 10 important questions.

1. What is personal data?

Personal data is any information about a person that makes it possible to identify them, directly or indirectly: username, a name, a picture, a photo, an address, a licence plate, a telephone number, locations , IP-address,… Be careful: some combinations of data can also make it possible to identify a person, even if the individual data items do not. For instance a file that records the sex, the department where somebody is employed and the details of their contract. Or a list of school children containing their age, school and postal code. The GDPR rules apply to all these types of data.

Does the GDPR apply to the data of deceased persons? No. But it does apply to the personal data of the  descendants.

2. When is the GDPR applicable?

The GDPR applies when you are ‘processing’ personal data in any way. GDPR applies when you – either manually or via automated processes – collect, record, organize, structure, save, update or modify, retrieve, consult, use, provide, forward, distribute or otherwise makes available, align or combine, protect, deletes or destroy personal data.

3. When can you process personal data?

You can only only process personal data when you have a legitimate ground for it and / or when the person in question has explicitly consented to this.

When in doubt whether you have a legitimate ground for storing and / or processing data, contact us via

4. When and what should I register internally?

Do you have a legitimate ground for processing and storing personal data? Super! Then you only have to file an internal declaration in the record of processing activities. This can be done with this form. The form must be completed and sent to

5. Can you still work with data from students and / or staff members?

Only when you have a legal or contractual reason for this: for example, certain financial information is necessary to be able to perform a wage administration, and you need study results to be able to issue diplomas.

6. How do you deal with personal data in scientific research?

When you have informed consent, you have a valid legal basis for processing data collected directly from participants. But beware: the informed consent you obtain must always be clear and  indicate:

  • for what purposes the data are collected
  • who has access to the data
  • how long the data is stored
  • how will you process your data: anonymous (there is no longer any link to the person), pseudonymized (via a key or that makes it possible to retrieve a link to the personal data ) or neither of these. For the latter two, please take sufficient security precautions for storage and access to the data.

As a researcher, you must also comply with the Research Data Management policy.

Other legal measures apply when you are performing research on secondary data –  i.e. data that is not collected directly from participants but from existing files or databases. For more information contact

7. What does GDPR mean when organizing an event, seminar, conference and training?


Have you gathered an impressive mailing list over the years? It is important to know that you may only send an invitation to people who have given their explicit consent for this. If this is not the case, and these people never gave permission to be part of your database, these data have to deleted from the list. If they gave permission for another reason or type of communication, you may not write them for any purpose other than that for which they gave you permission.

The central CRM database of the VUB is the best source for ‘up to date’ data. We will, for example, update this database when people decide to withdraw their consent for data processing. It is therefore important to consult the latest version of the necessary personal data via this source before every processing activity (for example: sending out an e-mail). And above all: do not keep the data longer than necessary for the purpose. Delete the list afterwards.

What if someone receives an invitation for your event when they have notconsented to be on the mailing list? Then he/she is entitled to file a complaint. And heavy fines can be imposed if the complaint is upheld.

For this reason you should always include the relevant phrases on privacy in your emails, using this disclaimer.


You process personal data with every registration for an event. When you set up the registration page or email, you have to think carefully about this:

  • What data you specifically request: the GDPR prescribes that you cannot process more data than strictly necessary.
  • What retention period is necessary? ​​The personal data you request may no longer be necessary after the event has finished. Has the administrative communication been completed? Then you must immediately delete the collected personal data, unless you explicitly asked permission to keep these for longer – and possibly for other purposes.
  • Always use this disclaimer in all your communication about your event.


The GDPR prescribes that you delete all personal data that you collected and processed in the context of an event. This applies to all of the following, and to other personal data you may have collected:

  • photos showing people in a recognizable way
  • e-mail addresses of those involved
  • Age
  • sex
  • origin
  • telephone / mobile phone number
  • function
  • bank account information

Do you want to keep these personal data? Then you have to request permission from the participants. If you used the disclaimer for the registration email, participants can already opt-in to allow their data to be used for other purposes.


Do you have permission to process and store personal data? Superb. Then you only have to file an internal declaration in the record of processing activities.

8. How do I secure my existing datasets in accordance with the new GDPR?

Follow the guidelines of the Information Security and Privacy Committee. Do you have additional questions about this? Please contact

9. What do I do if I have to deal with a data breach?

Have you lost your VUB laptop? Did you accidentally send an e-mail to the wrong people? Or did you lose your USB stick? Every situation that can lead to a data breach must be reported to as soon as possible.

Doing this, we can take the necessary steps as quickly as possible to guarantee the rights and freedoms of all parties involved.

10. Do you have any further questions regarding the application of the GDPR?

Or do you have doubts about a very specific case? Or questions about the privacy statement of the VUB? To guide everyone through the GDPR, the VUB has appointed a data protection officer. If you have any questions please contact us via and we will reply to you as soon as possible.

A link not working? Send an email to