The persons whose information is processed are usually referred to as 'data subjects'. In the UvA's case, these persons include employees, students, guests, visitors and external relations, but also scientific research subjects.
By 'personal data', we mean all information on the basis of which someone can be identified or which can be directly or indirectly traced back to a natural person. This information includes a name, identification number, telephone number, assessments and research data, but also a combination of data which can jointly result in an image so unique that it can only relate to one person.
Processing includes any act involving personal data. Such acts include collecting, recording, structuring, storing, changing, requesting and deleting data.
Processors are the entities that perform the processing. While the UvA usually acts as the processor itself, the UvA often engages an external party for the processing. As the processor has an executive task, it has no control over the manner in which data are processed. Both controllers and processors must comply with various obligations. For example, processing at the UvA is subject to a registration obligation (keeping a record of the processing that takes place) and must be properly secured.
The controller – which, in this case, is the UvA – is the party that determines the objective and the means of processing. The GDPR imposes obligations on controllers. For example, as a controller, the UvA has a registration obligation, the obligation to appoint a Data Protection Officer (Functionaris Gegevensbescherming, FG – firstname.lastname@example.org), the obligation to secure the systems properly and the obligation to comply with the rights of data subjects.
When the UvA engages an external processor or the UvA itself acts as a processor for a third party, an agreement is drawn up to provide for the rights of the data subjects. In a so-called 'processing agreement', the objective, the duration and the extent of processing are laid down, while arrangements are made on the retention periods and the security measures for the personal data.