Privacy Statement Rotterdam School of Management, Erasmus University

This privacy statement applies to Rotterdam School of Management, Erasmus University, and to Rotterdam School of Management B.V. jointly, hereinafter referred to as ‘RSM’.

This privacy statement details the purposes for which RSM processes personal data, whose personal data we process, what kind of data we process, how you can exercise your privacy rights, and other important information relating to your privacy and personal data.

  • For most of the purposes described below, RSM is ‘controller’ according to the definition in the EU’s General Data Protection Regulation (GDPR). This means RSM determines the goals and means for the processing of personal data of all categories of data subjects. This is described in the section Whose personal data is processed by RSM?, below. We consider it to be essential that everyone’s personal data is handled and secured with the greatest care. We also want to be transparent about the way in which we process your data.

    RSM’s compliance with the GDPR is supervised by the Data Protection Officer of the Erasmus University Rotterdam (EUR). Click here for more information about how data protection at the EUR is supervised.

  • RSM processes data from these data subjects:

    • prospective students
    • current students
    • alumni
    • research participants
    • job applicants and employees
    • external parties, including third parties
    • visitors to RSM websites.
  • Here is the list of the kind of personal data we process. The level of processing depends on the level of the individual’s involvement with RSM:

    Category Examples
    Personal identification data Name, date of birth
    Contact details Email address, home address, phone number
    Imagery Photographs, videos
    Financial data Bank account number, payments
    Educational data Examinations, diplomas, graduation certificates
    Research data Questionnaires, data sets
    Employment data Curricula Vitae, resumés, labour contracts
    Digital data Cookies, IP addresses, account logs

    Some categories listed above may include special categories of personal data. Additional conditions may apply to this usage.

  • RSM may process personal data for three main purposes, and for several subprocesses within those main purposes. They are:

    Education & Education-Support

    Registration, planning, education execution (e.g. lectures), and assessments. Recruitment, counselling, certification, alumni management, and accreditations and rankings.

    Scientific Research

    Research design, data collection and analysis, publication and archiving.

    Business Operations

    Financial management, IT management, relationship management and communications, security on campus in buildings and other facilities, human resource management (recruitment and selection, employee administration), legal affairs and contract management, and organisational analysis, development and management reports.

  • Read more about how RSM processes your data depending on your connection with RSM. It explains the goal of the activity, which personal data is processed, its source and how long your data is retained. If you have any questions, remarks and/or complaints regarding the processing of your personal data, please do not hesitate to contact privacy@eur.nl.

     

     

     

     

  • Third parties may provide some data processing services as part of their instructions from, or agreements and contracts with RSM. RSM makes these contracts and agreements with third party processors to ensure that personal data is handled confidentially and with due care. These agreements are described in ‘processor’s agreements'.

    Individual’s personal data will not be leased, sold or shared in any way, nor will it be provided to third parties. RSM may share individuals’ personal data with third parties only if it is granted specific permission by the individual, if it is required by law, or if this is necessary for the execution of the agreement.

    RSM provides personal data to enforcement authorities and fraud control organisations if required to comply with a statutory obligation.

    In some cases, third parties may be located outside of the European Union. In these cases, RSM will take appropriate measures to protect personal data.

  • As a data subject, you have several rights under GDPR. To exercise one of your rights, please click here.

    Response time

    First you will be asked to identify yourself. Your query will be answered by the RSM Privacy Team within 30 days. We may extend our decision-making period by another two months if this is necessary for us to formulate an acceptable and useful response.

    Right to withdraw consent

    You have the right to withdraw your consent for us to process your data at any time. Withdrawing your consent after processing has started does not mean that any processing of your personal data before you withdrew your consent was unlawful.

    Right of access

    You have the right to know if personal data concerning you is being processed. If your data is being processed, you have the right to access it.

    Right to rectification

    You have the right to rectify inaccurate personal data that concerns you. You also have the right to insist that incomplete data about you should be completed, according to the purposes of the processing.

    Right to restriction of processing

    You have the right to obtain restriction of processing of your personal data where one of the following applies:

    • You contest the accuracy of the personal data, in which case we will pause the processing of your data until we have verified its accuracy;
    • The processing is unlawful and you do not want us to erase your personal data;
    • We no longer need your personal data for the purposes of processing, but you require us to store the data in order to establish, exercise, or defend a legal claim;
    • You have objected to the processing in accordance with your right to object (as set out in the next paragraph) and you are waiting to find out if RSM’s legitimate grounds override yours.

    Right to object

    If RSM has a legitimate interest in processing your personal data, you have the right to object to its processing because of grounds relating to your particular situation. We will halt the processing of your personal data unless we demonstrate compelling legitimate grounds for continuing its processing which override your interests, rights and freedoms, or unless we need the data to establish, exercise, or defend a legal claim.

    If you execute your right to object, RSM will weigh your interests against the interests of RSM or the interests of relevant third parties.

    Right to be forgotten

    In some cases, you have the right to be forgotten. This means that we must erase all of your personal data from our records and systems. You have the right to be forgotten in the following cases:

    • Your personal data are no longer necessary for the purposes for which they were collected;
    • If the processing was based on consent, and you withdraw your consent, and we have no other grounds for processing;
    • The personal data have been unlawfully processed;
    • The retention period has expired.

    You do not have the right to demand RSM to erase your personal data, if RSM has a legal obligation to process your data, or if the data is necessary to establish, exercise, or defend a legal claim.

    Right to data portability

    Insofar that RSM processes your data (by automated means) based on your consent, or to execute a contract we have with you, you have the right to receive the data that you have provided to us in a structured, commonly used and machine-readable format. You may also ask us to transfer the data straight to another controller.

    Right to file a complaint

    You always have the right to file a complaint with the Data Protection Authority (in the Netherlands, this is the Autoriteit Persoonsgegevens). However, if you have any issues, questions or remarks about RSM’s processing of your data, please contact us first (privacy@eur.nl). We take your privacy seriously.

  • Please contact us at privacy@eur.nl if you have questions or comments about this privacy statement and/or the processing of your personal data.