The service must ensure the privacy of its users, especially in the context of the GDPR.

 

Why is it important?

Users should feel free to use the service without traces of their data being retained and reused without permission. We have a legal obligation to follow GDPR rules to build trustworthiness and safety of our services.

 

What to do?

  • When procuring or renewing (third-party) services, you are obliged to ensure that any data storage is done within the framework of the GDPR.
  • When procuring or renewing third-party services, ensure that a Data Processing Agreement is completed (https://www.tudelft.nl/en/privacy-security/privacy/data-processing-agreement). Work together with ICT and Legal services to get a Data Processing Agreement in place.
  • Clearly document what data the service is collecting and for how long, asking permission where relevant.
  • For services managing digital assets with complex rights (such as more users for different assets), ensure the service respects the different rights related to the asset.