“TU/e more aware of data protection”

Data protection officer gives a glimpse into her work at university

Laura Hooijen-de Vries is a data protection officer at TU/e. She monitors whether personal data is handled in accordance with the General Data Protection Regulation (GDPR) at the university. “The major data breach involving ID-Ware in 2022 was ‘necessary’ to get things into gear. Since then, professionalization within the organization has been on the rise.”

“When the GDPR went into effect, people at TU/e generally thought they were GDPR-compliant,” says Hooijen. “But it turned out there were still steps to be taken to comply with it. The major data breach involving access card company ID-Ware in 2022 was ‘necessary’ to get things into gear. Since then, professionalization within the organization has been on the rise, as evidenced by the expansion of the privacy team and front-line teams such as DDCs (Data Domain Coordinators, ed.) and data stewards. I also see that awareness about data protection has grown on campus and within TU/e.”

In society, on the one hand, we see people who are very conscious of their privacy. But once things are on the internet, they often don’t manage to remove them. On the other hand, there’s a large group that thinks things aren’t all that bad. “When it comes to the many phishing emails, some people are like ‘Oh well, it’s ‘just’ an email.’ However, in this day and age, with a lot of personal data on social media, criminals can send a very personalized message to you and you’re much more likely to click on a link and/or share data. As a result, identity fraud is increasing,” Hooijen notes.

“I know people are quick to say that they have nothing to hide, but when I ask them for their PIN code, it turns out that’s not true after all. They see ‘hiding’ as something negative, but you have to see it as a protection, which is actually a good thing,” the data protection officer continues.

Recommendations and supervision

A data protection officer spends a lot of time on issuing recommendations, for example on Data Protection Impact Assessments (DPIAs). This is a tool that identifies privacy risks of a data processing operation in advance. “It may concern a research DPIA or a DPIA that deals with processing in tooling such as tracking systems for job applicants or a parking system. Examples of relevant research are studies involving vulnerable groups such as children or elderly people with dementia and/or special personal data such as religion or health data.”

In addition to giving recommendations, Hooijen also performs supervision. “In my first year, I mostly did so on an ad-hoc basis because I still had to get to know the organization, but as of this year I’ve also been doing it on a structural basis. So then it concerns pre-planned supervision.”

She supervises different university divisions. “This year, I’m monitoring HR, Biomedical Engineering, and processing registries at the services.” Just because she’s supervising a particular division doesn’t mean there’s a problem there. “I chose Biomedical Engineering because a pilot took place at that department on the use of processing registries and for their own privacy maturity measurement. That allows for focused supervision. If they don’t have anything in place yet, it’s better to start by giving recommendations,” the data protection officer says.

The specific reason for choosing HR is that a relatively large amount of personal data (including special personal data) passes through that service. For example, this service keeps track of on- and off-boarding and of absenteeism due to employee illness. Health data is an example of special personal data that gives rise to additional requirements for processing. “And I also think this is a division that should be at the forefront of privacy,” she says.

Cameras

Cameras can be found all over the place these days, including on campus. Hooijen: “That’s a typical domain in which privacy plays an important role. Among other things, I advised Real Estate and Facility Management to better communicate that there are cameras on campus, because it’s easy to overlook the small sign that was put up. Most of the recommendations are being followed. In addition, there was a camera hanging near Korein daycare that could be filming children playing, an especially vulnerable target group. Then I ask questions about what exactly that camera is filming and why it was placed there. They gave me a good explanation, so then it was okay. The GDPR actually allows a lot, but you have to be able to give a proper explanation of how you process the data and why.”

Whereas most people have a manager who, to a greater or lesser extent, decides what they should do at work, this isn’t the case for the data protection officer. Given she has a control function, it wouldn’t be appropriate to take orders from a manager in her role. For data protection officers, there is special dismissal protection in the GDPR that ensures they can’t be fired for doing their job. “But if I don’t do my job according to the job description, of course I can be fired. This dismissal protection gives you the ability to be critical in your control role.”

Awareness

“Since the transition from the Data Protection Act to the General Data Protection Regulation (GDPR) in 2018, there have been more enforcement opportunities for the regulator (Dutch Data Protection Authority). Combine this with a society in which people are more online and more aware of their privacy, and we see organizations making more and more policies in this area.”

The data protection officer doesn’t make policy, but performs supervision and makes recommendations on whether something is desirable. The organization receiving those recommendations, in this case TU/e, is responsible for the final policy and its implementation. “Nowadays, for example, the privacy team draws up a Risk Assessment & Evaluation if there appear to be residual risks after a DPIA. A division director can then decide to accept those risks, but they must put that in writing. Similarly, if someone wants to deviate from a recommendation by the data protection officer, this must be recorded. That act creates more awareness of one’s own actions.”

Complaint

Can staff contact the data protection officer, and does that ever happen? “Sure. If you have a complaint about how your data is processed within TU/e, there are different ways to lodge that complaint. You can do so with the relevant division where the problem occurred or with the privacy team, but you can also report the complaint directly to me.

This also applies if you’re not satisfied with how your ‘data subject rights’ have been handled. This concerns, for example, requests for access to your personal data held by the organization or deletion of certain data. The privacy team makes sure such requests end up in the right place within the organization, but if you’re not satisfied with how things have been handled, you can file an objection or contact me.”

Hooijen is bound to secrecy in her position, also by the law. “If a complaint comes in, I don’t just go and talk to people. First, I consult with the person making the report about whether they’re okay with it. Then I’ll investigate the complaint. This may result in a recommendation to the organization.” Such a recommendation is significant, but not binding. Only the Data Protection Authority can give a binding recommendation, to stop a certain type of processing for instance.
