Privacy & Information Security

The Privacy Protection and Information Security team (Privacybescherming en informatiebeveiliging, PB&IB) advises and supports the Executive Board, the management and the work floor with regard to privacy protection and information security. PB&IB has an important advisory and supervisory role, which it performs in accordance with legislation and regulations (including the GDPR and NEN7510).

The former Research walk-in consultation hours have stopped. Making an appointment with the Data Protection Officer remains possible under certain conditions. Send your request to privacy@amsterdamumc.nl. Clearly describe your question and, if available, add information that supports it, e.g. a data flowchart or information about the team that advised you to contact team PB&IB.

More information can be found on the following pages:

Verwerkingsregister (Data Processing Register)

      According to the General Data Protection Regulation (GDPR; in Dutch, AVG), Amsterdam UMC must keep a record of all data processing that contains personal data, including the privacy measures taken, suppliers engaged, retention periods and any transfer to third parties, etc.
      Any intended data processing must be reported to the Verwerkingsregister (Data Processing Register), formerly known as the 'Centraal Meldpunt Gegevensverwerking' (CMG register).

      To register in the "Verwerkingsregister" you need an amsterdamumc.nl account.

      • Click here to register a data processing in K2.iProva (green thumb).
      • Click here for more information about this registration form in K2.iProva (green thumb).

      More explanation and details on what to report, why to report it, and how your registration is processed can be found here.

      DPIA

      The Data Protection Impact Assessment (DPIA) is an instrument (questionnaire) to assess the privacy risks of personal data that will be processed during the research.

      Since June 2023 an abbreviated DPIA is no longer required for some clinical trials*.

      Enter 'wordt getoetst door METC' in the 'Verwerkingsregister'. The DPIA question will then no longer appear. The abbreviated DPIA no longer needs to be sent separately to the PB&IB team.

        *The extensive DPIA is for more complex clinical trials and other matters that do not concern research, and must be sent to the Data Protection Officer (in Dutch: Functionaris Gegevensbescherming, FG) for advice. Before advice is sought, send the research protocol to the FG. The extended DPIA is mandatory in the following cases, among others: international registrations, websites and apps, research with employee data, and when Cloud facilities are used. If you have any questions, please send an e-mail to privacy@amsterdamumc.nl.

        BIV-Classification

        If you will be using an IT system that has not yet been authorised by Amsterdam UMC for processing personal data during your investigation, then you will also need to complete a BIV classification.

        BIV classification is an instrument (a questionnaire) used to determine which level of security should apply to the processing of personal data, in order to ensure the availability, integrity and confidentiality of the data and to ensure that the (IT) systems with which the personal data are processed are appropriately secured.

        More explanation and the BIV classification questionnaire can be found here.