1. Introduction
This privacy statement explains how the CEM Projects Portal (the "Portal") processes and protects personal data. The Portal is managed by the Computational and Experimental Mechanics (CEM) Division within the Department of Mechanical Engineering of Eindhoven University of Technology (TU/e).
The Portal supports students enrolled in an academic program in selecting a thesis/graduation project. The Portal is designed to process as little personal data as possible. We do not create user profiles and we do not use tracking or analytics to analyse or profile visitor behaviour.
2. Controller
The TU/e Executive Board is the controller within the meaning of the GDPR for the processing activities described in this privacy statement. The CEM Division manages the Portal on behalf of TU/e.
Correspondence address:
Eindhoven University of Technology (TU/e)
Computational and Experimental Mechanics (CEM) Division
Department of Mechanical Engineering
PO Box 513
5600 MB Eindhoven
The Netherlands
For questions regarding this privacy statement or the processing within the Portal, you may contact: J. (Joris) Remmers.
For questions or exercising your privacy rights: privacy@tue.nl.
For complaints: dataprotectionofficer@tue.nl.
3. Authentication and Identity Provider
The Portal uses SURFconext for authentication via Security Assertion Markup Language (SAML). SURFconext enables secure single sign-on (SSO) for education and research institutions in the Netherlands.
When you sign in to the Portal:
- You are redirected to SURFconext for authentication.
- SURFconext verifies your identity via your home institution (e.g. TU/e).
- After successful authentication, SURFconext provides the Portal with a SAML assertion containing the minimum necessary attributes.
We only process the minimum required data for affiliation verification and access control, such as:
- A persistent identifier (pseudonym) to link your session.
- Institutional affiliation (e.g. student/staff) to grant access.
We do not store your password. Authentication is handled by SURFconext and your home institution.
4. Which personal data do we process?
As a general principle, the Portal does not process personal data in the sense of creating user profiles or storing identifying information on a long-term basis. However, during the authentication process we temporarily process a limited set of personal data provided via SURFconext (such as a persistent identifier and affiliation) in order to verify whether you are allowed to access the Portal.
This authentication data is used solely for granting access and security. It is not used for tracking, profiling, or analysing individual usage.
Information entered via filters or search functionality (such as project type, tags, sections, or other search criteria) is not stored on a long-term basis as personal data and is not linked to your identity or used for tracking/profiling.
Technical logs (such as web server logs and error logs) may temporarily contain IP addresses and technical metadata for security, abuse prevention, and troubleshooting purposes. This data is not used for tracking or profiling.
5. Purposes and legal basis
We process data only for the following purposes:
- Affiliation verification and access control: to verify that you are a TU/e member (or otherwise authorised) and to grant access to the Portal.
  Legal basis: performance of a task carried out in the public interest (Article 6(1)(e) GDPR), namely supporting educational activities for enrolled students in selecting a thesis/graduation project and securely offering an internal Portal.
- Security and continuity: to keep the Portal secure and reliable, prevent abuse, and detect and resolve technical issues.
  Legal basis: performance of a task carried out in the public interest (Article 6(1)(e) GDPR) and, where appropriate, legitimate interest (Article 6(1)(f) GDPR) in securing systems and services.
The Portal does not create user profiles and does not use tracking or analytics for behavioural analysis or profiling.
6. Data sharing and access
We do not share personal data for commercial purposes and we do not provide personal data to third parties for tracking, marketing, or profiling.
For authentication, we use SURFconext. Necessary attributes are transferred from your home institution via SURFconext to the Portal in order to grant access.
6.1 Access within TU/e
Within TU/e, functional and technical administrators may have access to administrative functionality and (where required) technical data for management, support, security, and troubleshooting purposes. Such access is limited to what is necessary to perform their tasks and is subject to internal authorisations and access controls.
6.2 Service providers (processors)
We may use external service providers (e.g. hosting providers) for technical infrastructure. If such parties process personal data on behalf of TU/e, appropriate arrangements are made in line with TU/e policy (such as a data processing agreement) and appropriate security measures.
We do not sell, rent, or commercialise personal data.
7. Retention periods
Authentication attributes processed via SURFconext are used only during sign-in and the active session and are not stored on a long-term basis in a user database or profile.
Technical logs (such as web server logs and error logs) may be retained temporarily for security and troubleshooting. These logs are retained for a limited time and deleted periodically in accordance with applicable TU/e retention policies and operational necessity.
Because the Portal does not maintain user profiles, in practice there is typically no long-term stored personal data within the Portal to delete upon request.
8. Your rights
Under the General Data Protection Regulation (GDPR), you may have (depending on the circumstances) the following rights:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to object
- Right to data portability (where applicable)
- Rights related to automated decision-making and profiling (where applicable)
Because the Portal does not create user profiles and does not store personal data on a long-term basis, some rights may have limited practical applicability within the Portal itself. If your request concerns authentication data held by your home institution or SURFconext, it may be necessary to handle your request (partly) via those parties.
For questions or exercising your rights, please contact: privacy@tue.nl.
You have the right to submit a complaint to the Data Protection Officer via: dataprotectionofficer@tue.nl, and to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe your data protection rights have been violated.
9. Data security
We implement appropriate technical and organisational measures to ensure secure operation of the Portal. These measures include:
- Encryption of data in transit (HTTPS/TLS)
- Secure authentication via SURFconext
- Access controls and authentication requirements for Portal access
- Regular security reviews and updates
- Secure hosting infrastructure and hardening where appropriate
No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we apply appropriate safeguards in line with the state of the art and the level of risk.
10. Cookies and similar technologies
The Portal uses only functional cookies and similar technologies that are necessary for the operation of the website, including:
- Maintaining your session and authentication status during your visit
- Ensuring the correct and secure functioning of the Portal
We do not use cookies for tracking, marketing, or profiling. Session cookies are intended for the active session and are not used to follow visitors across websites.
You can manage cookies via your browser settings. Disabling certain functional cookies may affect the operation of the Portal.
11. International transfers
The Portal is intended for use within the European Economic Area (EEA). Authentication via SURFconext takes place within the EEA. We do not intend to transfer personal data outside the EEA as part of the standard functionality of the Portal.
12. Changes to this statement
We may update this privacy statement from time to time. We will publish significant changes on this page and update the "Last updated" date. We recommend reviewing this statement periodically.
13. Contact details
If you have questions or concerns about this privacy statement, or if you wish to exercise your rights, you may contact:
J. (Joris) Remmers
Computational and Experimental Mechanics (CEM) Division
Eindhoven University of Technology
For questions or exercising your privacy rights: privacy@tue.nl.
For complaints: dataprotectionofficer@tue.nl.
For technical support, please contact: B. (Bart) Verhaegh