Privacy Policy Student Library
At Student Library, your privacy is a priority. We process personal data in accordance with the General Data Protection Regulation (GDPR) and other relevant legislation. This policy informs you about what data we collect, how we use it, how we secure it, and your rights regarding your data. Please note that the contents of this policy are subject to change during the pilot version without notice.
Organization Details:
- Company name: Student Library
For questions, you can email info@student-library.nl.
1. What personal data do we collect?
We collect and process various categories of personal data.
1.1. For students, these are:
- Identification data: First name, last name, user handle, email address, phone number, avatar image, banner image.
- Role data: Role, profile description, public description.
- Work and educational experience: List of characteristics, skills, diplomas, field of study, work experience, and internships.
- Preferences and Qualities: List of characteristics, working methods, thinking styles, and social behavior.
- Interaction with the platform: Rating per vacancy, roles within the system, status within the system, and status at each step of the tutorial.
- Purpose of processing: We use this data to match you with relevant vacancies, to keep you informed about vacancies, and to provide you with the opportunity to apply.
1.2. For Business Administrators, we collect the following data:
- Identification data: First name, last name, user handle, email address, phone number, avatar image, banner image.
- Role data: Job title, profile description, public description.
- Organizational data: List of organizations you participate in, company handle, company name, Chamber of Commerce number, business sector, company slogan, company location, company profile description, company public description, date company was created, list of work culture characteristics, company status within the system, company avatar image, company banner image.
- Vacancy data: Created vacancies (on behalf of a company), vacancy title, vacancy description, vacancy location, vacancy level of thinking, vacancy minimum and maximum salary, employment type, list of vacancy characteristics, date vacancy was created, vacancy status within the system.
- Interaction with the platform: Company rating per vacancy per student.
- Purpose of processing: We use this data to match suitable candidates with your vacancies, to provide you with access to a list of potential candidates for your business, and to give you the opportunity to communicate with candidates and promote your vacancies.
1.3. For Website Visitors, we collect the following data:
- Technical data: IP address and user agent (browser information).
- Cookies: Essential cookies are used to ensure the website functions properly. These cookies are required for user authentication and authorization. The following data is stored in these cookies:
- Email address
- First name and last name
- Date of last modification of any basic information (as mentioned above or password)
- Date account was created
- Date email was confirmed
- Last login date
- Indicator if you have a weak password
- Purpose of processing: This data is collected and processed to ensure the website functions properly, to identify users, and to ensure secure access to accounts.
2. Legal grounds for processing personal data
Student Library processes personal data based on the following GDPR legal grounds:
- Consent: You give explicit consent during registration.
- Performance of a contract: Processing is necessary to deliver our matchmaking and recruitment services.
- Legal obligation: In some cases, we process data to comply with legal obligations.
3. Explanation of the Legal Grounds for Processing
- Consent (Article 6(1)(a) GDPR): This legal basis is used when users give explicit consent for specific processing activities, such as receiving marketing messages. This consent must be voluntary, informed, and specific.
- Performance of a contract (Article 6(1)(b) GDPR): This is the basis for data processing that is necessary to provide Student Library’s services. Without the processing of personal data, the services cannot be properly performed.
- Legal obligation (Article 6(1)(c) GDPR): Data processing required to comply with national laws, such as tax or labor laws, falls under this legal basis.
- Legitimate interest (Article 6(1)(f) GDPR): This legal basis is used when processing is necessary for the legitimate interests of Student Library, for example, for security or analysis. This interest must always be weighed against the rights of the individuals concerned.
4. Your rights under the GDPR
The GDPR grants you extensive rights regarding your personal data:
- Access: You have the right to know what personal data we hold about you.
- Correction: If your data is incorrect, you can request to have it corrected.
- Deletion: You can request to have your data deleted if it is no longer necessary for the purposes for which it was collected.
- Restriction: You can request a restriction of processing, for example, if more data is requested than necessary.
- Data portability: You can request to receive your data in a structured, commonly used format so you can transfer it to another service provider.
- Objection: You can object to the processing of your data, for example, for direct marketing purposes.
5. Purposes of Data Processing and Corresponding Legal Bases
5.1 Relevant for Students
5.1.1. Placement of Students with Companies
- Purpose: To match and place students with companies for work.
- Legal Basis: Performance of a contract (Article 6(1)(b) GDPR)
- Argument: To match students with vacancies and place them with companies, it is necessary to process their profile data, such as education, skills, and CV. This is essential for the performance of the contract the student has entered into with Student Library.
5.2 Relevant for Companies
5.2.1. Financial Administration
- Purpose: To carry out payments and manage financial transactions between Student Library and business partners.
- Legal Basis: Legal obligation (Article 6(1)(c) GDPR)
- Argument: Processing personal data in the financial administration, such as payment details and billing addresses, is necessary to comply with legal obligations, such as tax law and financial reporting.
5.3 Joint Benefits and Features
5.3.1. Marketing and Newsletters
- Purpose: To send marketing communications and newsletters to users who have opted in.
- Legal Basis: Consent (Article 6(1)(a) GDPR)
- Argument: For sending marketing messages and newsletters, we explicitly ask for the user’s consent. This consent can be withdrawn at any time, stopping the processing of personal data for this purpose immediately.
5.3.2. Customer Service and Support
- Purpose: To provide support to users of the platform.
- Legal Basis: Performance of a contract (Article 6(1)(b) GDPR)
- Argument: To provide customer service, such as answering queries or solving problems, we need access to certain user data. This is necessary to fulfill our contractual obligations to the user.
5.3.3. Security of the Platform
- Purpose: To ensure the security and integrity of the platform (e.g., fraud detection, data protection).
- Legal Basis: Legitimate interest (Article 6(1)(f) GDPR)
- Argument: It is in Student Library’s legitimate interest to secure the platform against misuse, unauthorized access, and other security risks. For these purposes, technical and user data (e.g., IP addresses and login activities) are processed.
5.3.4. Improving the User Experience
- Purpose: To analyze platform usage to improve the user experience.
- Legal Basis: Legitimate interest (Article 6(1)(f) GDPR)
- Argument: By analyzing data about how users interact with the platform, Student Library can make improvements that enhance the user experience. This may involve anonymizing data for statistical analysis.
5.4 Joint Responsibilities and Collaboration Aspects
5.4.1. Account Registration and Management
- Purpose: To enable users (students and companies) to create an account and use the platform.
- Legal Basis: Performance of a contract (Article 6(1)(b) GDPR)
- Argument: Processing personal data such as name, contact details, and password is necessary to fulfill the contract users enter into with Student Library during registration. Without this data, the account cannot function, and users cannot access the services.
5.4.2. Client Management and Contractual Communication
- Purpose: To communicate with companies about their contracts, arrangements, and placed students.
- Legal Basis: Performance of a contract (Article 6(1)(b) GDPR)
- Argument: Companies need to be informed about the status of students, contract details, and billing. Processing contact and company information is necessary for managing these business relationships.
5.4.3. Data Retention Period
- Purpose: To retain personal data as long as necessary for the purposes for which it was collected.
- Legal Basis: Necessary for the performance of the contract or to comply with legal obligations (Article 6(1)(b) and (c) GDPR)
- Argument: Personal data is only retained as long as necessary for the performance of the contract or as legally required (e.g., tax retention obligation). When the data is no longer needed, it is deleted or anonymized. See Article 7 of the privacy policy for further clarification.
5.4.4. Monitoring and Reporting Access Agreement (TMR)
- Purpose: Student Library may request certain business information to monitor the progress of placements and report accordingly. This is done exclusively with the explicit consent of the company and in compliance with privacy regulations.
- Legal Bases:
- Legitimate interest (Article 6(1)(f) GDPR): Student Library has a legitimate interest in ensuring the quality and progress of its services, which is necessary to fulfill its agreements with companies. By monitoring and reporting on placements, the service is continuously evaluated and improved. This interest outweighs any potential objections from the company, as explicit consent is obtained and the information is strictly used within this context.
- Consent (Article 6(1)(a) GDPR): Since the requested business information is processed solely with the company’s explicit consent, this legal basis is also applied. Companies are free to give consent, and it can be withdrawn at any time.
- Argument: There is a legitimate interest in monitoring the progress of placements, which is essential to ensure the quality of the service. Since this information is requested and processed with consent, it complies with GDPR requirements while respecting the rights of the company involved.
5.4.5. Data Retention and Responsibility of Companies
- Purpose: Student Library retains personal data for as long as the user is active on the platform. After the end of a collaboration, companies may still have access to data shared during the partnership. They are required to anonymize or delete this data when it is no longer relevant for the purposes for which it was collected.
- Legal Bases:
- Performance of a contract (Article 6(1)(b) GDPR): During the collaboration, companies need to process personal data to meet their contractual obligations to Student Library and the placed students. This data processing is necessary for the performance of the contract.
- Legal obligation (Article 6(1)(c) GDPR): Companies may be required to retain certain data for a specific period, for example, due to tax law or other legal requirements.
- Legitimate interest (Article 6(1)(f) GDPR): After the end of the collaboration, companies may have a legitimate interest in retaining data temporarily for archiving or audit purposes. However, once this data is no longer necessary, it must be anonymized or deleted. The legitimate interest must be carefully balanced against the rights of the data subjects (students).
- Argument: During the active period of collaboration, retaining personal data is essential for the performance of the contract. After the collaboration ends, the principle of data minimization applies: data must be anonymized or deleted when no longer necessary, in line with GDPR obligations. Companies may also be legally required to retain data for longer, which provides a valid legal basis.
5.4.6. Non-solicitation Clause
- Purpose: Companies working with Student Library are bound by a non-solicitation clause, meaning they may not make direct applications or hire matches and leads outside the platform. This clause protects students’ personal data from unauthorized use and ensures the confidentiality of their application process.
- Legal Bases:
- Performance of a contract (Article 6(1)(b) GDPR): The non-solicitation clause is part of the contract between Student Library and the company. The clause ensures that students’ personal data is only used in accordance with the agreements made via the platform, thus safeguarding student privacy. The processing of personal data arising from these contractual obligations is therefore necessary for the performance of the contract.
- Legitimate interest (Article 6(1)(f) GDPR): There is a legitimate interest in protecting students’ personal data from unauthorized approaches by companies outside the platform. This interest benefits both the company and the student, as it prevents misuse of personal data and unwanted applications. This legitimate interest is necessary to maintain the integrity of the platform.
- Argument: The non-solicitation clause ensures that students' personal data is used solely for its intended purpose: applications through Student Library. This protects student privacy, as companies are not permitted to use this data outside the agreed terms. The processing of this personal data is necessary for the performance of the contract, and this legitimate interest prevents breaches of the privacy of the data subjects involved.
6. Automated Decision-Making
Student Library uses automated decision-making and profiling to create optimal matches between students and companies. This system is based on the input of personal data provided by both students and companies. Students specify their qualities, such as work style, thinking style, social skills, and the type of job and company they are looking for. Companies fill in a similar list, describing their ideal candidate and the job description, as well as the characteristics of the company.
6.1. Logic of Automated Decision-Making
Based on this data, our system analyzes the similarities between student and company profiles. The algorithm weighs various factors, such as the student's stated qualities and the job requirements. By assigning different weights to these criteria, the system can identify the best matches. For example, if a student indicates they excel at teamwork, and a company is specifically looking for this skill, this match will carry more weight in the decision-making process.
Through this advanced analysis, students receive job postings that match their skills and preferences, while companies can view anonymous profiles of suitable candidates. This process ensures that companies assess students' qualities based on the information provided without directly identifying the student. Identification of the student only occurs when both parties decide to accept the match.
6.2. Feedback and Adjustment
Our system is designed to learn from feedback from both students and companies. This means that as more matches are made, the algorithm improves in understanding the preferences and expectations of users. Students can update their preferences and profiles, ensuring the system recommends relevant job opportunities that meet their current criteria.
Students and companies have access to information on how our algorithm works and how their data is used. In addition, they retain the right to object to automated decision-making and to access their data. This provides a transparent and controlled environment where both parties are actively involved in the matching process.
7. Retention Periods for Personal Data
For student data, the following applies:
Your personal data is retained as long as you use our platform and actively apply through Student Library. After terminating your student account, your personal and professional data (such as name, email address, phone number, work experience, education, and skills) will be deleted within two (2) weeks, unless there is a legal obligation to retain this data longer.
Additionally, any data shared with companies via our platform may still be in their possession. If a match between you and a company has not resulted in successful employment, and the match has been removed from the website by either party, the company is contractually obligated to delete all data stored outside of the website. You also have the right to request that the company delete this data directly at any time.
Students also have the right to request the deletion of certain data. The guideline is to act on such a request within one (1) month of receiving the email. We will send an acknowledgment of receipt. If the guideline cannot be met, you will be notified in time, and the deadline may be extended by a maximum of two months. After executing your request, we will inform you of the outcome.
To request the deletion of personal data or an account, including all associated data, you must send an email to: info@student-library.nl.
For our business partners, the following retention periods apply:
- Financial data (such as invoices and payment information): This is retained for seven (7) years, in compliance with tax legislation.
- Contractual data (such as signed agreements between Student Library and companies): This is retained for five (5) years after the end of the partnership for legal purposes.
- Anonymous data: For internal analysis, anonymized data may be retained indefinitely, provided it is not traceable to an individual.
To request the deletion of personal data or an account, including all associated data, you must send an email to: info@student-library.nl.
8. Security of Personal Data
Student Library takes appropriate measures to protect your data, including:
- Encryption of sensitive data.
- Limiting access to data to authorized personnel only.
- Pseudonymization where possible.
- Regular audits of our security systems.
- All personal data is encrypted in the standard database using AES-256.
- Network connections are secured via SSL.
In the event of a data breach, we will report this as soon as possible to the Dutch Data Protection Authority and, if necessary, to the affected individuals.
9. Disclosure of Student Data to Third Parties
We only share student personal data with third parties when necessary for our services, such as:
- Employers interested in your profile.
- External service providers, such as hosting providers (Supabase, Amazon Web Services, Vimexx).
Your data will not be sold or shared with third parties without your explicit consent unless required by law. If data is processed outside the European Economic Area (EEA), we ensure an appropriate level of protection.
10. Data Processors and Processor Agreements
We have signed data processor agreements with all processors (external parties that process personal data on our behalf). These agreements stipulate that these partner companies act solely based on our instructions and take appropriate technical and organizational measures to secure the data.
11. Data Breaches
In the event of a severe data breach that poses a risk to the rights and freedoms of individuals, we will report it to the Dutch Data Protection Authority and, where relevant, to the individuals concerned. We have procedures in place to identify, report, and resolve data breaches promptly.
12. Data Subject Rights and Access to Data
Data subjects (users, clients, or other individuals whose data we process) have the right to be informed about the collection of their personal data and may request access, correction, deletion, or restriction of their data. We aim to handle all requests within one (1) month, in line with GDPR requirements.
13. International Data Transfers
Student Library is committed to protecting your personal data, regardless of where it is processed. In some cases, it may be necessary to transfer your personal data to countries outside the European Economic Area (EEA). This could happen, for example, when you apply for a job abroad.
Example: Suppose you apply for an internship at a company based in New York. To process your application, we need to share your personal data (such as your CV and contact details) with this company.
When we transfer your data outside the EEA, we ensure that appropriate safeguards are in place to maintain a high level of protection, in accordance with the General Data Protection Regulation (GDPR).
These safeguards include:
- Standard Contractual Clauses: We use Standard Contractual Clauses approved by the European Commission to ensure that recipients outside the EEA adequately protect your personal data.
- Binding Corporate Rules (BCRs): For transfers within an international group of companies, we use Binding Corporate Rules that have been approved by the relevant supervisory authorities.
- Similar mechanisms: In cases where a third country has received an adequacy decision from the European Commission, your information is transferred safely.
If you would like more information on the specific safeguards used for a particular transfer, you can contact us at info@student-library.nl.
14. Privacy by Design & Default
We adhere to the principles of Privacy by Design and Privacy by Default. This means that we place privacy protection at the core of our service development. Data processing is limited to what is necessary for the specific purpose, and default settings are aimed at maximizing the protection of your personal data.
14.1. Privacy by Design:
- Focus on Essential Data: We identify and collect only the personal data crucial for matching students with vacancies. Instead of personal information such as name, ethnicity, or gender, our matching system focuses on relevant student qualities and skills important for recruitment processes.
- Risk Analysis in Development: When developing new features, we conduct a privacy risk analysis prior to launch. This helps us minimize potential risks to users' privacy, particularly in the context of data exchange between students and companies.
14.2. Privacy by Default:
- Automatic Privacy Settings: Our systems are configured with privacy-friendly default settings. This means that when profiles are created, only the necessary data for matching is collected, and unnecessary questions or data fields are eliminated.
- Data Minimization: We apply a strict data minimization policy. We do not collect any additional personal data that is not essential for the functioning of our services. This prevents the recording of unnecessary or sensitive information.
- Use of Anonymization: When sharing data with companies, we ensure that this information is anonymized, preventing personal identification of students. This enhances privacy protection and fosters trust in our platform.
- Transparency and Consent: We inform users about what data is being collected and why. Students have the ability to manage their preferences and withdraw their consent at any time, giving them greater control over their personal data.
By implementing privacy by design and privacy by default, we aim to ensure the trust of our users in Student Library and provide them with the assurance that their personal data is handled with care.
15. Contact Information and Complaints
For questions about our privacy policy or to exercise your rights, you can contact us via:
- Email: info@student-library.nl
If you believe that we are not processing your data correctly, you have the right to file a complaint with the Dutch Data Protection Authority. Article 4.4 of the general terms and conditions provides a detailed description of our complaints procedure.
16. Changes to the Privacy Policy
This privacy policy may be amended periodically. We will inform users in a timely manner via email about substantial changes so that you are always aware of how we process your personal data.