Privacy & Information Security

  • WMO
  • Non-WMO

The Team of Privacy Protection and Information Security (Privacybescherming en informatiebeveiliging-PB&IB) advises and supports the Executive Board, the management and the work floor with regard to privacy protection and information security. PB&IB has an important advisory and supervisory role that is performed in accordance with legislation and regulations (including the GDP and NEN7510).

Research walk-in hours:
On Mondays there is a digital "walk-in hour" for short questions with a maximum of 15 minutes per conversation. The office hours are from 3:00 PM to 4:00 PM. If you want to make use of this, send an e-mail to (use this e-mail address for scheduling purposes) with 'walk-in hours' in the subject. You will receive a Teams invitation as confirmation.

Questions that take more than 15 minutes will require a seperate session.

More information about PB&IB can be found on their intranetpage.

Verwerkingsregister (Data Processing Register)

      According to the General Data Protection Regulation (GDPR in Dutch AVG), Amsterdam UMC must keep a record of all data processing that contains personal data, including the privacy measures taken, suppliers engaged, retention periods and any transfer to third parties, etc.
      Any intended data processing must be reported to the Verwerkingsregister (Data Processing Register) formerly know as the ‘Centraal Meldpunt Gegevensverwerking (CMG register).

      To register in the "Verwerkingsregister" you need an account.

      • Click here to register a data processing in K2.iProva (green thumb).
      • Click here for more information about this registration form in K2.iProva (green thumb)

      More explanation and details on what and why to report and how your registration is processed you can find here.


      The Data Protection Impact Assessment (DPIA) is an instrument (questionnaire) to asses the privacy risks of personal data that will be processed during the research.  

      Since June 2023 an abbreviated DPIA is no longer required for some clinical trials*.

      Enter 'wordt getoetst door METC' in het 'Verwerkingsregister". The DPIA question will then no longer appear. The abbreviated DPIA no longer needs to be send separately to the PB&IB team.

        *The extensive DPIA is for more complex clinical trials and other matters that do not concern research and must be sent to the Data Protection Officer (in Dutch Functionaris Gegevensbescherming FG) for advice. Before advice is sought, send the research protocol to the FG. The extended DPIA is mandatory in the following cases, among others; international registrations, websites and apps, research with employee data and when Cloud facilities are used. If you have any questions please send an e-mail to


        If you will be using an IT system that has not yet been authorised by Amsterdam UMC for processing personal data during your investigation, then you will also need to complete a BIV classification.

        BIV classification is an instrument (a questionnaire) that is used to determine which level of security should be used with regard to the processing of personal data and in order to ensure the availability, integrity and confidentiality of the data and the (IT)systems with which the personal data are processed are appropriately secured.

        More explanation and the BIV classification questionnaire can be found here.