The Dutch Data Protection Authority has made a list of processing operations for which carrying out a DPIA is always mandatory. Check whether or not your processing operation meets at least two of the criteria in that list. If it does not, you have to assess for yourself whether your processing operation results in a high risk to data subjects. You can ask the faculty privacy officer for advice.