As adopted on the 1667th board meeting of Study Association GEWIS, valid from October 31, 2023
We respect your privacy and we process your personal data only with the purpose for which you have shared your data. In this privacy statement, we aim to make it clear what personal data we collect and store and for what purpose.
Various activities are employed within GEWIS. Different categories of personal data are processed within these activities. Unless otherwise noted, processing happens on the ground of legitimate interest.
Upon becoming a Member, Graduate or Contributor, one has to provide their personal details. This data includes: name, email address, phone number, birth date, postal address and year of becoming a member (generation). These details will be stored in the membership database. These details will be used by GEWIS to contact Members, Graduates or Contributors. Furthermore, the details may be used for the other processes listed in this privacy statement.
This data will be stored for up to 2 years after a data subject is no longer a Member, Graduate or Contributor. In the case that the association will be disbanded, the names of Members and Graduates will be stored for up to 7 years if they are mentioned in a decision.
To verify whether a Member meets the requirements in the Articles of Association, their TU/e username and current study are requested upon subscription. This data will be periodically shared with the TU/e student administration to verify whether a member still meets the requirements. For this, a (prospective) Member’s approval is asked when registering for GEWIS. It is also possible to supply GEWIS with another proof of enrollment at the department.
This data will be stored for up to 2 years after a subject is no longer a Member or Graduate.
Members and Contributors may be offered the opportunity to pay their membership fee or voluntary contribution respectively using a SEPA Direct Debit. If a (prospective) Member or Contributor opts for this method, their international bank account number (IBAN) will be stored in the membership database. This data will be used only for direct debits and may be shared with external payment providers. In those cases, the providers will be contractually required to use the data only for processing payments for GEWIS.
The bank account number will be stored up to 2 years after a subject is no longer a Member, Graduate or Contributor. However, financial data will always be stored for at most 8 years to comply with legal obligations regarding taxes.
Members may be allowed to look up fellow Members (or Graduates) on the GEWIS Website. In these cases, the name, , date of birth and year of becoming a member is provided. Current and historic organ membership as follows from the minutes as meant in subsection 2.13 may also be displayed.
On the GEWIS Website, a list with the names and ages of Members and Graduates who celebrate their birthday on the current day may be shown. This list may be shown to Members.
Members and Graduates can join Activities organized by GEWIS. If a Member or Graduate wishes to participate, personal data of this Member or Graduate gets processed. For most activities, Members or Graduates can subscribe through the GEWIS Website and will be asked for some data. This data consists of names, whether a participant is a member and email addresses and may include other information such as dietary wishes. The Organizer can mark certain information as ‘sensitive’; this information is only visible to the Member or Graduate and shared with the Board and the Organizer. The goal of this information sharing is for the organization of an activity as well as communication with Participants. The names of the people registered for an activity are also shared with other Members and Graduates. The goal of this is to inform potential Participants who else is going to participate.
Unless explicitly noted during subscription (e.g. for activities that require named tickets), the data will not be shared with external parties.
This data will be stored for up to 2 years after a subject is no longer a Member or Graduate, but at most 5 years after an Activity ended or was planned.
For some activities, it is also possible that a non-Member joins. The same conditions as in the rest of subsection 2.2 apply. In addition, the names of external participants are shared with all visitors of the GEWIS Website. Data will be stored for at most 5 years after an Activity ended or was planned.
On behalf of the Department of M&CS and GEWIS, GEWIS may organize parent days. Parents/guardians of students (Members) may be invited to these events to experience a day in the life of students. To invite them, email and postal addresses from the membership administration may be used. Due to its sensitive nature, the data will not be shared with the Organizer, but instead be processed by the Board. This data is processed on the ground of legitimate interest.
Persons who want to participate in the parent days can subscribe. In those cases, their names, email addresses, phone number and name(s) of their child(ren) will be processed. This data may be accessed by the Organizer and the Board. This data is processed on the ground of consent.
The data is stored for up to three weeks after the event took place.
During Activities and other events of GEWIS, pictures may be taken. In the pictures, people may be identifiable. The photos serve as a memory of the activity. The photo archive is accessible to Members. Additionally, Graduates can access the photos from the association years in which they were a member. Graduates can also access photo albums in which they are tagged in a picture. Furthermore, each week a photo of the week is picked which is accessible publicly on the homepage. If a subject wishes not to be photographed, they can indicate so to the photographer. In those cases, no pictures where they are identifiable will be taken. The pictures will be stored for an undetermined amount of time.
Members are given the option to tag themselves and other Members or Graduates in photos to indicate that someone is in a picture. These tags allow people to see all photos with a specific person quickly. Tags are only visible to Members and Graduates. If a photo is shown on the home page, the tags will not be publicly visible.
This data will be stored for up to 2 years after a subject is no longer a Member or Graduate.
A yearbook is made to commemorate a year with pictures and stories. The yearbook may contain a chapter called "smoelenboek" which shows a picture, name, and the organs an Active member (or first-year Member) was in during the year unless the Member opted out. This chapter is shared with all active Members through the yearbook, but not with external parties. They receive an alternative edition of the yearbook without this chapter.
The yearbook contains stories written by organs with their name and a picture included. This information is shared with active members, as well as external parties.
The yearbooks with the data are accessible by recipients of the yearbook and in the GEWIS archive permanently.
On behalf of the TU/e and the Department of M&CS, GEWIS arranges book sales. For this, GEWIS and FSE collaborate with an external book supplier. By law, the book supplier is only allowed to sell books with a discount if the student is a studying member of GEWIS. Therefore, GEWIS will verify the orders of the books. For this, a list with names and email addresses is processed. This information is only shared with the Board and stored for at most 1 year after ordering the books. A count of orders and book numbers may be shared with FSE for evaluation purposes and be stored for an undetermined period of time.
Furthermore, to be able to allow members to pick up books in the GEWIS room, GEWIS will process a list of orders. This list contains names, email addresses, and the books ordered. This list will be shared with the Board and Room responsibles (or other Members) that hand out books. This data will be stored for three years (the period in which books can be picked up).
A committee of GEWIS makes a magazine with pictures and stories: the Supremum. These magazines are sent to the home addresses of active Members, Contributors and some companies. The names and addresses of recipients are shared with the Board, the committee member responsible for contact with the printing company, and the external printing company. This data is stored for at most 1 month after the magazines have been sent.
The Supremum may contain quotes made by Members with their names. This is viewable by all readers of the magazine, which includes all Members and external parties such as companies GEWIS collaborates with, Contributors and the Department of M&CS or other TU/e staff. Additionally, the archive of quotes may be published on the GEWIS Websites; if this is the case, the archive is only accessible to Members. The magazines may contain stories written by Members or non-Members with their names and pictures included. This information is shared with all recipients of the magazines.
The Supremum is accessible by recipients of the magazines permanently. Furthermore, the archive of Supremum may be published publicly on the GEWIS Websites.
Within the GEWIS room, one or more cameras may be installed. These cameras may record video footage of subjects within the GEWIS room. Footage will only be watched in case of an incident that requires watching, to be decided by a Board member. During each GMM, it is announced whether and when the camera footage was watched since the last GMM.
The recordings will be stored for at most 1 week unless the footage has been watched and an incident requires storing the video recording for a longer period of time (e.g. a police investigation).
Outside of opening hours specified by the TU/e, access to the building which hosts the GEWIS room may be restricted. For members that need to visit the GEWIS room during restricted hours, a possibility to obtain an authorization for building access may exist. If this possibility is offered, GEWIS will process your student ID and/or campus card number. GEWIS will share your affiliation with the TU/e.
This data is stored until two years after the end of your studies/employment at the TU/e or until this authorization was revoked.
During social drinks or other events where alcohol is served, the persons serving drinks, as well as the EROs, may be given a list of all Members who are under 18 years old. This list includes names, dates of birth as well as photographs.
This is done to comply with legal obligations.
The data is stored until the end of the academic year during which one turns 18.
The email addresses of Members may be used to make mailing lists that can be used to send them relevant information related to GEWIS. The email addresses, names and the content of the (e)mails are shared with the Board. Members have the possibility to unsubscribe by sending an email to the Board or using the web interface.
The data is stored for up to 1 year after one unsubscribes from a certain mailing list (due to backups).
A direct mail mailing list is used to send out relevant information for certain generations or career-related subjects. Members who subscribe at GEWIS can opt in for the mailing list of their generation or the career mailing list. The mail addresses, names and the content of the (e)mails are shared with the Board. Members have the possibility to unsubscribe by sending an email to the Board. Occasionally, external parties (e.g. sponsors) may be offered the possibility to send an email over this list, but email addresses and names will not be shared with them.
The data is stored for up to 1 year after one unsubscribes from a certain mailing list (due to backups).
Sometimes, GEWIS may want to collect interest for certain events or other activities (such as first year committees). For this, an interest form may be used to collect names, email addresses, and preferences. This data will be shared with the Board and/or a possible other Organizer.
The ground for processing this information always is consent, and members will be informed about what happens with their data. Data will be stored until this is no longer needed, but at most one year.
Some information about visits to the GEWIS Website is automatically collected. This information consists of anonymized IP addresses, user-agent string, screen size, website performance, visited pages, and the referring website. This information is shared with the Board and the maintainers of the GEWIS Website.
For processing this information, website visitors are prompted for consent on their first visit to the website and each visit after that until they close the prompt or decline processing. This data is stored in original form for a maximum of six months and in aggregated form for a maximum of twelve months.
Minutes of GMMs, CMs and BMs may be published on the GEWIS Websites and can be accessed by all Members and Graduates for transparency reasons, most notably to present considerations and decisions. These minutes occasionally contain personal data, such as the names of the participants.
This data is stored until the association is dissolved.
Members and Graduates can buy food and drinks at the association via the point-of-sales administration system. Using this system, names, email addresses, bank transactions, and purchase transactions from the users are stored. The data is shared with the maintainers of the system, the BAC, and the Board.
For some users, it may be possible to have a negative balance. To remind users they have a negative balance, their balance may be shown on the screens in the GEWIS room during social drinks.
Data is processed on the basis of consent. Only after providing consent, a Member is able to use the system. If a user opts out of this data processing, it is not possible to use the system.
Personal data (names, email addresses, bank account numbers) will be stored for up to 1 year after the Member’s account has been deleted, which will happen in accordance with the Terms of Service of the POS system.
The data about transactions may be analyzed anonymously. This data is used to optimize purchases and the experience. This data is processed on the grounds of legitimate interest. Data about total current consumption may be shown on the screens in the GEWIS room. Next to the anonymized processing, some data may be processed on a per-user basis, for example to show who bought the most snacks during a certain period. Users of the system can opt in to this processing, where they will be asked for their permission to show this info to others. The ground for this type of processing is explicit consent.
Certain guests can also sign up for this system. Their data will be processed in the same way as if they were a Member or Graduate, but personal data will be stored for at most 5 years after they last used the system.
In some cases, it may be possible to use the system with an anonymous account. In these cases, transactions will still be processed and linked to a user, but this user is not directly identifiable.
GEWIS may provide a way to match students and tutors. For this, two kinds of information may be collected.
Information from students that want to become a tutor may be requested. The Board has access to the names, email addresses, availability, and information about which topics they want to tutor. The data is stored for up to 1 month after a tutor informs the Board that they do not want to tutor anymore.
Students who want tutoring can send (e)mails through a mailing list where the Board and all tutors will get access to the content of the (e)mails. GEWIS stores this data for a maximum of two years, but tutors may still possess personal copies of these emails.
To comply with legal obligations, GEWIS may have Members with an Emergency Response Officer certificate, Members who have an Instructie Verantwoord Alcoholschenken (IVA) certificate and Members who have completed the course Sociale Hygiëne.
For these courses and certificates, names, dates of birth and places of birth may be stored for up to 1 year after the certification is no longer needed or valid, whichever comes first. This data may be shared with the Board, BAC, FSE, TU/e and the municipality of Eindhoven.
A group of Members may organize a trip abroad. In some cases, to organize the trip and to fulfill legal obligations, Participants have to share their names, dates of birth, and copies of passports with the Board and Organizer. This data may also be shared with a possible external organizer in case this is needed for the organization of the trip.
The data is stored until a maximum of three months after this is no longer needed unless legal obligations require longer storage of the data.
For some trips, GEWIS may collaborate with an external foundation. In those cases, the external foundation may act as the Controller, and GEWIS may act as the Processor. Those cases are not governed by this privacy policy.
A new generation of students can participate in an Introduction Week at the beginning of their first year. For this, during the application for their studies, students can indicate whether they would like to join this week.
GEWIS acts as a Processor on behalf of the TU/e in those cases as well as a Controller and processes names, student numbers, (e)mail addresses, dates of birth, gender, and language preferences of these students and shares them with the Board as well as the Organizer within GEWIS. A subset of data relating to specific intro groups is shared with the introduction week parents of such a group. Additionally, on behalf of the TU/e, the Organizer collects phone numbers, sleeping locations, and allergies/dietary preferences from the participating first-year students. This information is stored up to two months after the Introduction Week took place.
For various development and maintenance tasks, various Members have access to live data. Those Members can access e.g. logs, database data, and administrative interfaces. A contractual agreement with those members is made which at least includes that they can only use the data for application development and system administration. Their function requires them to have access to the data, but processing the data is not their primary task.
GEWIS may store one or more of the following details: IP addresses, (attempted) user names for failed logins, and connection details for suspicious connections. This data can be accessed by committees that take on development and maintenance. Additionally, this data may be shared with TU/e.
The GEWIS Website may have a function where members can send in polls that will have to be approved by the Board before it is put on the GEWIS Website. Members and Graduates can view the comments that are being posted under the polls with the name or pseudonym of the commenter. If a member wants these comments to be removed, they can contact the Board. These polls and comments are stored for an undetermined amount of time.
For the GMM, Members can be authorized by other Members to vote on their behalf. When a Member gives their authorization via the GEWIS Website, they get a notification when the person being authorized already has two other authorizations.
GEWIS can have an internal wiki platform to store and share information. Users are instructed to not include personal information on this platform. The platform may keep track of who modified information (names and email addresses of the author). This information is visible to (a subset of) Members and Graduates.
Author information will be stored for up to 2 years after a subject is no longer a Member or Graduate.
GEWIS may have a platform that allows partners of GEWIS to update their (company) pages on the GEWIS Website. For this, the contact details of partners and a password will be stored.
In some cases, GEWIS may act as the Processor for data where it is not the Controller. In cases where GEWIS is not the Controller, the Controller remains responsible for data processing and handling requests from data subjects. Data will only be processed and stored according to the agreements made with the external party unless legal obligations prevent GEWIS from doing so.
GEWIS may process names, email addresses, and email contents on behalf of external parties by providing mailing list services to other parties. GEWIS does not classify as an intermediate service provider as meant in Article 12 of Directive 2000/31/EC in those cases since email contents will be changed and subscription/unsubscription services are offered. This means that GEWIS acts as a Processor in these cases.
GEWIS may act as a provider for hosting websites or other software applications for external parties. In those cases, GEWIS does not control the content of the application. In case of requests by the TU/e (e.g. security issues) or a legal authority (e.g. copyright infringement), GEWIS may make the application unavailable. This will be communicated to the party that is responsible for the application.
In limited cases, GEWIS acts neither as a Controller nor Processor, but instead acts as an intermediate service provider as meant in Article 12 or 15 of Directive 2000/31/EC. For completeness, these cases are listed here.
GEWIS may offer email forwarding services to Members and others. In those cases, GEWIS does not process email contents in the sense of the GDPR since it does not initiate the transmission, does not select the receiver of the transmission and does not select or modify the information contained in the transmission. Information is not stored for a longer period than is reasonably necessary for the transmission.
If a data subject wants to see what data is being stored about them, they can send an email to the Board using the contact details in section 6; the Board will then show them the data. A data subject can also contact the Board if they want their data to be moved to another party.
If a data subject wants their personal information deleted, they can contact the Board.
A data subject has the right to object to the processing of their data. If a subject wants to restrict the data that is being processed they can generally indicate this by contacting the Board.
For some activities, it is possible to object in another way. These are the following:
A data subject has the right to change the data that is being processed. For this, they can send an e-mail to the Board.
GEWIS does not use automated decision-making.
To ensure the confidentiality and security of personal data, appropriate physical, technical, and organizational measures have been taken.
When non-digital data is stored, it is stored in locations that can be locked (such as the GEWIS room, the GEWIS board storage room, or one of the safes). Additionally, when copies of non-digital personal data need to be destroyed, those will be discarded using confidential paper waste and safely discarded by TU/e.
When digital data is stored, it is stored in locations that can be locked. Servers that collect large amounts of data will be stored in data centers that can only be physically accessed by those persons who need access (i.e. the chair and the secretary of the organ that manages the hardware). In those cases where digital data is stored externally, agreements have been made to ensure similar safety. Personal data will not be stored on systems that are not owned by GEWIS. When storage media need to be discarded, they will be securely wiped.
Data in GEWIS systems can only be accessed by those who, based on their function, need it. Technical measures have been taken to make sure changes in access levels will be logged. Additionally, users are required to use a secure password for all services.
GEWIS is allowed to change this privacy statement at any time. In case there are any changes, a new version will be published on the website and announced by email to Members on the newsletter mailing list.
When changes are announced, a date at which the regulations take effect will be announced as well. This date is at least 4 weeks after the announcement. In this period, it is possible to make objections against the changes. If no objections are made, one automatically agrees to the changes in the privacy statement.
If you want to receive a notification each time the privacy statement is changed, and you are not a Member on the newsletter mailing list, please inform the Board.
If you wish to react to our privacy statement, you can contact:
Postal address:
Study Association GEWIS
MF 3.155
P.O. Box 513
5600 MB Eindhoven
Visiting address:
Study Association GEWIS
MF 3.155
De Groene Loper 5
5612 AZ Eindhoven
Phone number:
+31 (0)40 247 2815
Mail address:
privacy@gewis.nl
GEWIS: The Association GEmeenschap van Wiskunde & Informatica Studenten based in Eindhoven
Member: A natural person who is registered as a member of GEWIS in accordance with the Articles of Association and the HR
Graduate: A natural person who is registered as a graduate of GEWIS in accordance with the Articles of Association and the HR
Contributor: A natural person who is registered as a contributor of GEWIS in accordance with the Articles of Association and the HR
Articles of Association: Articles of Association of GEWIS
TU/e: Eindhoven University of Technology
GEWIS Website: The collection of webpages as accessible on gewis.nl
Activity: Any sort of activity organized by a party of GEWIS, this can be a weekend, party, regular activity or other activity.
Participant: A Member, Graduate or non-Member who subscribed for or joins an Activity
Department of M&CS: Department of Mathematics & Computer Science of the TU/e
Organizer: Party that organizes an activity
Board: Board of GEWIS
Active member: A Member who is a member of at least one organ of GEWIS excluding inactive fraternity memberships
FSE: The foundation Stichting Federatie van Studieverenigingen aan de Technische Universiteit Eindhoven based in Eindhoven
GEWIS room: The rooms 3.155 and 3.155a of the MetaForum building
Room responsible: The person who is currently responsible for the room and is physically present
GEWIS Websites: The collection of webpages as accessible on gewis.nl, any of its subdomains or other domains owned by GEWIS
Board member: A person who is a member of the Board
GMM: The General Meeting of GEWIS being the general members’ meeting as a body of the association as well as its meetings
ERO: Emergency Response Officer (NL: BHV’er); a person who is able to provide first aid, help with fires/accidents and evacuations and is certified or recognized as such by the TU/e
CM: the Chair’s Meeting of GEWIS
BM: the Board Meeting of GEWIS
BAC: "BAr Committee", a committee of GEWIS responsible for managing social drinks
Controller: The person or company that determines what personal data is processed and how
Processor: A person or company that processes personal data on behalf of a Controller
GEWIS board storage room: The room 3.156 of the MetaForum building