As adopted on the 1602nd board meeting of Study Association GEWIS, valid from July 5th, 2022.
We respect your privacy and we process your personal data only with the purpose forwhich you have shared your data. In this privacy statement, we aim to make it clear whatpersonal data we collect and store and for what purpose.
Various activities are employed within GEWIS. Different categories of personal data are processed within these activities.
Unless otherwise noted, processing happens on the ground of legitimate interest.
Upon becoming a Member, Graduate or Contributor, one has to provide their personal details. This data includes: name, gender, email address, phone number, birth date, postal address and year of becoming a member (generation). These details will be stored in the membership database. These details will be used by GEWIS to contact Members, Graduates or Contributors. Furthermore, the details may be used for the other processes listed in this privacy statement.
This data will be stored up to 2 years after a data subject is no longer a Member, Graduate or Contributor.2.1.1 Verification of membership requirements
To verify whether a Member meets the requirements in the Articles of Association, their TU/e username and current study are requested upon subscription. This data will be periodically shared with the TU/e student administration to verify whether a member still meets the requirements. For this, a (prospective) Member’s approval is asked when registering for GEWIS. It is also possible to supply GEWIS with another proof of enrollment at the department.
This data will be stored up to 2 years after a subject is no longer a Member or Graduate.2.1.2 SEPA Direct debit
Members and Contributors may be offered the opportunity to pay their membership fee or voluntary contribution respectively using a SEPA Direct Debit. If a (prospective) Member or Contributor opts for this method, their international bank account number (IBAN) will be stored in the membership database. This data will be used only for direct debits and may be shared with external payment providers. In those cases, the providers will be contractual required to use the data only for processing payments for GEWIS.
The bank account number will be stored up to 2 years after a subject is no longer a Member, Graduate or Contributor. However, financial data will always be stored for at most 8 years to comply with legal obligations regarding taxes.2.1.3 Website member information
Members may be allowed to lookup fellow Members (or Graduates) on the GEWIS Website. In these cases, the name, gender, date of birth and year of becoming a member is provided. Current and historic organ membership as follows from the minutes as meant in subsection 2.13 may also be displayed.
On the GEWIS Website a list with the names and ages of Members and Graduates who celebrate their birthday on the current day may be shown. This list may be shown to Members.
Members can join Activities organized by GEWIS. If a Member wishes to participate, personal data of this Member gets processed. For most activities, members can subscribe through the GEWIS website and will be asked for some data. This data consists of names, whether a participant is a member and email addresses and may include other information such as dietary wishes. It is shared between the Board and the Organizer. The goal of this information sharing is forthe organization of an activity as well as communication to Participant. The names of the people registered for an activity is also shared with other Members and Graduates. The goal for this is informing potential Participant who else is going to participate.
Unless explicitly noted during subscription (e.g. for activities that require named tickets), the data will not be shared with external parties.
This data will be stored up to 2 years after a subject is no longer a Member or Graduate, but at most 5 years after an Activity ended or was planned.2.2.1 Activities with external participants
For some activities, it is also possible that a non-Member joins. The same conditions as in the rest of subsection 2.2 apply. In addition, the names of external participants are shared with all visitors of the GEWIS Website. Data will be stored for at most 5 years after an Activity ended or was planned.2.2.2 Parent Days
On behalf of Department of M&CS and GEWIS, GEWIS may organize parent days. Parents/guardians of first year students (Members) may be invited to these events to experience a day in the life of students. To invite them, email and postal addresses from the membership administration may be used. Due to the sensitive nature, the data will not be shared with the Organizer but instead be processed by the Board. This data isprocessed on the ground of legitimate interest.
Persons who want to participate in the parent days can subscribe. In those cases, their names, email addresses, phone number and name(s) of their child(ren) will be processed. This data may be accessed by the Organizer and the Board. This data is processed on the ground of consent.
The data is stored for up to three weeks after the event took place.
During Activities and other events of GEWIS, pictures may be taken. In the pictures, people may be identifiable. The photos serve as a memory of the activity. The photo archive is accessible to Members. Additionally, Graduates can access the photos from the association years in which they were a member. Furthermore, each week a photo of the week is picked which is accessible publicly on the homepage.
If a subject wishes not to be photographed, they can indicate so to the photographer. In those cases, no pictures where they are identifiable will be taken.
The pictures will be stored for an undetermined amount of time.2.3.1 Use of photos in other publications
Members are given the option to tag themselves and other Members or Graduates in photos to indicate that someone is in a picture. These tags allow people to see all photos with a specific person quickly. Tags are only visible to Members and Graduates. If a photo is shown on the home page, the tags will not be publicly visible.
This data will be stored up to 2 years after a subject is no longer aMember or Graduate.
A yearbook is made to commemorate a year with pictures and stories. The yearbook may contain a chapter called "smoelenboek" which shows a picture, name and the organs an Active member (or first-year Member) was in during the year, unless the Member opted out. This chapter is shared with all active Members through the yearbook, but not with external parties. They receive an alternative edition of the yearbook without this chapter.
The yearbook contains stories written by organs with their name and a picture included. This information is shared with active members, as well as external parties.
The yearbooks with the data are accessible by recipients of the yearbook and in the GEWIS archive permanently.
On behalf of TU/e and Department of M&CS, GEWIS arranges book sales. For this, GEWIS and FSE collaborate with an external book supplier. By law, the book supplier is only allowed to sell books with a discount if the student is a studying member of GEWIS. Therefore, GEWIS will verify the orders of the books. For this, a list with names and email addresses is processed. This information is only shared with the Board and stored for at most 1 year after ordering the books. A count of orders and book numbers may be shared with FSE for evaluation purposes and be stored for an undetermined period of time.
Furthermore, to be able to allow members to pick up books in the GEWIS room, GEWIS will process a list of orders. This list contains, names, email addresses and the books ordered. This list will be shared with the Board and Room responsibles (or other Members) that hand out books. This data will be stored for three years (the period in which books can be picked up).
A committee of GEWIS makes a magazine with pictures and stories: the Supremum. These magazines are sent to home addresses of active Members, Contributors and some companies. The names and addresses of recipients are shared with the Board, the committee member responsible for contact with the printing company, and the external printing company. This data is stored for at most 1 month after the magazines have been sent.
The Supremum may contain quotes made by Members with their name. This is viewable by all readers of the magazine, which includes all Members and external parties such as companies GEWIS collaborates with, Contributors and Department of M&CS or other TU/e staff. Additionally, the archive of quotes may be published on the GEWIS Websites; if this is the case, the archive is only accessible byMembers. The magazines may contain stories written by Members or non-Members with their name and picture included. This information is shared with all recipients of the magazines.
The Supremum is accessible by recipients of the magazines permanently. Furthermore, the archive of Supremum may be published publicly on the GEWIS Websites.
Within the GEWIS room, one or more cameras may be installed. These camera may record video footage of subjects within the GEWIS room. Footage will only be watched in case of an incident that requires watching, to be decided by a Board member. During each GMM, it is announced whether and when the camera footage was watched since the last GMM.
The recordings will be stored for at most 1 week, unless the footage has been watched and an incident requires storing the video recording for a longer period of time (e.g. a police investigation).
Outside of opening hours specified by the TU/e, access to the building which hosts the GEWIS room may be restricted. For members that need to visit the GEWIS room during restricted hours, a possibility to obtain an authorization for building access may exist. If this possibility is offered, GEWIS will process your student ID and/or campus card number. GEWIS will share your affiliation with the TU/e.
This data is stored until two years after the end of your studies/employment at the TU/e or until this authorization was revoked.
During social drinks or other events where alcohol is served, the persons serving drinks, as well as the EROs, may be given a list of all Members who are under 18 years old. This list includes names, date of birth as well as photographs.
This is done to comply with legal obligations.
The data is stored until the end of the academic year in which one turns 18.
The email addresses of Members may be used to make mailing lists that can be used to send them relevant information related to GEWIS. The email addresses, names and the content of the mails is shared with the Board. Members have the possibility to unsubscribe by sending an email to the Board or using the web interface.
The data is stored up to 1 year after one unsubscribes from a certain mailing list (due to backups).2.10.1 Direct Mail
A direct mail mailing list is used to send out relevant information for certain generations or for career related subjects. Members who subscribe at GEWIS can opt-in for the mailing list of their generation or for the career mailing list. The mail addresses, names and the content of the mails is shared with the Board. Members have the possibility to unsubscribe by sending an email to the Board. Occasionally, external parties (e.g. sponsors) may be offered the possibility to send an email over this list, but email addresses and names will not be shared with them.
The data is stored up to 1 year after one unsubscribes from a certain mailing list (due to backups).
Sometimes, GEWIS may want to collect interest for certain events or other activities (such as first year committees). For this, an interest form may be used to collect names, email addresses and preferences. This data will be shared with the Board and/or a possible other Organizer.
The ground for processing this information always is consent andmemberswill be informed about what happens with their data. Data will be stored until this is no longer needed, but at most one year.
Some information about visits to the GEWIS Website is automatically collected. This information consist of anonymized IP-addresses, user-agent string, screen size, website performance, visited pages and the referring website. This information is shared with the Board and the maintainers of the GEWIS Website.
For processing this information, website visitors are prompted for consent on their first visit to the website and each visit after that until they close the prompt or decline processing.
This data is stored in original form for a maximum of six months and in aggregated form for a maximum of twelve months.
Minutes of GMMs, CMs and BMs may be published on the GEWISWebsites and can be accessed by all Members. These minutes occasionally contain personal data, such as the names of the participants. These minutes are published to all Members for transparency reasons, most notably to present considerations and decisions.
This data is stored until the association is dissolved.
Members and Graduates can buy foods and drinks at the association via the point-of-sales administration system. Using this system, names, email addresses, bank transactions and purchase transactions fromthe users are stored. The data is sharedwith themaintainers of the system, the BAC and the Board.
For some users it may be possible to have a negative balance. To remind users they have a negative balance, their balance may be shown on the screens in the GEWIS room during social drinks.
Data is processed on the basis of consent. Only after providing consent, a Member is able to use the system. If a user opts out of this data processing, it is not possible to use the system.
Personal data (names, email addresses, bank account numbers) will be stored up to 2 years after a data subject is no longer a Member, Graduate or Contributor. Transactions and aggregated sales will always be stored for at most 8 years to comply with legal obligations regarding taxes.2.14.1 Statistics
The data about transactions may be analyzed anonymously. This data is used to optimize purchases and the experience. This data is processed on the grounds of legitimate interest. Data about total current consumption may be shown on the screens in the GEWIS room.
Next to the anonymised processing, some data may be processed on a per-user basis, for example to show who bought the most snacks during a certain period. Users of the system can opt-in to this processing where they will be asked for their permission to show this info to others. The ground for this type of processing is explicit consent.2.14.2 Registered guests
Certain guests can also sign up for this system. Their data will be processed in the same was as if they were a Member or Graduate, but personal data will be stored for at most 5 years after they last used the system.2.14.3 Anonymous guests
In some cases it may be possible to use the system with an anonymous account. In these cases, transactions will still be processed and linked to a user, but this user is not directly identifiable.
GEWIS may provide a way to match students and tutors. For this, two kinds of information may be collected.
Information from students that want to become a tutor may be requested. The Board has access to the names, email addresses, availability and information about which topics they want to tutor. The data is stored for up to 1 month after a tutor informs the Board that they do not want to tutor anymore.
Students who want tutoring can send mails through a mailing list where the Board and all tutors will get access to the content of the mails. GEWIS stores this data for a maximum of two years, but tutors may still posess personal copies of these emails.
To comply with legal obligations, GEWIS may have Members with an Emergency Response Officer certificate, Members who have an Instructie Verantwoord Alcoholschenken (IVA) certificate and Members who have completed the course to Sociale Hygiëne.
For these courses and certificates, names, birth dates and birth places may be stored for up to 1 year after the certification is no longer needed or valid, whichever comes first. This data may be shared with the Board, BAC, FSE, TU/e and the municipality of Eindhoven.
A group of Members may organise a trip abroad. In some cases, to organize the trip and to fulfill legal obligations, Participant have to share their names, date of birth and copy of passport with the Board and Organizer. This data may also be shared with a possible external organizer in case this is needed for the organization of the trip.
The data is stored until a maximum of three months after this is no longer needed unlesslegal obligations require a longer storage of the data.2.17.1 Study trips
A new generation of students can participate in an Introduction Week at the beginning of their first year. For this, during the application for their studies, students can indicate whether they would like to join this week.
GEWIS acts as a Processor on behalf of the TU/e in those cases as well as a Controller and processes names, student numbers, mail addresses, birth dates, gender and language preferences of these students and shares them with the Board as well as the Organizer within GEWIS.Asubset of data relating specific intro groups is shared with the introduction week parents of such a group. Additionally, on behalf of the TU/e, the Organizer collects phone numbers, sleeping locations and allergies/dietary preferences from the participatingfirst-year students. This information is stored up to two months after the Introduction Week took place.
For various development and maintenance tasks, various Members have access to live data. Those Members can access e.g. logs, database data and administrative interfaces. A contractual agreement with those members was made which at least includes that they can only use the data for application development and system administration. Their function requires them to have access the data, but processing the data is not their primary task.2.19.1 Security information
GEWIS may store one or more of the following details: IP addresses, (attempted) user names for failed logins and connection details for suspicious connections. This data can be accessed by committees who take on development and maintenance. Additionally, this data may be shared with TU/e.
The GEWIS Website may have a function where members can send in polls that will have to be approved by the Board before it is put on the GEWIS Website. Members and Graduates can view the comments that are being posted under the polls with the name or pseudonum of the commenter. If a member wants these comments to be removed, they can contact the Board. These polls and comments are stored for an undetermined amount of time.
For the GMM, Members can be authorized by other Members to vote on their behalf. When a Member gives their authorization via the GEWIS Website, the get a notification when a the person being authorized already has two other authorizations.
GEWIS can have an internal wiki platform to store and share information. Users are instructed to not include personal information on this platform. The platform may keep track of who modified information (names and email addresses of the author). This informatino is visible to (a subset of) Members and Graduates.
Author information will be stored up to 2 years after a subjec tis no longer a Member or Graduate.
GEWIS may have a platform that allows partners of GEWIS to update their (company) pages on the GEWIS Website. For this, contact details of partners and a password will be stored.
In some cases, GEWIS may act as the Processor for data where it is not the Controller. In cases where GEWIS is not the Controller, the Controller remains responsible for data processing and handling requests from data subjects. Data will only be processed and stored according to the agreements made with the external party unless legal obligations prevent GEWIS from doing so.2.24.1 Mailing list services
GEWIS may process names, email addresses and email contents on behalf of external parties by providing mailing list services to other parties. GEWIS does not classify as intermediate service provider as meant in Article 12 of Directive 2000/31/EC in those cases since email contents will be changed and subscription/unsubscription services are offered. This means that GEWIS acts as a Processor in these cases.2.24.2 Website hosting services
GEWIS may act as a provider for hosting websites or other software applications for external parties. In those cases, GEWIS does not control the content of the application. In case of requests by TU/e (e.g. security issues) or a legal authority (e.g. copyright infringement),GEWISmaymake the application unavailable. Thiswill be communicated to the party that is responsible for the application.
In limited cases, GEWIS acts neither as a Controller or Processor, but instead acts as intermediate service provider as meant in Article 12 or 15 of Directive 2000/31/EC. For completeness, these cases are listed here.2.25.1 Email forwarding services
GEWIS may offer email forwarding services to Members and others. In those cases, GEWIS does not process email contents in the sense of the GDPR since it does not initiate the transmission, does not select the receiver of the transmission and does not select or modify the information contained in the transmission. Information is not stored for a longer period than is reasonably necessary for the transmission.
If a data subject wants to see what data is being stored about them, they can send an email to the Board who will then show them the data using the contact details in section 6. A data subject can also contact the Board if they want their data to be moved to another party.
If a data subject wants their personal information deleted, they can contact the Board.
Adata subject has the right to object against the processing of their data. If a subject wants to restrict the data that is being processed they can generally indicate this by contacting the Board.
For some activities, it is possible to object in another way. These are the following:
A data subject has the right to change the data that is being processed. For this, they can send an e-mail to the Board.
GEWIS does not use automated decision making.
To ensure the confidentiality and security of personal data, appropriate physical, technical and organizational measures have been taken.When non-digital data is stored, it is stored in locations that can be locked (such as the GEWIS room, the GEWIS board storage room or one of the safes). Additionally, when copies of non-digital personal data need to be destroyed, those will be discarded using confidential paper waste and safely discarded by TU/e.
When digital data is stored, it is stored in locations that can be locked. Servers that collect large amounts of data will be stored in data centers that can only be physically accessed by those persons who need access (i.e. the chair and the secretary of the organ that manages the hardware). In those cases where digital data is stored externally, agreements have been made to ensure similar safety. Personal data will not be stored on systems that are not owned by GEWIS. When storage media need to be discarded of, they will be securely wiped.
Data in GEWIS systems can only be accessed by those who, based on their function, need it. Technical measures have been taken to make sure changes in access levels will be logged. Additionally, users are required to use a secure password for all services.
GEWIS is allowed to change this privacy statement at any time. In case there are any changes, a new version will be published on the website and announced by email to Members on the newsletter mailing list.
When changes are announced, a date at which the regulations take effect, will be announced as well. This date is at least 4 weeks after the announcement. In this period, it is possible to make objections against the changes. If no objections are made, one automatically agrees to the changes in the privacy statement.
If you want to receive a notification each time the privacy statement is changed, and you are not a Member on the newsletter mailing list, please inform the Board.
If you wish to react to our privcacy statement, you can contact:
Study Association GEWIS
P.O. Box 513
360 5600 MB Eindhoven
Study Association GEWIS
De Groene Loper 5
365 5612 AZ Eindhoven
+31 (0)40 247 2815