User Tools

Site Tools


ict:privacy:details

This is an old revision of the document!


Specific usage of your personal data

This document will provide you with a detailed view of the various kinds of information S.A. Proto processes, how this is acquired, where it can be reviewed and how it can be modified and/or deleted.

The intention of this overview is to be complete and exhaustive, and the Have You Tried Turning It Off And On Again committee has the duty to keep this document factual and actual. If, despite these efforts, you find that his document is incomplete or incorrect, or if you have other questions related to this document, please send an e-mail to privacy@proto.utwente.nl.

This section should be viewed as an appendix to the Privacy Policy of Study Association Proto.

Who has access to your data

Throughout this document several groups will frequently been named as having access to your data. These groups will be outlined below for quick reference. In addition sometimes names of committees or societies of S.A. Proto will make an appearance. If this is the case a link will be included to that committee's/society's page on the S.A. Proto website to easily allow you to see who a member of that committee/society is currently. If an external company or party has access to your data, a link will be included to (the closest thing to) a privacy policy on the website of that party.

Common groups

Common groups that will be repeated throughout this document are:

  • System Administrators – The people responsible for the most technical IT support in the association. This includes all members listed on the Have You Tried Turning It Off And On Again committee member list that have System Admin(istrator), SysAdmin or Privacy Officer in their function.
  • Administrators – This group consists of three groups: the System Administrators, the board of S.A. Proto and all members listed on the Have You Tried Turning It Off And On Again committee member list that have Developer in their function.
  • OmNomCom – This group consists of people that have access to a specific part of the association administration related to the stock, management, purchases and other related aspects of the OmNomCom, the system that keeps a tally of all purchases made within the association and sees that they are being paid for. This group consists of three groups: the Administrators and all members listed on the OmNomCom and TIPCie member list. Next to that, also Alfred, the administrator of the SmartXp lab, has access to this administration, to make purchases able to go via the OmNomCom.
  • Members – This group consists of all people that have a user account on the website and an active association membership tied to that user account.

Everyone in the System Administrators, Administrators and OmNomCom groups have signed an NDA or Non Disclosure Agreement .

Terms

  • The University of Twente (henceforth also called the UT) is the university which is home to the Creative Technology program, and the facilitating university to S.A. Proto.
  • A user's dashboard is the part of the S.A. Proto website where they can see, for the largest part, what information S.A. Proto has on them and add, edit and/or remove it.

Location of data and storage

S.A. Proto exclusively stores data on Dutch soil and with Dutch companies, except where specifically mentioned otherwise.

Most of the data related to the website and e-mail and our backup is stored on a virtual server provided by the student company Studenten Net Twente (SNT) on the UT terrain. The privacy policy can be found at https://www.snt.utwente.nl/helpdesk/beleid/privacy. S.A. Proto signed a data processing agreement with SNT.

Our website will soon be hosted at Antagonist because of maintainability over future years. Data centers used at Antagonist are located at Enschede and Hengelo, via Equinix and Previder. We have a data processing agreement with Antagonist, of which the content can be viewed here

The domain names are arranged with TransIP. Their privacy policy can be found here.

Most of the file storage, part of the e-mail and some secondary data is stored on a physical server on the University of Twente campus. This server is located in a locked room that is only accessible to System Administrators and technical staff of the University of Twente. This server is in possession of S.A. Proto.

Personally identifiable information (PII)

If you register an account with S.A. Proto, you are asked to provide:

  • Your name
  • Your e-mail address

Upon account creation, this information is stored on our servers and visible only to Administrators. Other users and/or members cannot see your information. You are also assigned an internal numerical user ID, which is used to link all your data to your account. This user ID contains no PII and is retained indefinitely.

This information is stored together with your account and retained as long as your account is active. If you have no active S.A. Proto membership, you can deactivate your account (and delete most of your PII) via your dashboard. You cannot deactivate your account as long as you have a running membership. If you wish to terminate your account, please contact the association board.

Note: even for a deactivated account (only) your name is retained indefinitely for historical purposes.

Any additional PII you add to your account can be removed again via your dashboard, as long as you don't have an active membership.

Additional PII for members

If you are a member of S.A. Proto some of the PII mentioned earlier will become visible for other members of the association:

  • Your name
  • Your e-mail address

We believe that it is necessary for members to be able to contact each other in order to ensure a smoothly running association. Therefore we do not allow you to hide your e-mail address for other members. Your e-mail address will never by visible to guests or users.

Becoming a member of S.A. Proto also requires you to add a few extra pieces of information:

  • Your date of birth
  • Your phone number
  • Your current living address
  • A SEPA withdrawal authorization
  • Your signature

All of these are added by you via your dashboard. As soon as you are a member, this information can only be changed, not deleted. In order to completely delete this information, you must terminate your membership. Note that your date of birth can only be changed by contacting the association board.

Your living address and your SEPA withdrawal authorization are only visible to Administrators. You can voluntarily choose to share your address, birth date and/or phone number with other members of the association, but not users, (and reverse this) via your dashboard. These data will be visible to Administrators.

Your age may be shown to other members. If it is your birthday, you will be displayed on the homepage of the site. We think this improves the feel of a community, but the user can opt-out for this via their dashboard.

The page where you can authorize S.A. Proto for a SEPA direct withdrawal processes your IBAN. To improve usability your IBAN is sent to openiban.org to see if your BIC can be automatically determined. No other PII is sent to openiban.org. In order to prove that you allowed S.A. Proto to collect the debt you have at S.A. Proto (by buying from the OmNomCom, retrieving your membership fee or participating in activities for example) your signature is saved.

Additionally, you can also choose to supply:

  • Dietary or allergy information
  • Mailing list subscriptions
  • RFID tag

Dietary or allergy information is only visible to Administrators and to members of the committees or societies that organize activities you attend. This information is retained until you manually change or delete it. Note that the latter can only see your dietary or allergy information:

  • If you are registered as a participant in the activity, up until two weeks after the activity has ended; AND
  • That activity has been marked (by an Administrator) to involve food or other allergy sensitive activities.

The mailinglist subscriptions are saved to see which mail you want to receive such that you only have to receive mail you are interested in. RFID code can added by the user to simplify OmNomCom purchases and can be deleted at all times.

Finally, if you choose to become active by joining a committee or a society, your name will be added to the page of the committee or society you are joining (along with a join and leave date and a function description), and this will be visible to members. Your memberships are retained indefinitely, even if you deactivate your account.

Data S.A. Proto automatically stores the following data about you:

  • Date of start of membership
  • Date of end of membership
  • User id
  • Regular member
  • Life-long member
  • Donator
  • Honorary member

The start and the end date of your membership are stored for historical and statistical purposes and also to prove that a member had contribution fee obligation in the past.

Every member receives a unique user id for anonymization in case of statistical operations and for the layout of the database.

When becoming a member, the type of member can be one (or more) of the following: Regular member, honorary member, life-long member and donator. This is because there is a difference in contribution fee to receive between these types.

Purchases and payments

In the course of your S.A. Proto membership, you can make purchases at various points. These purchases can include food and consumables at the OmNomCom, participant's fee for activities and your membership fee. Any purchases you make are saved and retained indefinitely, even if you terminate your membership or deactivate your account. All purchases are visible and searchable by the OmNomCom and Administrators. During some activities you can pay for your consumptions in cash. If you pay in cash, the purchase is logged but not linked to your user account.

Administrators are also able to see the aggregated purchase and payment information that is visible to you. This includes totals for each month, which withdrawals you were included in and the amount that was involved in these withdrawals.

Purchase history may be used to present you with your favorite purchases in the OmNomCom, and to generate (anonymized) statistics that can help the OmNomCom manage stock better and more efficiently. Your purchase history and derived data will never be sold to other parties. You can choose whether you want your purchase data anonymized after 7 years via your dashboard.

You can pay for your purchases either via an automatic withdrawal or using our online payment provider. As a member, paying via automatic withdrawal is the default option. See also the notes in withdrawal authorizations earlier in this document. If you pay using automatic withdrawal, the details of your withdrawal authorization (including your name and bank account number) are shared with the bank of S.A. Proto in order to perform the automatic withdrawal.

The bank of S.A. Proto is currently the Rabobank. You can find the privacy policy of this bank here.

Alternatively, you can pay using our online payment provider Mollie (see here for their terms and conditions, including privacy statement). We do not send data of individual purchases to Mollie, only the total amount you wish to settle including a generic description. When you pay, Mollie receives some data on you depending on the payment method you choose. For example, if you pay using iDeal, Mollie receives the bank account number and bank you paid with. This information is also available to S.A. Proto and may be processed automatically. S.A. Proto does not send any PII to Mollie.

Please note that not linking any payment data to your account (e.g. removing your withdrawal authorization or refusing to pay via Mollie) does not excuse you from settling your debts with S.A. Proto. If you have a privacy concern with any of the existing options, please contact the treasurer of S.A. Proto to see if it could be possible to pay in cash or via another method.

User generated content and other data

Over the course of being a user of the S.A. Proto website, or a member of the association, information may be created and/or generated by you or about you. We try to provide a comprehensive list below, but do not guarantee this list to be complete.

Profile photo

You can add, edit or remove a profile photo via your dashboard. This is completely voluntarily. As a rule of thumb, assume that your profile photo is visible wherever your name is. Your profile photo is retained till you delete or change it. Your photo can also be visible during drinks when you are under 18. If you wish to receive a membership card, your profile picture will be used on this card.

Achievements

You can receive achievements (virtual 'prizes' for achieving something) automatically or manually. These are visible to other members of the association in your profile. Please contact the association board if you don't want an achievement to be shown in your profile. Achievements are retained until they're deleted by an Administrator or your account is deleted.

Activities

If you participate in, organize or help with an activity, your name may appear indefinitely on that activity's page. The only way to prevent this is by not going to activities.

Played ProTube videos

S.A. Proto keeps a history of which videos are added to the ProTube video system. If you are logged in with your user account to the website in the same session and/or browser you use to add a video to ProTube, this act may be associated with your account. If you wish to prevent this, please indicate this via the ProTube dashboard. Played video history is retained indefinitely for historical purposes. If you wish to clear your personal history (i.e. make Proto forget you put certain songs in ProTube) you can do so via the ProTube dashboard. This will not delete the songs from history, just the association with your user account.

Quotes

The website has a place where members can see and place quotes by other people and/or members. If there is a quote that you posted, or in which you are mentioned, and you wish to have this quote removed, please contact the association board. Quotes are retained until deleted by an Administrator.

RFID cards

You can link RFID cards to your account via the OmNomCom system to speed up check-out. If you do this, the card's UID is saved. This is in fact required if you want to buy something during drinks. You can edit or remove an RFID card at any time via your dashboard. RFID cards are retained until you remove them.

Student information and study details

You can find the privacy policy of the University of Twente here, unfortunately only in Dutch.

The ICT systems of Study Association S.A. Proto integrate with those of the University of Twente on several fronts.

University of Twente address book

S.A. Proto offers a University of Twente address book that allows users to search into the contact details of UT employees and students. The UT maintains the information in this address book and S.A. Proto merely relays the query of the user to this address book. The UT address book on the S.A. Proto website is only accessible to user accounts that have linked an active UT account to their S.A. Proto account. All the information in the UT address book is otherwise also available via their LDAP directory service, which can be accessed by anyone with access to the UT network.

The information from the UT address book is not used to automatically update any information related to your S.A. Proto user account or membership.

The LDAP directory service is, where not explicitly mentioned otherwise, also the source of data S.A. Proto uses to perform the other actions described in this section.

Linking a UT account

From your dashboard you can link or unlink a UT account from your S.A. Proto account. Having a UT account linked to your S.A. Proto account entitles you extra privileges on the website. As long as you have a UT account linked, S.A. Proto stores your student or employee number as part of your user data. If you unlink your UT account from your S.A. Proto account, S.A. Proto also removes the reference to your student or employee number from your user data.

If you link your UT account S.A. Proto will also request your current study/studies or department from the university. S.A. Proto will store this information as long as you have your student number linked, and will periodically update this information. Your study or department can be shown to other members.

Logging in with your UT credentials

If you log-in using your UT credentials (either to link your account or to login to the website) you are redirected to the single sign-on (SSO) environment of the UT. Your UT credentials are not read by, transmitted to or processed by us. If SSO authentication succeeds, you are redirected back to S.A. Proto. In this process, S.A. Proto is presented your student number, full name and student e-mail address.

  • Your student number is stored as described elsewhere.
  • Your name is used to update your user account.
  • If you're registering an account, your e-mail is used for that account. If you're only loggin in, it is discarded.

Your student or employee number

Although S.A. Proto stores your student or employee number if you choose to link your UT account to your S.A. Proto account, it does not make this number searchable for other users, also not via the UT address book. Only the Administrators can find you by this number or look up this number for you.

Determining membership fees and UT grands

S.A. Proto performs automated and periodical checks against UT records to decide whether a member is currently a Creative Technology or Interaction Technology student. This check is performed to establish whether this member needs to pay the regular or reduced membership fee. S.A. Proto does not keep a record that indicates directly whether a user is a Creative Technology student, although this can be inferred from the membership fee charged to that member. The UT cannot learn anything about non Creative Technology or non Interaction Technology students from this check.

If you believe you were charged the wrong membership fee, you can contact the treasurer of S.A. Proto for rectification.

S.A. Proto is entitled a grant from the faculty of EEMCS at the University of Twente because of its status as the study association of Creative Technology and Interaction Technology. To qualify for this grant, S.A. Proto needs to show how many of its members are a student at the faculty of EEMCS. To do this, S.A. Proto sends a list with the names, e-mail addresses and student numbers (if applicable) of its members to the faculty of EEMCS, so the faculty of EEMCS can determine the correct height of the grant. S.A. Proto and the UT agree to treat this list confidential and to destroy the list after use. The UT is not allowed to retain any of the details on this list for its own use.

Verifying valid UT account

S.A. Proto periodically and automatically checks whether the UT accounts users have linked to their S.A. Proto account are still valid and active in the administration of the UT. If this automated check determines a UT account is deactivated by the UT, it will be removed from the S.A. Proto account. The user is not informed of this. If you believe the check to have incorrectly removed your UT account from your S.A. Proto account, you can always contact the website developers.

Committee specific information

There are two committees with which you personal data might be shared.

Guild of Drafters

First of all, if you join the drafting committee, your data might be stored on Alex.ia. The following information might be stored:

  • Name
  • IVA certificate

Your name is stored to see who is or was scheduled to draft beer. Your IVA (if applicable) is stored, because that always needs to be present when drafting. To know more about Alex.ia, please check their privacy policy or contact them directly.

Protopeners

Second, if you join the ProtOpeners committee, your name will be displayed on the screen in and nearby the Protopolis when you have Protopener duty. This is to show members who is responsible for the Protopolis at that very moment and who members can ask question and/or information. Next to this, you should get a Proto membership card displaying your profile picture which is used for identification.

Photos and portrait right

At activities organized by or together with S.A. Proto, photographers or film crew may be present at the activity and they may take a picture and/or video of you that may later be published. If this makes you feel uncomfortable, please indicate this to the people taking the photos/video. They will do their best to take it into account.

In the case of photographers/film crew of S.A. Proto (most notably, the S.A. Protography committee), S.A. Proto reserves the right to take or publish any pictures taken. For activities that are likely to generate embarrassing photos (a cantus, for example), S.A. Proto will take precautions to prevent embarrassing photos from being put online without consent from the subject. For other activities though, S.A. Proto reserves the right to publish photos without asking consent. Either way, by joining an activity you are surrendering your portrait right for any photos taking during that activity. You may always request a photo to be taken off-line after publishing. To do that, please contact photos@proto.utwente.nl or the association board. Photos are uploaded to Flickr and will be published on our own site via Flickr. This is mainly done because of their storage options. You can find their Privacy Policy here.

In the case of external parties (press, for example), please ask that party or the association board for their policy regarding portrait rights.

E-mail

When you send e-mail via S.A. Proto (either towards an @proto.utwente.nl address or by using S.A. Proto's SMTP servers) a copy of that e-mail (including the body) will be temporarily stored on our servers while the e-mail is in transit. That copy will be deleted once delivered to the following e-mail server. Additionally, our mail servers log activity (this includes to and from addresses, as well as the subject of the e-mail – the body of an e-mail is never logged) to combat spam and troubleshoot problems.

Network drives and file storage

If you or your committee makes use of network drives provided by S.A. Proto, outside the intended users only System Administrators have access to data on that drive.

All data on the network drives are stored on the campus of the University of Twente on machines controlled by S.A. Proto.

Some data might be temporarily stored on Google Drive to ease working together on one file. This might happen with draft versions of GMM documents or minutes of board meetings for example. Google's privacy policy can be found here.

Cookies, IP-addresses and other technical metadata

The S.A. Proto website makes use of various cookies to provide session and log-in persistence. These cookies are functional and do not allow us to collect privacy sensitive data.

When you visit any of the S.A. Proto websites technical metadata (which can including your IP-address, browser user-agent and URL you access) will be logged by the web server.

Only System Administrators have access to this data.

Your information with third parties

Matomo.org, web analytics

S.A. Proto uses Matomo for web analytics. Using Matomo, S.A. Proto collects non-personally-identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request. The purpose in collecting non-personally identifying information is to better understand how visitors of all sites operated by S.A. Proto use these websites. From time to time, S.A. Proto may release non-personally-identifying information in the aggregate, e.g., by publishing a report on trends in the usage of its website to external parties to, for example, give sponsors information about visibility.

Check here for Matomo's Privacy Policy. Matomo is a self-hosted software product. This means that although S.A. Proto uses software provided by Matomo, S.A. Proto is in full control of all information collected by the software. This information is not accessible by Matomo, and never leaves servers operated by S.A. Proto.

You can opt-out for web analytics on the websites operated by S.A. Proto as described in this section here.

All Administrators may see information collected through Matomo.org

Sentry, error tracking software

If something goes wrong on our website, (meta) information about the problem will be send to Sentry. This information includes UserID and User input. This is to see what went wrong, so this issue can be resolved. This information will be stored no longer that 7 days. Please check their privacy policy for more information.

All Administrators may see information collected through Sentry

ict/privacy/details.1580738530.txt.gz · Last modified: 2020/02/03 15:02 by x.vanbruxvoort