This is an old revision of the document!
This is a draft document and has no official status yet.
This document is supposed to replace the chapter on “Personal information” in the Rules and Regulations of S.A. Proto as per the next General Member Meeting.
This document is written on a best effort basis and its aim is to provide a comprehensive view of the current situation. Please e-mail firstname.lastname@example.org if you believe this document contains mistakes or needs clarification.
These general provisions describe how the association handles privacy and your personal information in general. This section should give you a short overview on how S.A. Proto handles your data in general. This section serves as a replacement to the chapter Personal information in the Rules and Regulations of S.A. Proto.
This section does not go into exact detail. If you wish to have a more specific insight in the information S.A. Proto has about you, please see the section Explanation of specifics.
In general, your personal data is collected by S.A. Proto in one of the following ways:
If data is acquired in any way other than those above, it will be specifically mentioned in this document.
Almost all of the information S.A. Proto has accumulated about you can be reviewed by you on the website of S.A. Proto on your dashboard, your profile page or on the relevant part of the S.A. Proto website. It should be explicitly stated that it is always the intent of S.A. Proto to be transparent about the information the association has about you. If you wish to receive an overview of information S.A. Proto has about you that cannot be found on the website, please send an e-mail to email@example.com with your request. We aim to reply to your request within one week, but reserve the right to take up to four weeks for our reply.
In general, only the board of the association, the IT administrators and specific committees can see (part) of the data S.A. Proto has about you. The latter concerns committees that need access to some of your information in order to provide you or the association services. Examples of this are to predict what stock to buy for the OmNomCom, or to prepare activities.
Any personal data supplied to S.A. Proto is never shared with third parties, except in special cases involving the University of Twente. Those are outlined below.
How exactly S.A. Proto uses your data is explained further on in this document. In general, your data may be used to:
S.A. Proto may also send you:
S.A. Proto will primarily contact you via e-mail. Only in exceptional occasions will you be contacted by regular mail.
You can object to S.A. Proto sending you information, except for:
If you wish to object to S.A. Proto sending you information, you may do so via the website, or by contacting the association board.
For information on how to object to usage of other personal data, please refer to the second part of this document.
If S.A. Proto wishes to outsource processing of personal information of members of S.A. Proto to a third party, an agreement needs to be established with this third party that guarantees that the information is processed secure, in the right way and for the right purposes.
This section will provide you with a detailed view of the various kinds of information S.A. Proto processes, how this is acquired, where it can be reviewed and how it can be modified and/or deleted.
This section serves as an addition to what was previously described in the chapter Personal information in the Rules and Regulations of S.A. Proto.
Common groups that will be repeated throughout this document are:
Everyone in the System Administrators, Administrators and OmNomCom groups have signed an NDA or Non Disclosure Agreement .
If you register an account with S.A. Proto, you are asked to provide:
Upon account creation, this information is stored on our servers and visible only to Administrators. Other users and/or members cannot see your information. You are also assigned an internal numerical user ID, which is used to link all your data to your account. This user ID contains no PII and is retained indefinitely.
The rationale behind requesting this data is that, for the vast majority of people, creating an account on the website is followed by either becoming a member, or to purchase tickets to an open event. Both of these require the given information, which is why it is already asked when creating an account.
This information is stored together with your account, and retained as long as your account is active. If you have no active S.A. Proto membership, you can deactivate your account (and delete most of your PII) via your dashboard. You cannot deactivate your account as long as you have a running membership. If you wish to terminate your account, please contact the association board.
Note: even for a deactivated account (only) your name and e-mail address is retained indefinitely. If you wish to prevent this, please change your e-mail address to something random before deactivating your account. You can do the same for your name. To change your name, please contact the association board.
Any additional PII you add to your account can be removed again via your dashboard, as long as you don't have an active membership.
If you are a member of S.A. Proto some of the PII mentioned earlier will become visible for other members of the association:
We believe that it is necessary for members to be able to contact each other in order to ensure a smoothly running association. This is why we do not allow you to hide your e-mail address for other members. Your e-mail address will never by visible to guests or users.
Becoming a member of S.A. Proto also requires you to add two extra pieces of information:
Both of these are added by you via your dashboard. As soon as you are a member, this information can only be changed, not deleted. In order to completely delete this information, you have to terminate your membership.
Your living address and your SEPA withdrawal authorization or only visible to Administrators. You can voluntarily choose to share your address and/or phone number with other members of the association, but not users, (and reverse this) via your dashboard.
The page where you can authorize S.A. Proto for a SEPA direct withdrawal processes your IBAN. To improve usability your IBAN is sent to openiban.org to see if your BIC can be automatically determined. No other PII is sent to openiban.org.
Additionally, you can also choose to supply:
This information is only visible to Administrators and to members of the committees that organize activities you attend. This information is retained until you manually change or delete it. Note that the latter can only see your dietary or allergy information:
Finally, if you choose to become active by joining of a committee, your name will be added to the page of the committee you are joining (along with a join and leave date and a function description), and this will be visible to members. Your committee memberships are retained indefinitely, even you deactivate your account.
In the course of your S.A. Proto membership, you can make purchases at various points. These purchases can include food and consumables at the OmNomCom, participant's fee for activities and your membership fee. Any purchases you make are saved and retained indefinitely, even if you terminate your membership or deactivate your account. All purchases are visible and searchable by the OmNomCom. During some activities you can pay for your consumptions in cash. If you pay in cash, the purchase is logged but not linked to your user account.
Administrators are also able to see the aggregated purchase and payment information that is visible to you. This includes totals for each month, which withdrawals you were included in and the amount that was involved in these withdrawals.
Purchase history may be used to present you with your favorite purchases in the OmNomCom, and to generate (anonymized) statistics that can help the OmNomCom manage stock better and more efficiently. Your purchase history and derived data will never be sold to other parties.
You can pay for your purchases either via an automatic withdrawal or using our online payment provider. As a member, paying via automatic withdrawal is the default option. See also the notes in withdrawal authorizations earlier in this document. If you pay using automatic withdrawal, the details of your withdrawal authorization (including your name and bank account number) are shared with the bank of S.A. Proto in order to perform the automatic withdrawal.
Alternatively, you can pay using our online payment provider Mollie (see here for their terms and conditions, including privacy statement). We do not send data of individual purchases or PII to Mollie, only the total amount you wish to settle including a generic description. When you pay, Mollie receives some data on you depending on the payment method you choose. For example, if you pay using iDeal, Mollie receives the bank account number and bank you paid with. This information is also available to Proto and may be processed automatically.
Please note that not linking any payment data to your account (e.g. removing your withdrawal authorization or refusing to pay via Mollie) does not excuse you from settling your debts with S.A. Proto. If you have a privacy concern with any of the existing options, please contact the treasurer of S.A. Proto to see if it could be possible to pay in cash or via another method.
Over the course of being a user of the S.A. Proto website, or a member of the association, information may be created and/or generated by you or about you. We try to provide a comprehensive list below, but do not guarantee this list to be complete.
You can add, edit or remove a profile photo via your dashboard. This is completely voluntarily. As a rule of thumb, assume that your profile photo is visible wherever your name is. Your profile photo is retained till you delete or change it.
You can receive achievements (virtual 'prizes' for achieving something) automatically or manually. These are visible to other members of the association in your profile. Please contact the association board if you don't want an achievement to be shown in your profile. Achievements are retained until they're deleted by an Administrator.
If you participate in, organize or help with an activity, your name may appear indefinitely on that activity's page. The only way to prevent this is by not going to activities.
S.A. Proto keeps a history of which videos are added to the ProTube video system. If you are logged in with your user account to the website in the same session and/or browser you use to add a video to ProTube, this act may be associated with your account. If you wish to prevent this, please use ProTube only from a private browsing session where you are not logged in to the website. Played video history is retained indefinitely until manually deleted by a System Administrator. If you wish to anonymize part or all of the video history tied to your account, please contact any of the System Administrators directly.
The website has a place where members can see and place quotes by other people and/or members. If there is a quote that you posted, or in which you are mentioned, and you wish to have this quote removed, please contact the association board. Quotes are retained until deleted by an Administrator.
You can link RFID cards to your account via the OmNomCom system to speed up check-out. If you do this, the card's UID is saved. This is in fact required if you want to buy something during drinks. You can edit or remove an RFID card at any time via your dashboard. RFID cards are retained until you remove them.
The ICT systems of Study Association S.A. Proto integrate with those of the University of Twente on several fronts.
S.A. Proto offers a University of Twente address book that allows users to search into the contact details of UT employees and students. The UT maintains the information in this address book and S.A. Proto merely relays the query of the user to this address book. The UT address book on the S.A. Proto website is only accessible to user accounts that have linked an active UT account to their S.A. Proto account. All the information in the UT address book is otherwise also available via their LDAP directory service, which can be accessed by anyone with access to the UT network.
The information from the UT address book is not used to automatically update any information related to your S.A. Proto user account or membership.
The LDAP directory service is, where not explicitly mentioned otherwise, also the source of data S.A. Proto uses to perform the other actions described in this section.
From your dashboard you can link or unlink a UT account from your S.A. Proto account. Having a UT account linked to your S.A. Proto account entitles you extra privileges on the website. As long as you have a UT account linked, S.A. Proto stores your student or employee number as part of your user data. S.A. Proto does not store your study/department, it requests it on the fly from the UT when you load your dashboard. If you unlink your UT account from your S.A. Proto account, S.A. Proto also removes the reference to your student or employee number from your user data.
If you log-in using your UT credentials (either to link your account or to login to the website) you are redirected to the single sign-on (SSO) environment of the UT. Your UT credentials are not read by, transmitted to or processed by us. If SSO authentication succeeds, you are redirected back to S.A. Proto. In this process, S.A. Proto is presented your student number, full name and student e-mail address. Your student number is stored as described elsewhere, your name and student e-mail address are discarded.
Although S.A. Proto stores your student or employee number if you choose to link your UT account to your S.A. Proto account, it does not make this number searchable for other users, also not via the UT address book. Only the Administrators can find you by this number or look this number up for you.
S.A. Proto performs automated and periodical checks against UT records to decide whether a member is currently a Creative Technology student. This check is performed to establish whether this member needs to pay the regular or reduced membership fee. S.A. Proto does not keep a record that indicates directly whether a user is a Creative Technology student, although this can be inferred from the membership fee charged to that member. The UT cannot learn anything about non Creative Technology students from this check.
If you believe you were charged the wrong membership fee, you can contact the treasurer of S.A. Proto for rectification.
S.A. Proto is entitled a grand from the faculty of EEMCS at the University of Twente because of its status as the study association of Creative Technology. To qualify for this grand, S.A. Proto needs to show how many of its members are a student at the faculty of EEMCS. To do this, S.A. Proto sends a list with the names, e-mail addresses and student numbers (if applicable) of its members to the faculty of EEMCS, so the faculty of EEMCS can determine the correct height of the grand. S.A. Proto and the UT agree to treat this list confidential and to destroy the list after use. The UT is not allowed to retain any of the details on this list for its own use.
S.A. Proto periodically and automatically checks whether the UT accounts users have linked to their S.A. Proto account are still valid and active in the administration of the UT. If this automated check determines a UT account is deactivated by the UT, it will be removed from the S.A. Proto account. The user is not informed of this. If you believe the check to have incorrectly removed your UT account from your S.A. Proto account, you can always contact the website developers.
S.A. Proto does not have access to study progress, grades or other study related records. S.A. Proto can look up what study you follow using your name, e-mail address and/or student number, but does not store this information. Users can (voluntarily) indicate their current and/or past study programs along with start and end dates via their dashboard. When this information is present, it is shared with members of the association and can be used by S.A. Proto. The study details you enter via your dashboard are never shared outside of the association, except in anonymized form (for example, to indicate how many students of a certain study are a member of S.A. Proto). Study details you have entered are retained until you delete them.
At activities organized by or together with S.A. Proto, photographers or film crew may be present at the activity and they may take a picture and/or video of you that may later be published. If this makes you feel uncomfortable, please indicate this to the people taking the photos/video. They will do their best to take it into account.
In the case of photographers/film crew of S.A. Proto (most notably, the S.A. Protography committee), S.A. Proto reserves the right to take or publish any pictures taken. For activities that are likely to generate embarrassing photos (a cantus, for example), S.A. Proto will take precautions to prevent embarrassing photo from being put online without consent from the subject. For other activities though, S.A. Proto reserves the right to publish photos without asking consent. Either way, by joining an activity you are surrendering your portrait right for any photos taking during that activity. You may always request a photo to be taken off-line after publishing. To do that, please contact the association board.
In the case of external parties (press, for example), please ask that party or the association board for their policy regarding portrait rights.
The S.A. Proto website makes use of various cookies to provide session and log-in persistence. These cookies are functional and do not allow us to collect privacy sensitive data.
When you visit any of the S.A. Proto websites technical metadata (which can including your IP-address, browser user-agent and URL you access) will be logged by the web server.
When you send e-mail via S.A. Proto (either towards an @proto.utwente.nl address or by using S.A. Proto's SMTP servers), a copy of that e-mail will be temporarily stored on our servers while the e-mail is in transit. That copy will be deleted once delivered to the following e-mail server. Additionally, our mail servers log activity (this includes to and from addresses, as well as the subject of the e-mail – the body of an e-mail is never logged) to combat spam and troubleshoot problems.
Only System Administrators have access to this data.
All Administrators may see information collected through Google Analytics.