Who are we?

Study Association Siduri

Our website adress is: https://siduri.nl.

Chamber of Commerce (CoC) number: 57848254

Which personal data do we collect and why?

  1. The data that Siduri receives from its members are confidential and are only to be used when deemed necessary by both the board and the relevant committee.
    1. Personal data include the standard details about a member: date of birth and/or age, student number, address and email address. These data are provided to Siduri during membership registration and should only be used in efforts related to the association.
    2. Financial data include the bank account details of members. These are used for direct debits or for verifying payments made by members. These details are only accessible to the board and can only be obtained by committees upon request and if the board deems it necessary. 

Policy for data usage by committees

  1. Committees only request personal or financial details from either the board or the relevant Siduri member when these serve an active purpose, for instance in the case of the organisation of activities, or are essential in emergencies. 
    1. An exception to this is that the ACI (Advies Commissie Introductietijden) [UG advisory body on student introductory periods] may rule that additional information should be obtained by the study association if the member comes along to the introduction camp. 
    2. In order to ensure that Siduri can organise trips with an overnight stay in a safe and secure manner, Siduri chooses to follow the guidelines of the ACI outside introductory activities, for instance on the yearly trip abroad. In this case, Siduri’s board and/or committee may request members’ personal information via a registration form, parallel to the registration for the introduction camp. 
  2. Committees may only request personal information of Siduri’s members after explicit consent of the board, with the exception of a member’s (full) name and date of birth/age. 
    1. Personal data concerning (full) name and date of birth/age may be provided to official bodies, such as companies or organizations with a CoC (KvK) number, and embassies, for instance with regards to the organization of an activity. Such bodies will have general privacy policies that are regarded by Siduri as processor agreements. Such bodies will only obtain members’ personal data concerning (full) name and date of birth/age when they have explicitly requested this and when the goal of this request has been clarified, and only with explicit consent of the board. 
      1. Examples of good reasons to provide members’ personal data concerning (full) name and date of birth/age are:
        1. When all attendants have to be of legal age with regards to the consumption of alcohol or other legal provisions concerning age limits.
        2. When this is in accordance with the security policy of the body in question. This may be the case with visits to embassies or intelligence services. Only the aforementioned personal data of those members present at the activity will be provided. 
        3. Other situations that have not yet arisen may necessitate the disclosure of aforementioned personal data. This will only happen when the motivation of the official body is deemed sufficient by the board.
    2. Committees may request members’ personal data other than a (full) name and date of birth/age by way of a registration form, only after explicit consent of the board, in the following cases:
      1. The introductory camp,
      2. The yearly trip abroad,
      3. Visits to official governmental bodies. Such bodies will have general privacy policies that are regarded by Siduri as processor agreements. Such bodies will only obtain additional personal data of members when they have explicitly requested this and when the goal of this request has been clarified, and only with explicit consent of the board. Such bodies may include, but are not limited to:
        1. Embassies
        2. Consulates
        3. Intelligence services. 
    3. Such personal data may only be used:
      1. When these data are necessary in case of emergencies. 
        1. This includes for instance an emergency contact person, or allergy information. 
        2. Such information remains between the relevant committee and the board; exceptions to this are emergency situations that necessitate the provision of such personal data to third parties in order to secure the health and well-being of that member. An example of this might be the provision of allergy information of a member to medical services in case of an emergency. 
      2. When explicitly requested by official bodies, such as companies or organizations with a CoC (KvK) number, and embassies. Such bodies will have general privacy policies that are regarded by Siduri as processor agreements. Such bodies will only obtain members’ personal data concerning (full) name and date of birth/age when they have explicitly requested this and when the goal of this request has been clarified, and only with explicit consent of the board. An example of this is passport numbers for flight tickets for our yearly trip abroad. 
      3. When the ACI, or another body of the UG requests permission to access Siduri’s internal administration for monitoring purposes, after explicit consent of the board. 
  3. The treasurer of the association has access to members’ data concerning payments. If a committee wishes to know whether members have paid for an activity they organise, they may request the treasurer to provide this information. This information remains between the relevant committee and the board. 
    1. Any problems with a member’s payment for an activity are only discussed between the relevant committee and the board. 
  4. To ensure that committees handle members’ personal information in a prudent and cautious manner, the association’s commissioner of internal affairs will discuss provisions 1 and 2 of this privacy policy for committees with the chairs of the committees at the time of their launch. 
    1. If necessary, the commissioner of internal affairs may remind the committee chair(s) of these provisions later in the year. 
    2. If there is no commissioner of internal affairs in the board, this responsibility falls to the secretary. 
  5. To ensure that committees handle members’ financial information in a prudent and cautious manner, the association’s treasurer will discuss provision 3 of this privacy policy for committees with the treasurers of the committees at the time of their launch. 
    1. If necessary, the association’s treasurer may remind the committees’ treasurer(s) of these provisions later in the year. 

Cookies

  1. When you leave a comment on our website, you can indicate whether your name, email address and website may be stored in a cookie. We do this for your convenience, so that you do not have to fill in this information the next time you leave a comment. Such cookies are valid for a year. 
  2. If you have an account on our website and you log in, we store a temporary cookie to determine whether your browser accepts cookies. This cookie does not contain personal information and will be deleted once you close your browser.
  3. When you log in on our website, we will store some cookies related to your login information and screen display options.
    1. Login cookies are valid for 2 days.
    2. Cookies for screen display options are valid for 1 year.
    3. If you select ‘remember me’, your login information will be stored for 2 weeks. 
    4. When you log out, login cookies will be deleted.
  4. When you edit or remove a message, an additional cookie will be saved by your browser. This cookie does not contain personal data and only contains the post ID of the article you edited. 
    1. This cookie is valid for 1 day.

Embedded content from other websites

  1. Messages on this website may contain embedded content, such as videos, images or other messages. Embedded content of other websites behaves as if the visitor of our website also visited those other websites. 
    1. Websites of which content is embedded on our website may collect your data, use cookies, include tracking by third parties, and monitor your interaction with the embedded content in question, including the interaction with embedded content if you have an account and are logged in on that website.

Who do we share your data with?

  1. Personal information that Siduri receives is confidential and is only used when this is deemed necessary by both the board and the relevant committee, according to the provisions set out above. 
    1. The membership administration is stored in a secure place. 
    2. Email addresses of members and habibis are shared with Laposta in order to send our monthly newsletter. Please refer to Laposta’s privacy policy: https://laposta.nl/privacy-statement

For how long do we store your data?

  1. Personal data will be deleted after a member terminates their membership.
    1. Personal data will be stored until the end of the academic year. This means that if a member terminates their membership in May 2022, their data will be stored until September 2022. Siduri will mention this provision at the moment of registration. 
    2. Exception to this is that after a termination of membership, financial data will be removed from the membership administration, but they will be stored up to three years in the financial records of the association. This means that financial information cannot be used actively, but will be retained with regards to the application for a graduation fund or other funds at the Central Executive Board for Student Organizations (CUOS). 
    3. We store personal data of users that are registered on our website in their user profile.
      1. All registered users can access, edit or delete their personal data, with the exception of their username, which cannot be edited. 
      2. Website administrators can also access and edit this information.

Your rights concerning your data

  1. If you have an account on our website and/or you have left messages/comments, you can request an export file on your personal data we have stored, including all data you have provided us with. 
  2. You may request that we delete any personal data we have of you.
    1. This does not include any data we have to store with regard to administrative, legal or security purposes.

Contact information

  1. When a member and/or website user wants to access their information, they can send an email to bestuur@siduri.nl. You may request that we delete any personal data we have of you. This does not include any data we have to store with regard to administrative, legal or security purposes. 

Which measures have we implemented with regards to data breaches? 

  1. In the case of a data breach, Siduri is responsible for documenting this within 48 hours and for reporting this to the Autoriteit Persoonsgegevens (AP) [Dutch Data Protection Authority] and the parties involved, if necessary.
    1. In the case of a notification/report, documentation is the first step. In this documentation, Siduri should include the moment of the notification, which data leaked, and what will be done to retrieve these data if possible. 
      1. If retrieval of data is impossible, the data breach should be reported to the AP and the parties involved. 
    2. Notification of the parties involved should happen within 48 hours. This should include a report on the data it concerns, as well as measures Siduri will take to safeguard members’ privacy, despite this data breach.
    3. After these 48 hours, it is up to Siduri to ensure that data are better protected, so that they cannot be leaked again. 
X