Data Privacy Policy Statement

Agora  Patra,  May  2014

I -­ General Provisions

Article 1: Object and Purpose

The purpose of this statement is to secure right to privacy of AEGEE members, with regard to:

a)     the gathering and automatic processing of personal data relating to them;

b)    information and all relevant data about the Association, its work and its members.

 

Article 2: Definitions

(1) For the purposes of this statement the following expressions shall have the meaning hereunder assign to them:

a)     “anonymous statistical data” is information collected on a categorical basis (by survey from data subjects, or from AEGEE data bases) in terms of the design of survey in such a way that the further reconstruction of the information about the data subject is not possible;

b)    “automatic processing” includes the following operations if carried out in whole or in part by automated means: storage of data, carrying out of logical and/or arithmetical operations on those data, their alteration, erasure, retrieval or dissemination;

c)     “blocking” means the marking of stored personal data with the aim of limiting their processing in future;

d)    “data subject” is the member of a local or contact of AEGEE to which the information applies;

e)     “external data subject” is a person or organisation not a member of AEGEE to which the information applies;

f)      “data subject’s consent” means any freely given specific and informed indication of the wishes by which the data subject signifies his agreement to personal data relating to him being processed;

g)     “external data” is information which emphasize the aim, purposes of the Association and its work, available and open or all interested parties;

h)    “internal data” is information about the Association and its work which can be accessed only by the AEGEE members;

i)      “internal confidential data” is information about the Association and its work which can be accessed only by certain number o AEGEE members, due to a position in the Association they hold;

j)      “internal AEGEE body data” is information belonging to a specific body and is for internal use o that body and can be accessed by those people as is defined in the internal rules o the body;

k)    “Ombudsman of AEGEE” is body charged with representing the interests of the data subjects by investigating and addressing complaints reported by the members of AEGEE;

l)      “personal data” is meant any information relating to an identified or identifiable data subject;

m)   “personal data filing system” means any structured set of personal data which are accessible according to the specific criteria, whether centralized, decentralized or dispersed on a functional or other kind of basis;

n)    “processing of personal data” means any set of operations which is performed upon personal data, whether or not by automatic means such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, usage, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

o)    “processing responsible” means a person who is in charge of the safe personal data processing and storage of the data on behalf of AEGEE. A processing responsible shall sign the Contract of Confidentiality, after being appointed by the competent body;

p)    “processor” means a body of AEGEE who has the right to use and apply the data which is handed and trusted by the data subjects (the Comité Directeur, organisers, locals etc.);

q)    “recipient” means any person, body, institution or organisation to which data is disclosed;

r)     “suspension” refers to accessing services provided by all the bodies of AEGEE-Europe, except for those provided by the local the data subject is a member of.

 

Article 3: Scope

AEGEE-Europe undertakes necessary actions to certify the correct application of this statement to the personal data files and the automatic processing of personal data of all data subjects and all AEGEE-Europe’s actions, events and activities.

 

II – Basic principles for data protection

 

Article 4: Levels of protection of the data

(1) Having in mind best practices and aiming to guarantee due usage and corresponding levels of secrecy, all the information of the Association shall be divided into:

a) external data or data accessible for all;

b) internal data or data accessible only for AEGEE members and subject to exceptions granted by the Ombudsman;

c) Internal confidential data or data accessible only for certain AEGEE members holding official position in the Association and responsible for information which they deal with and/or have access to for as long their term lasts.

(2) The Ombudsman shall publish a list of the data according to the division stated in paragraph (1) of the present Article. This list shall be ratified by the Agora.

(3) Changes to the list as defined in paragraph (1) of the present article can be proposed to the Ombudsman.

 

Article 5: Data communication tools and data storage tools

(1) All the data about the Association and its work shall be stored and presented through certain official tools meant for storing and spreading information accordingly.

(2) The Ombudsman shall comprise a list of data communication tools and a separate list of data storage tools according to the levels of protection the data communicated or stored through on the respective medium requires. Possible use of encryption or safety requirements may be indicated in the list.

(3) The Ombudsman shall publish a list of data communication tools and a separate list of storage tools and send an update before each Agora. These lists shall be ratified by the Agora.

(4) Only those data communication and storage tools included in the list shall be used to store, present and spread information about the Association and its work.

(5) To obtain a status of data communication tool of the Association, a formal request shall be sent to the Ombudsman. The Ombudsman shall decide on the matter and send its reply within 2 weeks after the request will be received.

(6) Storing information on any other devices or locations that are not included in the list require an exception granted by the Ombudsman.

(7) At the end of the term of certain AEGEE members all confidential data that was stored on their personal storage devices should be removed. A copy may be kept on storage devices of AEGEE-Europe which is only accessible to those as defined in the data storage tools list.

(8) At any time, any AEGEE member can request the Ombudsman to provide information about the storage and use of his/her personal data. Within the confidentiality limits set out in Article 4, the Ombudsman shall provide the fullest possible account of this data within 2 weeks. 

Article 6: Quality of Data

Personal data undergoing automatic processing shall be:

1)    obtained and processed fairly and lawfully;

2)    stored for specified and legitimate purposes and not used in a way incompatible with those purposes;

3)    adequate, relevant and not excessive in relation to the purposes for which they are stored;

4)    accurate and, where necessary, kept up to date; keeping in mind the obligation of individual members to update their data to the current situation as defined in article 6(3);

5)    preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.

 

Article 7: Data Security

(1) AEGEE-Europe stores and is responsible for the application of adequate security measures relating to the process of storage and automatic data processing.

(2) AEGEE-Europe uses personal data of each AEGEE member only for those purposes defined in the present statement.

(3) Processing responsible persons have to sign a contract of confidentiality with the Comité Directeur before they are granted access to the databases.

(4) For the purposes of this statement the functions of the Ombudsman of AEGEE are entrusted to the Mediation Commission.

 

III – Rules for handling and storing of personal data

 

Article 8: Rights and Obligations of Data Subjects

(1) A data subject has the right to request all its personal data that is stored; for that purpose, the data subject must contact the processor.

(2) Data subjects should obligatorily define the next kind of personal data:

a)     real name/surname;

b)    email;

c)     local/contact;

d)    date of birth;

e)     nationality;

f)      field of studies;

g)     gender.

(3) 1The Comité Directeur may require extra personal data like home address or social network/messenger identifiers. 2Those extra data will always be provided on an optional basis.

(4) 1A data subject has the right to withdraw the permission to store its personal data. 2This will result in suspension. 3For the coherence of the personal data filling systems and the anonymous statistical data, the following data cannot be withdrawn: local/ contact, year of birth, nationality, field of studies, gender. 4This kind of data can be stored for five years after the suspension and must be deleted afterwards.

(5) Data subjects are obliged to keep their data up to date and make the needed changes when necessary.

(6) 1In any case when a data subject or a group of data subjects holds probable that their data is not stored or processed in accordance to the provisions of the present statement, they may request an enquiry by the Mediation Commission. 2The Commission will give a binding verdict within two weeks after the initial request was made and after contacting both parties. 3Until there is a verdict, the data may not be processed.

 

Article 9: General Rules of Data Processing

(1) Data is collected for specified, explicit and legitimate purposes and is not further processed without the prior data subject’s consent or in a way incompatible with AEGEE purposes.

(2) Certain personal data may be published online in a system open to AEGEE members only in case the data subject gives its consent.

(3) The processing responsible has the necessary access and power in order to ensure proper functioning of the personal data filling system and validity of the data.

(4) The Comité Directeur:

a)     composes and publishes a list of data processing responsibles. 2Changes in this list have to be announced to the Network in a sufficient way;

b)    defines the optional scope of data which AEGEE would like to gather from data subjects by subscription or other means;

c)     has the opportunity to delegate the rights defined in sub paragraph a) and b) paragraph 4 of the present article to any other AEGEE body.

(5) Activities organised by AEGEE:

a)     the information concerning the data subject mentioned in sub-paragraph of the present article is also used in order to confirm your participation in any kind of AEGEE-activities as a member of the AEGEE;

b)    with the purpose of the organisation of different kinds of AEGEE-activities, except the obligatory data any other subsidiary or extra data can be required by the Organiser of current activity;

c)     the whole scope of the information mentioned in sub-paragraph b) paragraph 4 of the present article, given by the data subject by its consent, is used only according to the purposes and aims of the current activity and is valid only for one time usage within such activity.

(6) Activities in co-operation with AEGEE:

a)     in order to apply and take participation in such joint activities the data subject shall give its consent for the usage of the required data according to the provisions of the present article in any such case;

b)    the data usage shall be used only within the current external activity;

c)     in case you apply for an event of a partner of AEGEE the data privacy of that partner is in apply;

d)    in case of a joint activity, it should be announced beforehand which data privacy statement is in apply.

(7) The provisions of this article shall be used while organising any AEGEE-activity.

 

Article 10: Commercial Usage of Data

(1) AEGEE-Europe will not give non-anonymised personal data to third parties, unless the involved data subjects give their consent.

(2) 1The Comité Directeur may give anonymous statistical data about the data subjects to third parties in order to gain profit from this. 2The Mediation Commission should give permission to do so. 3If the Mediation Commission will not respond to the permission request within two weeks from the request application date it will be considered as rejected.

(3) The Comité Directeur may send advertisements by third parties to specific to data subjects (e.g. Law or Engineering students) of AEGEE.

(4) 1To minimise inconvenience, data subjects can only receive up to ten commercial messages a year. 2The Mediation Commission should be notified in advance.

(5) 1Each data subject has right to refuse to get any kind of such advertisements. 2The refusal note shall be first made while signing the data protection statement personally by each data subject. 3The information about the refusal will be automatically reserved in the data base.

 

Article 11: Transition period

1All existing systems should comply with the rules within two years from the date of approval of the document. 2The Agora may grant an exception for a specific system if it appears to be impossible to fix the problems in time and set a new deadline.

 

IV – Final clauses

 

Article 12: Applicable Law

(1) 1Access to the data can be forced by court decision. 2AEGEE-Europe will fully cooperate with the legal authorities in order to fulfil the decision of the court.

(2) AEGEE-Europe shall do its utmost best to protect subject’s data.

(3) AEGEE-Europe shall not be responsible for unauthorized access outside its control, including, but not limited to, hacking, theft of hardware and eavesdropping.

 

Article 13: Amendments and Special Procedures

(1) Amendments to this document can be made by the Agora only with a qualified majority of votes.

(2) 1For cases not regulated, the Comité Directeur may act outside its competence provided it gets a permission from the Mediation Commission to do so. 2If the Mediation Commission will not respond to the permission request within two weeks from the request application date it will be considered as rejected.

(3) Other processing responsibles need to phrase a request for actions outside their competence to the Mediation Commission via the Comité Directeur.

Leave a reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>