Privacy Regulations

This page shows Sophia Aeterna’s Privacy Regulations. These regulations were last updated on June 26, 2023. These Privacy Regulations are a translation of the Dutch version. Only the Dutch version is legally valid. If there are any discrepancies between the Dutch and English version, the Dutch version will be followed.

Preface

Dear reader,

This document has been drawn up to lay down how the association processes personal data, in response to the General Data Protection Regulation, which will enter into force on May 25, 2018. In this document, on the one hand, the rights of individuals to view, change or delete their own data are described. On the other hand, the obligations of the association to act consciously and with respect for privacy are also laid down. The document is therefore extremely important for both boards and members.

The process leading up to the drawing up of this document was as follows. The assessor of 2017/2018 (Benjamin Plomp) was present at the association meetings between associations of the Faculty of Humanities. In addition, there was a meeting of STOP about the GDPR that was attended by two board members. With sufficient information about the new legislation, we started establishing this policy. First of all, the data flows within Sophia Aeterna have been mapped and the registration form has been adjusted. These data flows provided insight into what is or is not necessary to keep. This policy was then drawn up on the basis of the data flows.

This document is meant to justify which data we use, for which purposes this data is processed and kept, who has access to the data and on which conditions. The retention periods we use are described here as well. Furthermore, step-by-step plans for dealing with requests of members to view, change or delete data are included. In this way, we hope that this document will be a practical guide for future boards to act in accordance with the GDPR, as well as a way to make members aware of their rights.

For questions or feedback, the board can be reached by mail: sophia.aeternaleiden@gmail.com

On behalf of Board VI,

Jikke Koning

Praeses 2017-2018

This policy was revised on March 12, 2023 by Board XI.

Wherever the masculine form is used in these regulations, the feminine or gender-neutral form may also be read.

1. Internal

a. Statutes and Internal Regulations

Article 5 of the Internal Regulations (IR) deals with personal data. This article describes which personal information is stored when someone becomes a member. It also makes clear what the rights of members are concerning their personal data. Article 5, paragraph 7 of the IR goes as follows:

7. Members have the right at any time to:

a. view the data they have provided to Sophia Aeterna;

b. withdraw the consent given for data processing and thus to be deleted from the database within a reasonable period of time;

c. be deleted from the membership database as soon as possible after the termination of the membership;

d. submit a complaint to the national supervisory authority in the event of a violation of standards from this article or from the General Data Protection Regulation.

Article 24 of the IR, which deals with the archive, also clearly states that data in the archive is processed in accordance with the GDPR, see article 24, paragraph 1 of the IR:

24.1 The board is responsible for the archive of the association. In doing this, it takes into account the rules of the General Data Protection Regulation.

Article 24, paragraph 7 of the IR further states that documents from the archive may only be viewed with permission of the board.

Thus, the IR provides, in combination with this privacy policy, a good guideline for boards on how to handle members' personal data carefully and in accordance with the GDPR.

b. Newsletter

For the newsletter, the programme Mailchimp is used. However, the newsletter will only be sent to Sophia Aeterna's email address. Then it will be sent to the members. The e-mail addresses of the members are therefore not shared with Mailchimp, with which no processing agreement has been concluded.

c. Member administration

The membership file is kept partly analogue and partly digital. The registration forms with signatures are kept in the analogue part. The digital part contains the data from the registration form in a digital file. The digital part of the membership file is held on the computer of the Secretary. We are aware that this is still sensitive, and for that reason, the file is protected with a password. There is no digital back-up of the file, but if it is necessary, we do have the data in the analogue archive. 

The data we request when registering are the following: name, study, study phase, e-mail address, date of birth and signature. It is also possible to state one’s pronouns. As an association, it is necessary to be aware of the name of a new member to properly store and use the other data. We primarily use the e-mail address to send invitations to the General Assembly. In addition, we store and use the e-mail address to distribute information about activities among our members. We ask for information about the study someone is following to determine whether someone is eligible to become a member. The conditions for becoming a member are described in article 4 paragraph 3 of the Statutes. We ask for the study phase because we organise activities for specific target groups, which depend, among other things, on the study phase. We ask for the date of birth so we can determine someone's age and apply the alcohol law. In addition, age can sometimes be relevant for the price categories of, for example, museum and theatre tickets.

Only the board and the member in question have access to this data. The member may at any time request to view, change or delete their data. However, after the deletion of a part of this data, membership is no longer possible. The name and date of registration, as provided upon registering, may also be published in the almanac, if this has been agreed upon during registration by means of the tick box on the registration form. For members who became a member before the new GDPR legislation came into force, this applies retroactively, unless the member objects to this.

This data will be deleted when the membership is cancelled. When the board decides to cancel the membership, the data will be kept for one month, because the member can appeal against the decision of the board within that period, according to article 10 of the Internal Regulations. With 'regular' cancellation, a member will be removed from the membership file as of 1 September. If someone no longer wishes to receive mail, they will be removed from the mailing list. The analogue registration form will then be destroyed and the digital data will be removed from the membership administration. When the membership is cancelled, the member will be asked whether he wants to be included in the file of alumni. He then permits his name, e-mail address, the membership's start date and cancellation date to be saved.

d. Activities

i. First-year's weekend

For the first-year’s weekend, we ask for some information in addition to the information that we requested at registration and which is thus included in our membership file. We already ask for the name and age on the registration form. Other information we ask for is a telephone number and an emergency number. A phone number is requested so that the board can reach the participant at all times during the weekend. An emergency number is requested so that the board can reach a relative in case of an emergency. There is also the option to pass on other matters to the board when registering for the first-year’s weekend, which the participant believes is necessary for the board or a board member to be aware of (e.g. eating preferences or medical data). Only the board and the relevant participant have access to this information.

The data requested specifically for the first-year’s weekend will be deleted immediately after the weekend. This does not apply to the data we request via the registration form. If payment has not yet been made, the e-mail of the registration will still be saved. After payment, the registration email will also be deleted.

Members can register for the first-year’s weekend via the registration form or by sending an email to Sophia Aeterna. The above information will be made known to members through an information letter.

ii. Others

There are a number of activities that are organised by the board and not by committees. Examples include theatre visits, excursions, drinks, etc. Registrations for these are kept in a Google Drive file by the Secretary. This also gives the Treasurer easy access to the file. Often the name alone is sufficient for this. For open activities, we also keep track of whether a participant is a member of the study association because special discounts often apply to members. These registration lists and data will be deleted immediately after the activity and after payment. For other activities, you do not have to register and privacy is thus not at stake.

e. Committees

A member who signs up for a committee takes on certain duties and responsibilities. This includes the responsibility to the rest of the committee to be available and reachable, which is why we may also ask a committee member for their phone number. This makes communication easier. Apart from the board and committee members, no one has access to this data.

Committee members also have a responsibility to the association to work effectively and to handle sensitive information responsibly. For this reason, the board can ask a prospective committee member for relevant (work) experience, for example during an application procedure. The board also ensures that the composition of committees is diverse, especially with regard to the study phase, and therefore the board can ask in which study phase a prospective committee member is.

After a possible application procedure, the data collected for this purpose will be immediately deleted.

All committees must ask themselves what data they need, for what purpose, for how long and where it can be stored securely. A rule of thumb is: ask for as little information as possible and remove registrations from the mailbox after the activity. (Don't let the urge to need as little data as possible get in the way of new ideas for activities, though: just explain thoroughly what data is needed and handle it with care once it is collected.) To store the data the committee collects as safely as possible, the password for the mailbox and the drive must be changed every year. In addition, this password must consist of at least 12 characters, of which there is at least one capital letter, one lowercase, one number and one punctuation mark. At the beginning of the procedural documents of each committee, there is a more extensive and concrete explanation. In the future, we may have committee members sign a contract on how to handle personal data to shift the responsibility from the board to the committee members.

A committee does not have access to the bank statements and can therefore not see who has paid for an activity/object, etc. However, the committee does, of course, have contact with the Treasurer of the association about this: after all, the Treasurer must be informed by the committee about which members have subscribed or unsubscribed. Often, the registration list is shared with the Treasurer, in order that he can note there who has paid and so that the committee also knows who has paid. Payment requests to the members are made by the Treasurer and not by a committee.

Some committees organise activities in which alcohol is served, such as the barbecue committee, the December committee and the party committee. If a third party does this, such as in a cafe, the responsibility for age verification lies with the relevant party. If the association or committee itself serves alcohol, the registration list is shared in advance with the Secretary, who checks the membership file to see whether people are coming who are not yet allowed to drink alcohol. The Secretary shares this information with the rest of the board and the organising committee. The emergency response officers present, together with the committee, monitor compliance with the Alcohol Act.

i. Frons

The Frons is unique because the chief editors maintain their own subscriber file. In that file, the name, e-mail address and possible home address of the subscribers are kept. The Frons has their own archive as well. It is thus necessary to deal consciously and responsibly with personal data, such as photos and quotes with acknowledgement.

The Frons has different kinds of subscribers: subscribers who are a member of Sophia and those who are not, and subscribers on the paper and on the digital Frons.

When a Sophia member subscribes to the Frons, he automatically gives permission to share his e-mail address with the Frons. In addition, the Frons has the right to ask subscribers on the paper Frons for their address and to save this information. The e-mail address is necessary to provide the Frons for digital subscribers. For paper subscribers, the e-mail address is primarily required to be able to ask for the address of the subscriber. The address is used for the delivery of the Frons, if it proves impossible to give the Frons to the subscriber at the university. The subscriber has the right not to communicate his address if he does not consider it necessary. However, it is then possible that the Frons cannot provide its services sufficiently.

When someone who is not a member of Sophia subscribes to the Frons, he gives his e-mail address and possible home address to the Frons. Besides, he gives permission to share his e-mail address with Sophia. The Treasurer of Sophia uses this e-mail address to collect the subscription fee.

The deletion period of the data in the subscriber file of the Frons is the same as for the data in the membership file of Sophia Aeterna. When a member cancels their membership, they will be removed from the membership file as of September 1.

The Frons is also dependent on a third party: the printer. The printer's privacy policy states that they will not use the data they receive from the printed matter if it is not necessary. With this, the printer adheres to the GDPR and Frons itself does not have to worry about it.

ii. Almanac Committee

The almanac committee has a similar position, namely that agreements must be made with the printer to ensure that the printer does not store any data and that they work in accordance with the new privacy legislation. Furthermore, the almanac is dependent on the membership file and archive of Sophia Aeterna. The Secretary provides a short membership file for this purpose, in which only the data which may be published in the almanac is included. 

Members give permission on the registration form to use photos of them in the almanac and to be included in the list of members; see also article 1g.

iii. Acquisition-merchandise Committee

The acquisition-merchandise committee enters into cooperation agreements with external parties. In this, there is an advantage for both parties. The advantage can lie in increasing brand awareness by advertising in media such as the newsletter, the Facebook page or website, or the almanac. There is often a financial advantage for Sophia Aeterna in return. In such a case, no personal data is involved.

Other types of collaboration are also possible, for example with a tutoring agency. In that case, it is advantageous for the partner to be able to reach our members for vacancies and the like. However, no data is provided to the partner, but Sophia Aeterna plays the role of intermediary by e-mailing a vacancy to the members. Members can contact the external party themselves.

If members receive discounts at certain companies, they will have to prove that they are members of Sophia Aeterna. The external party then receives information from the member that someone is a member. The responsibility lies with the member and not with the association.

Therefore, in the collaborations entered into by the acquisition-merchandise committee, no personal data is provided to third parties.

iv. Theatre Committee

The theatre committee must remove information about personal agendas in a timely manner, if it has for instance been collected for compiling a rehearsal schedule. Furthermore, it is useful to ask the translators some time in advance whether they want to be mentioned, if the text would be published. Auditions are generally not recorded. This can happen if the auditee gives permission, but then agreements must also be made about the deletion period of the recording. Stage performances are recorded and kept for an indefinite period. Actors should be made aware of this and ideally asked for permission.

v. Travel Committee

The travel committee stores perhaps the most sensitive data of all committees, including information about identification documents and possibly also medical data. It is important here as well that all registrations are deleted after the trip. In principle, the committee does not need to know anything about medication and the like, since the committee bears no responsibility for the well-being of the participants. Nevertheless, it can be important to have such information in emergency situations. For this reason, upon registration, the option is given to pass on information about medication/dietary wishes/allergies to the committee. The participant can therefore inform the committee of this if they consider it necessary. This information is deleted immediately after the trip.

From 2018-2019 onwards, we have decided to stop asking for copies of passports. It is not necessary for booking airline tickets or hostels. It is the member's responsibility to provide correct information, as it says on the passport. If a participant does not want the entire travel committee to be aware of his full name, the participant can contact the Treasurer - who normally provides the information to the third party - and ask him to only share the information with the relevant third party. In such a case, individual agreements will be made.

Only the data that is necessary for booking flights and checking in will therefore be requested. Everyone is then personally responsible for bringing a copy along on the trip if they wish, in case the actual identity document is lost.

The travel committee strives not to stay in unmixed hostels, so that the committee and participants can make a room layout based on their own preferences. In the unlikely event that we stay in an unmixed hostel, it might be necessary to also request the gender in the registration. However, the traffic in data can be minimised by allowing matters such as room allocation to be arranged as much as possible by the participants themselves and on site.

vi. Website Committee

The website is freely accessible to everyone. There is a protected page with photos on the website. When one has become a member of Sophia Aeterna, one can also access this page. This requires first and last name. Sophia then receives an email with the request that someone wants to become a member of the website. The Secretary checks whether the member is in the membership file. Permission is then granted or not.

The entire privacy policy is visible to members on the website. In this way, members can see at all times what their rights are in the field of privacy.

f. Workplace

Our physical workplace consists of an office in the Arsenaal, which is shared with other study associations. It is thus important to properly close everything that is stored there. Our belongings are kept in cabinets that are locked. Both the workplace itself and the cabinets can only be opened with the help of a LU card from a board member. Therefore, other people do not have access to it.

In addition, a lock has been applied to the hard disk that is being kept there. Furthermore, documents containing sensitive data are shredded upon removal and not simply thrown away.

Moreover, board members who have sensitive information on their personal computer or laptop should observe the same points and remove unnecessary information as soon as possible. Finally, the password of the mail and drive should be changed every year. The password must be at least 12 characters and contain an uppercase letter, lowercase letter, number and punctuation mark.

g. Archive

The archive consists of several parts: the secretarial archive, the financial archive, the archive of the Frons and the theatre archive.

i. Secretarial archive

The secretarial archive consists of the following items:

  • Minutes of board meetings. We store these digitally to properly comply with agreements and as documentation for subsequent years. In principle, only the board has access to the minutes of board meetings, unless Article 24 paragraph 5 of the IR applies. These will not be deleted.
  • Board applications. We ask applicants to send their curriculum vitae and a motivation letter. This information will not be shared with other applicants. The data will be deleted as soon as the candidate board has been agreed to by the Acclamation General Assembly.
  • Minutes of the General Assemblies. These are kept both digitally and analogously (with the signature of the Chair and Secretary). We keep this for the general reporting of the association. All members have access to the minutes of the General Assemblies at any time. These will not be deleted.
  • Photos. These are stored digitally. New members give permission via the registration form that photos may be used on social media and in the almanac. In principle, the photos on social media will not be removed, unless someone in the photo requests removal. The almanac will not be deleted. We also have a protected environment on the website where photos are published. This page is only accessible to members, as described under 'website'.
  • Almanac. In the almanac, a list of members is included, stating the name and the year and date on which someone became a member. People give permission for this through the registration form. The almanac will not be deleted.  
  • In addition, various items fall under the secretarial archive, such as mail and posters. Personal data involved are names and addresses. These are removed at the request of the person in question. But in principle, these are sent by people themselves, or committee members themselves have agreed to the distribution of certain posters (for example to promote an activity).
  • The mailbox.

Everything that is stored digitally is on the hard disk as well as in an online environment. At the time of writing, this is Google Drive. 

Everything that is stored analogously is kept in a locked cabinet at our workplace. Board members of other study associations who have access to the same room cannot access the documents. The cabinets can only be opened using a board member's LU card.

ii. Financial archive

The approved budget, the achievement of the entire year, achievements of individual events, the bank account statement, past bank cards and receipt books are kept in the financial archive. The Treasurer has the current bank card. The archive will be kept in order that it can serve as an example for years to come. In the year itself, it is kept so that the auditing committee can check whether the association is financially sound. In addition, it is legally required to keep this archive for seven years. This archive is partly stored on paper in a cabinet at Sophia’s workplace and partly in the digital archive, such as is described in Article 24 paragraph 3 and 4 of the Internal Regulations. Members may request access and may view the archive under the supervision of the Treasurer. None of this data will be deleted.

iii. Frons archive

The editions of the Frons are kept in the Frons archive. Personal data in the Frons are names and years of study in the short bios after articles. These will not be deleted. The addresses and e-mail addresses of subscribers are stored. These are removed as soon as someone cancels their subscription.

iv. Theatre Archive

Photos and films are kept in the theatre archive. This is kept as a reminder of the plays and for possible viewing later. The archive is kept on the hard drive of the association. Members may request access and may view the archive under the supervision of a board member. In principle, this data will not be deleted. If there is an objection, photos can be removed and the film blurred.

2. External

To align our collaborations in various areas with our internal privacy policy, the board and committees must consider the conditions under which an agreement can be concluded and which consequences it will have for the protection of members’ data. Committees that will have a lot to do with this include the almanac committee and the acquisition-merchandise committee. Furthermore, the Commissioner is responsible for contact with other associations and the Commissioner will also have to guarantee that the privacy regulations are in accordance with the GDPR at events involving several organising parties as well. It is also important to look carefully at the use of social media when it comes to distributing data to third parties.

b. Processing agreements with external parties

In addition to the data that comes in via e-mail, there are a few other external parties with whom processing agreements must be concluded. The possible external parties with which Sophia Aeterna is in contact are discussed in more detail in chapter 2, article e paragraphs ii and iv.

Should agreements be made in the future with external parties who will have access to data (besides the printer of the almanac and Frons), it is important to include a clause in the contract that the external party may not copy any data and has to delete the data as soon as possible.

c. Partnership agreements with other associations

Our registration form does not say anything about sharing data with other associations. It is important to keep in mind that we do not register our members for, say, a faculty symposium, but that students do so themselves at the faculty symposium committee. They must provide their own details and all conditions that can be attached to such an application form an agreement between the faculty symposium committee and the student; Sophia Aeterna is not a part of this. It is important that agreements are made within the organisation of such a joint project about, for example, photos that are taken during an activity, and that someone is responsible for removing the registrations and other data afterwards.

c. Social media

Sophia Aeterna currently has a Facebook and Instagram account.

Activities are promoted on Facebook and Instagram, and photos are posted afterwards. On Facebook, activities are promoted by the creation of events and on Instagram mainly through the use of announcements in stories. The photos that are posted after activities serve again as a promotion, but also as a review of the activity. These photos serve as a kind of annual report and as inspiration for subsequent years as well. People can also become familiar with Sophia through the Facebook and Instagram pages; it is thus a form of advertising for the association, which can lead to more awareness and the recruitment of new members.

At registration, new members agree to the use of photos, as indicated on the registration form. There are no entire albums on Facebook and Instagram, just a few photos as an indication. These photos can also be removed at the request of the people in them. In principle, the photos will not be removed from Facebook and Instagram. Messages from the board will not be deleted. Events will not be removed either.

d. Website

We sell used books on the website. The title of the book and the price are on the site. Members can email us and then we will provide them with the email address of the person selling the books. The two members then further arrange the sale of the books among themselves.

When someone wants to view photos on the website, they must register first. To do this, they have to enter their first and last name. In this way, the Secretary can check whether the person who registers actually is a member.

A privacy statement has been visible on the website since 25 May 2018 as well. In addition, the privacy policy can be found on the website. Members are thus made aware of their rights regarding personal data.

Step-by-step plans

a. Request for access to data

A member who is older than sixteen (and is not under guardianship) has the right to see what personal data we store about them. The member does not have to give a reason for this request. However, the member must identify themselves. The association must then send the member an overview with at least the following information:

  • the purpose for which the organisation uses his data; 
  • what types of data the association uses for this purpose;
  • which organisations or types of organisations receive their data;
  • how the association has obtained their data.

Such a request can be made to the board by email. When collecting the member's data, the board should not forget to check the mailboxes and repositories of all committees. A task for the board is to first discuss with the member which data the member would like to see; then there is no need to make a complete overview. Most parts of the overview are already mentioned on the registration form that was introduced in 2018.

b. Request to change data

A member may request the rectification of their data after reviewing their data if that data:

  • are not correct (anymore); 
  • are incomplete or irrelevant to the purpose for which they were collected;
  • are otherwise used in violation of any law.

The association must respond to the request within four weeks, and if the board decides to change the data, this must be done as soon as possible. The board must also inform other organisations with which this data has been shared in the past year of the rectification. (Unless the organisations are no longer traceable or if it would require a disproportionate effort.)

c. Request to delete data

A member can request that the data they have viewed be deleted, if

  • this data is no longer necessary for the stated purpose;
  • the member withdraws the consent given on the registration form;
  • the member objects to the data processing (see Article 21 of the GDPR);
  • the association distributes the data unlawfully;
  • the legal retention period for the data has expired.

d. Data breach notification obligation

In the event of a data breach (access to or destruction, alteration or release of personal data at an organisation without this being the intention of this organisation), the board is obliged to report this to the reporting desk of the Dutch Data Protection Authority. Examples of data leaks are losing an unlocked USB stick, ransomware, misaddressed emails etc. 

Data leaks only need to be reported if they lead to a risk to the rights and freedoms of those involved! That is, this really only applies to medical records and copies of travel documents. The board must also inform the relevant members only if the data breach poses a high risk to the persons involved. This is not necessary every time a data breach is reported to the reporting desk.