WHAT IS GDPR?
General Data Protection Regulation (GDPR) is a law to protect citizens' personal data and was put in place on May 25th, 2018. GDPR regulates how personal data is allowed to be processed. All types of organisations must follow the regulation and HI TECH, as an association, is bound by it as well. Use of personal data should always be transparent to the individual, who is always entitled to be informed about which personal data the organisation has stored and why it has been collected, to have misleading information changed, and to have it removed.
This document regulates how HI TECH handles personal data of the association's members.
WHAT IS PERSONAL DATA?
Personal data is information that links to an individual person. Examples of personal data include social security numbers, names, phone numbers, images and addresses.
COLLECTING OF PERSONAL DATA
Processing of personal data must meet certain requirements, for example having a lawful basis. Having a lawful basis means that one of the following must apply:
– Consent: The registered person has agreed.
– Contract: The registered person has an agreement with the data controller.
– Legitimate interests: Personal data can be processed if there is an interest that outweighs the individual rights and processing is necessary for the aim.
– Legal obligation: Laws and regulations.
– Public authority tasks.
– Vital interests: If the registered person cannot give consent but must be protected.
To gather personal data the following is required:
- A purpose that the personal data is collected for. The purpose should be described in a concrete and specific way.
- Only the personal data that is required for the purpose can be gathered.
- Personal data must be removed when the purpose is achieved.
- Unauthorised parties shall not have access to the personal data.
It is never allowed to gather personal data only for access. All collection must always have a purpose.
When collecting personal data, the individual must be informed of:
- Who is responsible for the personal data.
- What personal data is collected and the usage of it.
- The individual's rights to gain access, have misleading information changed and have it removed. The individual has the right to know how long the personal data is saved.
WHAT IS HI TECH?
HI TECH (org. number 802432-6467) is a student association at the School of Engineering at Jönköping University. The purpose of the association is, according to the association's By-law (2018): “The purpose of the Association is to ensure the quality of its members' studies, offer the members an opportunity to influence the education that takes place at the School of Engineering at JU, and provide students with a meaningful complement to their studies in the form of an active social life outside of their studies.” The HI TECH Board is responsible for the association and works for all members. The association also has committees and project groups that work with different areas of the association's operations.
HOW DOES HI TECH HANDLE PERSONAL DATA?
HI TECH processes personal data on a daily basis to help members. For example, the association processes names, e-mail addresses, students' JU usernames, phone numbers and images. Sometimes personal data is used for marketing by the association, its committees and project groups. A specific and concrete aim is always required, regardless of the usage of personal data. HI TECH shall also avoid collecting sensitive data, for example social security numbers. Members of the association are entitled to contact the HI TECH Board regarding questions of personal data, to gain access to it, and to have misleading information changed and removed. The President of the association is obligated to remove personal data stored in the work computer when necessary. E-mails sent to the association are automatically deleted after 5 years, unless requested beforehand. Personal data is stored in a locked work computer or at locked facilities that only certain individuals in the Board have access to. When processing sensitive data, the President of HI TECH is responsible for handling the data securely and ensuring it will be deleted when the reason for storing it ceases to exist. If the Board, the committees, members or individuals suspect that a personal data breach has occurred, the incident shall be reported directly to Integritetsskyddsmyndigheten. An incident must be reported within 72 hours after the incident has occurred.
When the Board of HI TECH, its committees or project groups are processing personal data, there is a requirement to consider the lawful basis the personal data is collected on. Depending on the situation, the association uses three lawful bases most frequently:
- Legitimate interests are used when publishing pictures from the association's events. Pictures from the association's events are published because it is in the members' interest to receive information regarding the association's activities and organisations.
- Contracts are used when processing personal data as mentioned in the association's By-laws.
- Consent is used when a member is in need of help or advice. These circumstances typically concern education or equal treatment, for which personal data is required to assist the member. The member will be informed of why the personal data is being used. For example, personal data could be required to help investigate wrongdoings in an educational matter.
USING OF PERSONAL DATA DURING TICKET SALES
CLOSED EVENTS (CAPS, SITTNINGS, GALA, BANQUETTE, ETC)
Closed events are held at places with an alcohol license for those who have bought a ticket. To be able to control who is attending the event, personal data is collected for each person. Within a week after the event the personal data should be removed. At the latest, this information may be kept for up to a month after the event.
TRIPS (HIKE TRIP ÅRE, HIKE TRIP LUND, HIKE TRIP EUROPE, ETC)
Those who attend trips need to sign a contract with both their name and signature. This contract regulates each traveller's own responsibility during the trip.
EVENTS HELD IN PUBLIC AREAS (HI SLAGET, HINT ON THE RUN, AMAZING RACE BY HIKE, ETC)
To be able to control who is attending the event, personal data is collected for each person. For some events, phone numbers are needed to contact the participants. In those cases the phone number will be collected as well. Within a week after the event the personal data shall be removed.
In order to apply for points, the individual should provide a name, personal number and email. This is to ensure the correct person is receiving the points and can be easily contacted if necessary. The personal data will be kept for up to a year so the calculation of the points can be done accurately. In this situation, a representative from the International Relations Office will also require access to this information.
A member is always entitled to have personal data deleted and this shall happen as soon as possible. When gathering personal data, the reason shall be concretely described, along with who is responsible for processing the data and who the member can contact for more information. More personal data than required to suit the goal cannot be collected. Personal data cannot be shared with others unless it is necessary and personal data shall always be protected from unauthorised access. The association shall remove personal data when the aim is achieved or when there is no need to process it.
The Board of HI TECH is responsible for how the association handles personal data. Committees and project groups within HI TECH sometimes handle personal data as well, in joint consultation with the Board. For further questions about how the association handles personal data, contact the President of HI TECH by e-mail at firstname.lastname@example.org.