HI TECH AND GDPR
WHAT IS GDPR?
General Data Protection Regulation (GDPR) is a law to protect citizens personal data and was put in place on May 25th, 2018. GDPR regulates how the processing of personal data is allowed to be handled. All types of organisations must follow the regulation and HI TECH, as an association, is bound to it as well. Usage of personal data should always imprint transparency for the individual who is always entitled to be informed about which personal data the organisation has stored, why it has been collected, change misleading information and have it removed.
This document regulates how HI TECH handles personal data of the associations members.
WHAT IS PERSONAL DATA?
Personal data is information that links to an individual person. Examples of personal data include social security numbers, names, phone numbers, images and addresses.
COLLECTING OF PERSONAL DATA
Processing of personal data must follow certain demands, for example lawful basis.
With lawful basis means that one of the following areas must be achieved:
Consent: The registered person has agreed.
Contract: The registered person has an agreement with the data controller.
Legitimate interests: Personal data can be processed if there is an interest that outweighs the individual rights and processing is necessary for the aim.
Legal obligation: Laws and regulations.
Public authority tasks.
Vital interests: If the registered cannot leave consent but must be protected.
To gather personal data the following is required:
o A purpose that the personal data is collected for. The purpose should be described in a concrete and specific way.
o Only the personal data that is demanded for the purpose can be gathered.
o Personal data must be removed when the purpose is achieved.
o Unauthorised parties shall not have access to the personal data.
It is never allowed to gather personal data only for access. All collecting must always
have a purpose.
When collecting personal data, the individual must be informed of:
o Who is responsible for the personal data.
o What personal data is collected and the usage of it.
o The individual rights to gain access, change misleading information and have
it removed. The individual has the right to know how long the personal data
is saved.
WHAT IS HI TECH?
HI TECH (org. number 802432-6467) is a student association at School of Engineering at Jönköping University. The purpose of the association is according to the associations By-law (2018): “The purpose of the Association is to ensure the quality of its members studies, offer the members an opportunity to influencing the education that takes place at the School of Engineering at JU, and provide students with a meaningful complement to their studies in the form of an active social life outside of their studies.” The HI TECH Board is responsible for the association and works for all members. The association also has committees and project groups that works with different areas of the associations operations.
HOW DOES HI TECH HANDLE PERSONAL DATA?
HI TECH processes personal data on a daily basis to help members. For example, the
association processes names, e-mail addresses, students JU-username’s, phone
numbers and images. Sometimes personal data is used for marketing by the
association, it’s committees and project groups. A specific and concrete aim is
always required, regardless of the usage of personal data. HI TECH shall also avoid
collecting sensitive data, for example social security numbers. Members of the
association are entitled to contact the HI TECH Board regarding questions of
personal data, gain access to it, have misleading information changed and removed.
The President of the association is obligated to remove personal data stored in the
work computer when necessary. E-mail’s sent to the association are automatically
deleted after 5 years, if not asked beforehand. Personal data is stored in a locked
work computer or at locked facilities that only certain individuals in the Board have
access to. When processing sensitive data, the President of HI TECH is responsible
for handling the data securely and ensuring it’s deleted when the reasoning for
storing it ceases to exist.
If the Board, the committees, members or individuals suspect that a personal data
breach has occurred, the incident shall be reported directly to Datainspektionen.
Reporting an incident must be done before 72 hours after the incident has occurred.
RULES
When the Board of HI TECH, it’s committees or project groups are processing
personal data, there is a requirement to consider the lawful basis the personal data
is collected on. Depending on the situation, the association uses three lawful bases
more frequently:
o Legitimate interests are used when publishing pictures from the associations
events. The purpose of publishing pictures from the association’s events is
because it’s of the members interest to responsive information regarding the
associations activities and organisations.
o Contracts used when processing personal data as mentioned in the
association’s By-laws.
o Consent is granted to a member in need of help or advice. These
circumstances typically concern education or equal treatment, of which
personal data is required to assist the member. The member will be informed
of why the personal data is being used. For example, personal data could be
required to help investigate wrongdoings in an educational matter.
USING OF PERSONAL DATA DURING TICKET SALES
CLOSED EVENTS (CAPS, SITTNINGS, GALA, BANQUETTE, ETC)
Closed events are held at places with an alcohol license for those who have bought a
ticket. To be able to control who is attending the event, personal data is collected for
each person. Within a week after the event the personal data should be removed.
The latest this information should be kept is up to a month after the event.
TRIPS (HIKE TRIP ÅRE, HIKE TRIP LUND, HIKE TRIP EUROPE, ETC)
Those who attend trips need to sign a contract with both their name and signature. This contract regulates each travellers own responsibility during the trip.
EVENTS HELD IN PUBLIC AREAS (HI SLAGET, HINT ON THE RUN, AMAZING RACE BY HIKE, ETC)
To be able to control who is attending the event, personal data is collected for each
person. For some events, phone numbers are needed to contact the participants. In
those cases the phone number will be collected as well. Within a week after the
event the personal data shall be removed.
INVOLVEMENT POINTS
In order to apply for points, the individual should provide a name, personal number
and email. This is to ensure the correct person is receiving the points and can be
easily contacted if necessary. The personal data will be kept for up to a year so the
calculation of the points can be done accurately. In this situation, a representative
from the International Relations Office will also require access to this information.
IN GENERAL
A member is always entitled to have personal data deleted and this shall happen as
soon as possible. When gathering personal data, the reasoning shall be concretely
described, detail who is responsible for processing the data and who the member
can contact for more information.
More personal data than required to suit the goal cannot be collected. Personal data
cannot be shared with others unless it’s necessary and personal data shall always be
protected from unauthorised access. The association shall remove personal data
when the aim is achieved or when there is no need to process it.
CONTACT
The Board of HI TECH is responsible of how the association handles personal data.
Committees and project groups within HI TECH sometimes handle personal data as
well in joint consultation with the Board. For further questions about how the
association handles personal data, contact the President of HI TECH by e-mail at
president.hitech@js.ju.se.