Privacy Policy

Hi, we are ESTIEM, and this is our Privacy Policy.

It explains how we handle, store, and protect your personal data. Our goal is to give you transparency, control, and trust over it.

GDPR and Useful Terms

As a European Union-based organisation, ESTIEM is required to comply with the General Data Protection Regulation (GDPR). It is a law enforced in the European Union that is designed to increase the control that a user has over their own data, limiting the freedom that companies and other entities had until now over your personal information. So your personal data is treated in alignment with GDPR.

Here are some terms or concepts that are useful to know, defined in the 4th article of the GDPR.

Any information that can lead to identifying a person directly or indirectly is considered personal data. This includes any pieces of information that together can identify an individual even if they don’t lead to this person on their own.

The organisation that decides why and how to process data (in this case, ESTIEM). Processing can mean to store, adapt, alter, retrieve, and more, in relation to any kind of data.

The Data Processor is any entity that processes data on behalf of the controller.

If somebody uses automatic means to analyse your data in order to predict behavior, interest, performance, or any other attribute, this person is profiling you. ESTIEM does not engage in profiling activities, and should this ever change, explicit consent will be necessary, requested, and documented.

Cookies are tiny files that are stored on your device, and they can be installed or read by websites. Those files may contain information essential to a website's functioning, or they can be used to collect information about you. Not inherently evil on their own, they can be used to invade your privacy or to make you browse the pages you love. Currently, we do not collect cookies. If this changes, users will be notified, and a detailed cookie policy will be provided.

What data we collect and why

Under GDPR, we need a lawful basis to process your personal data. For ESTIEM’s purposes, we rely on the following bases:

Contact Info

Such as name, gender, email, phone number

We process this information based on our legitimate interests to maintain communication with you and organise your presence in the network.

ESTIEM-Related Info

Such as Local Group, role, events attended

This data is processed under legitimate interests to ensure fair participation and organisation within the ESTIEM network.

Financial Info

Such as bank account number and amounts

Processed as required to comply with legal obligations for financial transactions and accounting.

Media

Such as photos, videos and recordings from events

We process these materials with your consent, to document and promote our events. You may withdraw your consent at any time by contacting us. Consent preferences can be updated by submitting a request through our online platform.

Who can access your data

Leaders

Our Leaders have access to all of the files related to their entities. Some entities collaborate closely with each other, or even need to work together to function. In those cases, they may share data among themselves, but in no case is the data to be shared publicly. There must be a reason to share with other entities, and it has to be specified when the data is collected.

Board

The Board of ESTIEM serves as the center of coordination for the whole network. Every entity within the organisation is under the responsibility of a Board Member. It is safe to assume that the Board has access to almost every document related to its entities and, for organisational purposes, it may be asked to review other documents to provide feedback, insights, and guidance.

Volunteers

No entity could work without a team of dedicated people. Those volunteers can access the documents related to the entities they work with, as they tend to be the processors of the entity’s data. Contrary to Leaders and the Board, our volunteers do not have privileged access to any data. Personal data can be shared with volunteers where their efforts are required to fulfill an action requested by the data owner, if specified through the media we’ll use to gather the data.

ITC

The IT Committee is responsible for maintaining and improving the IT infrastructure of ESTIEM. They have access to the database of the ESTIEM Portal website and, by extension, to all data inserted and created by user actions there, as it is required for them to perform their duties.

Microsoft

Our whole portal and part of the login system is hosted on Microsoft services. They have technical access to our database, but reading it would be considered a violation of the contract. ESTIEMers’ login details are shared with Microsoft to allow an easy password recovery. These details include: name, email, Local Group, roles, and mobile number.

AC

The Analysis Committee utilizes anonymised data to evaluate the activity of the network and enables all entities to make decisions based on concrete data. Due to that, they need to access the database as well, from which they extract the data which is then anonymised and shared with the network.

Google

ESTIEM uses Google Workspace as its primary working environment. As such, the personal data provided on ESTIEM Portal, such as name, Local Group, roles and mobile number, is also held by Google, as is the data inserted into their systems, such as Google Chat. Additionally, Google Workspace does, by design, log actions taken by accounts, such as actions on Google Mail and Google Drive. These logs are retained in Google’s systems for six months.

Data sharing with third parties

ESTIEM may share your data with trusted third parties, such as IT infrastructure providers, solely for purposes that align with our legitimate organisational needs. We have data processing agreements with each third-party provider, which require them to process your data only as instructed by ESTIEM and for no other purpose, to implement appropriate technical and organisational measures to protect your data, and to comply with GDPR and applicable privacy laws.

If personal data is transferred outside of the European Economic Area (EEA), ESTIEM ensures such transfers are safeguarded using Standard Contractual Clauses (SCCs) or by working with providers located in countries deemed to have adequate data protection standards by the European Commission.

Data sharing means

The most notable way of collecting data is the ESTIEM portal, contained in the domain “estiem.org”. Everything going through the IT infrastructure and stored in the database is accessible by the Vice President of Administration, the IT Committee, and the Analysis Committee. Other than that, some less obvious ways through which you can share personal data with us are listed below.

Data Retention

We retain your personal data only as long as necessary for the purpose it was collected. The criteria we use to determine retention periods include:

Membership and Participation
Your contact and ESTIEM-related data are retained as long as you are an active member of the ESTIEM network. Upon request, we will delete your personal data within six months, except where retention is required for legal obligations.

Event-Related Data
Media files and event participation details are kept for as long as necessary to fulfill promotional or historical purposes or until you request deletion.

Financial Data
We retain transaction records in accordance with applicable laws (e.g., tax and accounting requirements) for up to seven years.

Data Security

ESTIEM is committed to protecting your data with high standards of security. We implement measures including encryption of sensitive data during its transmission and storage; access controls to restrict data access only to authorised personnel based on their role and need; and data protection training for our Leaders, Board Members, and volunteers who handle personal data, to ensure GDPR-compliant practices are maintained across our organisation.

Our Discord server, which can be accessed through this link, is an informal place to spend time together while working or during free time. It can also be a way of sharing reports and collecting Q&A about them. Anything shared here is to be considered publicly available, as the access to the server is not restricted. Q&A may be saved and stored for knowledge management purposes.

Here, the international level of ESTIEM discusses and shares ideas. Everything you post here or any comment you add is to be considered as shared with the whole ESTIEM network as the access is limited to members of organizations associated with ESTIEM. If any post is created to share data with other organizations, it will be specified in the post itself.

For applications, surveys, and other kinds of input gathering, we use Google Forms. These are created and stored in Google Shared Drives, where access is controlled and restricted to only those that are required to process the data. At the end of the form, you will find a checkbox stating who will have access to the answers, and it needs to be accepted in order to send the data to us.

Your choices

Managing Communication Preferences

You can unsubscribe from newsletters or event notifications at any time by clicking the “Get out of a selected group” link in the “Groups” section of your profile on the ESTIEM portal or by contacting us directly. You may also choose to participate in events without sharing certain information, but please note that some data may be required for event logistics, such as dietary needs or accessibility considerations.

Choose not to provide us with personal data

Once you have an account created by your Local Responsible, you can decide not to provide ESTIEM with any additional data by just not sharing it. But remember, to participate in most events you will have to share some, both for your safety (food allergies) and for organisational purposes.

Choose to turn off cookies in your browser

We are not collecting any cookies at the moment - hooray! But you can disable cookies completely from your browser, for good measure. To do so you can go to www.cookiesandyou.com/disable-cookies and you will know how to do that for the browser you're using at the moment.

Your rights

Access our data about you

You can ask us to see all the personal data we have that can be tied to you as an individual. Anonymised data won't be included in that, as we won't be able to trace it back to you. We will have a month to address this request, and we may be unable to fulfill it if doing so will affect the rights or freedom of others. Where applicable, you can request that we transmit your personal data to you in a standard format (e.g. Excel) if you provided this data to us and we processed it based on your consent or to fulfill contractual obligations.

Other rights

There are two other rights which are not applicable: the right to object to us using your data for profiling and making automated decisions about you, and the right to port your data to another service. For the first one, we don't do any profiling; regarding the second, we keep so little data that it's way faster if you hand over your name, surname, and address yourself to any other provider.

Make us correct wrong data

You have the power to modify almost any data we have about you, but if something out of your reach is outdated, incomplete, or just wrong: tell us, we will fix it for you.

Make us delete your data

This is also known as "the right to be forgotten". You can have us delete everything we have about you. Unfortunately, this will mean deleting your account as well - as it holds your name, surname, and email - so you won't be able to be part of the network anymore.

Right to Restrict Processing

You may ask us to limit the processing of your personal data in specific situations, such as if you contest the accuracy of the data or object to its processing. During this time, we will not process the data except to store it.

ESTIEM cares

We believe that every effort made towards ensuring someone’s privacy is a show of respect. We fully agree with the principles of GDPR as much as we want them respected when our data is on the line. We want to hear a reason for keeping data, we want it to be confidential, and kept just for the time needed. For that reason, we purged the database of any data collected in the past that is no longer in line with what is strictly needed, and we are implementing privacy by design in all the new processes of ESTIEM, while we keep making the old ones fully transparent and compliant. ESTIEM makes no profits out of your data, nor discloses any of it without your consent. We also believe that information about your privacy and how we handle your data must be easily accessible, clear, and honest; this is why we wanted to craft the policy this way, for you.

Data sharing with third parties

In the unlikely event of a data breach affecting your personal data, ESTIEM is committed to promptly addressing the issue. We will notify affected individuals within 72 hours upon discovery if there is a risk to their rights and freedoms, as required under GDPR. Notifications will include information about the breach, the likely consequences, and steps we are taking to mitigate the impact.

Lodge a complaint

Give us a chance to address your concerns about how we treat your data, and if we fail to do so, you can file a complaint with the Dutch Data Protection Authority at this address: https://autoriteitpersoonsgegevens.nl/en. We aim to address all concerns promptly and effectively.

"We don't get compliant because of the law, but because of ethics."