Dear Data Subject, We wish to inform you that the GDPR provides for the protection of individuals with regard to the processing of Personal Data as a fundamental right. We are committed to safeguarding the privacy of our website visitors; in this policy, we explain how we will treat your personal information.

Pursuant to Article 13 of the GDPR, therefore, We will process your Personal Data according to the present Privacy Policy, which describes how such data is collected, stored, used, communicated and managed by ESN and the related Services.

By using our website and agreeing to this policy, you consent to our use of cookies in accordance with the terms of this policy. Please notify us without delay should you notice any instances in which any violation of the present Privacy Policy occurs.

Last updated: 19 March 2022

Type of Data Processed

We may collect, store and use the following kinds of personal information:

  • information about your computer and about your visits to and use of SIEM website (including your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths);
  • information that you provide when registering with our website;
  • information that you provide when completing your profile on our website (including tentatively your name, profile picture, gender, date of birth, educational details and other information set in your profile fields);
  • information that you provide for the purpose of subscribing to our email notifications and/or newsletters (including your name and email address);
  • information that you provide when using the services on our website or that is generated in the course of the use of those services (including the timing, frequency and pattern of service use);
  • information contained in or relating to any communication that you send to us or send through our website (including the communication content and metadata associated with the communication); and
  • any other personal information that you choose to send to us.

If the Personal Data communicated to us does not belong to the same natural person who communicates it, the latter will be required to explicitly confirm that they have obtained the relevant consent from the Data Subject. In such cases, with the vision of this Privacy Policy and with the above-mentioned confirmation, you also undertake to hold us harmless in case of false or reticent statements, in particular in case you have not actually obtained the consent to the processing from the relevant Data Subjects.

The voluntary sending, on your part, of e-mails to our e-mail addresses does not require further information or requests for consent.

On the contrary, specific summary information will be reported or displayed if needed in the pages of the site prepared for particular services on request (form). You must therefore explicitly consent to the use of the data reported in these forms in order to send any request.

Origin of Processed Personal Data

The Personal Data that We hold in connection with SIEM and related Services is collected directly from the Data Subject or uploaded by the relevant organisation.

Data Controller

The Data Controller is:

Erasmus Student Network

Rue Joseph II / Jozef II-straat 120
1000 Brussels, Belgium
Email: [email protected]

Purpose of Data Processing and legal basis

The processing of users’ Personal Data has its legal basis in their consent and is carried out for the following purposes:

  1. administer our website and business;
  2. personalise our website for you;
  3. enable your use of the services available on our website;
  4. send you email notifications that you have specifically requested;
  5. provide third parties with statistical information about our users (but those third parties will not be able to identify any individual user from that information);
  6. provide third parties with personal data needed to comply with the purpose of this website, this will be done only under previous and explicit approval by the user;
  7. deal with enquiries and complaints made by or about you relating to our website;
  8. keep our website secure and prevent fraud; and
  9. send service-related notifications that may be of importance to continue using the Services, and safety/security notifications related to the participation in programmes featured in our Service;
  10. verify compliance with the terms and conditions governing the use of our website.

Mandatory nature or not of the consent

The user’s consent is mandatory, and in particular to be able to have Main Institutional and/or Personal accounts, for what concerns the purposes under points 3, 4, 8 and 10 above. For the purposes under points 2, 7, and 9 the consent is optional but the lack thereof may worsen the provision of the Services. For the other purposes the consent is optional and will not compromise in any way the provision of the Service, should you desire not to provide your consent for one or more specific purposes, please inform us at the time your Personal Data is communicated to us, or at any time thereafter, by contacting us.

Data recipients

Except as provided hereinafter, we will not provide your personal information to third parties.

Within the limits pertinent to the Processing purposes indicated, users’ data may be communicated to partners, consulting companies, private companies, appointed by the Data Controllers as Data Processors or for legal obligations or to fulfil some users’ specific requests. In such cases we take all the necessary technical and organisational measures to protect the confidentiality and security of your Personal Data from unauthorised access or against loss, misuse or alteration by third parties. We may also disclose your personal information to any member of our organization and supporting organisms (insofar as reasonably necessary for the purposes set out in this policy.

Although not directly communicated to any specific recipient, account contact information may also be available to other users.

Our Services may also depend on third-party tracking tools from our service providers, examples of which include email service provider as well as push-notification service provider. Such third parties may use cookies, APIs, and SDKs in our services to enable them to collect and analyse user information on our behalf. In this context, third parties may have access to information such as your device identifier, MAC address, IMEI, locale (specific location where a given language is spoken), geo-location information, and IP address for the purpose of providing their services under their respective privacy policies.

The possible Data Processors and persons in charge of the Processing will in such cases be punctually identified and at the users’ request be communicated in detail. For any question in this regard, please contact us.

Please note that in such cases users will be also subject to the relevant third-party privacy policies. For any processing carried out by third parties as Data Processors in relation to the Dashboard and related services, users may contact us or directly such third parties.

For all other cases of processing by third parties, please contact them directly in the manner indicated in their privacy policies.

Lastly, We may share your information in connection with potential merger, de-merger, acquisition, change of ownership, change of control, or in general extraordinary transactions. In such cases, the users will be notified via email and/or notice on our site of any change in ownership of the Personal Data.

International data transfers

Information that we collect may be stored and processed in and transferred between any of the countries in which we operate in order to enable us to use the information in accordance with this policy. If and when we transfer Personal Data to affiliated entities or to other third parties across borders and from your country or jurisdiction to other countries or jurisdictions around the world, we will still take all appropriate measures to ensure compliance with the GDPR.

When third parties are involved in the Processing pursuant to this Privacy Policy, Personal Data may be stored on servers outside the European Union. Please remember that in such cases any Processing is also subject to the relevant third parties’ privacy policies. In such cases, information that we collect may also be transferred to countries that do not have data protection laws equivalent to those in force in the European Economic Area. By using SIEM you expressly agree to such transfers.

Personal information that you publish on our website or submit for publication on our website may also be available, via the internet, around the world. We cannot prevent the use or misuse of such information by others.

Period and place of Data retention

The data collected will be stored for a period of time not exceeding the achievement of the purposes for which they are processed (“principle of limitation of storage”, art. 5, GDPR) or according to the deadlines provided for by law, to comply with our legal obligations, to resolve disputes, and enforce our agreements. The verification of the obsolescence of the data stored in relation to the purposes for which they were collected is carried out periodically.

Rights of the Data Subjects

Pursuant to GDPR, users (and/or the Users who communicated the relevant Data) have the right to access the Personal Data provided to us (art. 15 GDPR) and to ask to receive copy of such Data in an intelligible format in order to transmit it to another data controller (art. 20 GDPR). They have the right to obtain their update, rectification or integration (art. 16 GDPR), and to obtain their erasure (art. 17 GDPR). Users also have the right to request the restriction of the Processing of their Personal Data (art. 18 GDPR) or to object, on legitimate grounds, to such Processing (art. 21 GDPR). We inform you, however, that the exercise of such rights may be subject to limitations or exclusions pursuant to the GDPR or other relevant regulations.

Where the users consider that the processing of Personal Data by us has been carried out in violation of the GDPR, without prejudice to any other administrative or judicial remedy, they the right to lodge a complaint with their national supervisory authority, in particular in the Member State of their habitual residence, place of work, or the place where the alleged violation took place.

For any request or communication concerning any of the above-mentioned rights, please contact us. We will respond to any request as soon as possible and in any case within 30 days.

Users may also object to Personal Data being subject to automated decision-making, including profiling practices. We inform you, however, that We do not carry out any processing that may fall within the aforementioned case. Should this situation change in the future, we will promptly update this Privacy Policy.

Lastly, the Data Subjects concerned (and/or the Users who communicated the relevant Data) may at any time communicate their intention to withdraw their consent. In such cases, We may continue to Process the relevant Personal Data only in presence of an alternative legal basis for such further Processing.

Modalities of data processing

The Personal Data provided to us will be processed in compliance with the GDPR and the obligations of confidentiality that govern the activity of the Data Controller. The data will be processed both with computer tools and on paper or any other suitable support, in compliance with the appropriate security measures under Article 5 par. 1 letter F of the GDPR.

Security of personal information

We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.

We will store all the personal information you provide on our secure (password- and firewall-protected) servers.

You acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.

You are responsible for keeping the password you use for accessing our website confidential; we will not ask you for your password (except when you log in to our website).

Our Policy Regarding Minors

We do not knowingly collect or solicit personal information from anyone under the age of 18 or knowingly allow such persons to use our Services. If you are under such age, please do not send any information about yourself to us, including your name, address, telephone number, or email address. In the event that we learn that we have collected Personal Data from an individual under the age of 18, we will delete such Data as quickly as possible. If you believe that we might have received any Personal Data from or about an individual under the age of 18, please contact us.

Third-party websites

Our website includes hyperlinks to, and details of, third party websites.

We have no control over, and are not responsible for, the privacy policies and practices of third parties.

Our website uses APIs that shares only public information (e.g. name of the company) with third-party websites in order to integrate some services.

Changes to the Policy

We may update this privacy policy to reflect changes to our Processing and/or Data Protection practices. If we make any material changes, we will notify the users by means of a notice on our sites prior to the change becoming effective. In any case, please visit this Privacy Policy periodically.

Cookies

Our website uses cookies.

A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

We use both session and persistent cookies on our website.

Most browsers allow you to refuse to accept cookies; for example:

  • in Internet Explorer (version 11) you can block cookies using the cookie handling override settings available by clicking "Tools", "Internet Options", "Privacy" and then "Advanced";
  • in Firefox (version 47) you can block all cookies by clicking "Tools", "Options", "Privacy", selecting "Use custom settings for history" from the drop-down menu, and unticking "Accept cookies from sites"; and
  • in Chrome (version 52), you can block all cookies by accessing the "Customise and control" menu and clicking "Settings", "Show advanced settings" and "Content settings", and then selecting "Block sites from setting any data" under the "Cookies" heading.

Blocking all cookies will have a negative impact on the usability of many websites.

If you block cookies, you will not be able to use all the features on our website.

In particular, We resort to Google Analytics to track and report website traffic, and we use login session cookies to allow you to login and access all functionalities of your Account.  [MQ5] 

Glossary

We or Provider or ESN - the Erasmus Student Network; a non-profit international student organisation whose mission is to represent international students, thus providing opportunities for cultural understanding and self-development under the principle of Students Helping Students. ESN develops and operates the Social Inclusion and Engagement in Mobility (SIEM) project and offers the relative Services.

GDPR - the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Personal Data - any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing - any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Services - any services provided or made available by the Provider via the SIEM platforms as well as relevant interconnected tools or relating thereto.