GDPR-policy for Terminsräkningsföreningen

This translation is for information purposes only. The original Swedish version has interpretative prerogative.

Terminsräkningsföreningen's (TRF) policy for data protection and information security regarding the processing of personal data according to the General Data Protection Regulation (GDPR).

Content

1. Purpose
2. Definitions
3. Processing of personal data
4. Purpose and legal basis
5. Recipient of personal data
6. Geographical area for document
7. Storage period
8. Safety
9. Personal data processors
10. Rights of individuals as a data subject
11. Contact
12. Changes in the GDPR-policy

1. Introduction and purpose

The purpose of this GDPR-policy is to show in an open and transparent way how Terminsräkningsföreningen (TRF) processes personal data. With registration and payment of membership through provided services such as www.studentlund.se, TRF will collect and process personal data in order to administer your membership and so that you can take part in Lund's student life in the best possible way.

TRF takes personal privacy seriously and the purpose of this data policy is to ensure that the personal data processed by TRF and relevant organisations linked to the membership is used only for its intended purposes, and that individuals are protected from unauthorized access and use of their personal data.

By signing up for a membership through www.studentlund.se, you as a student join one of the affiliated member organisations of TRF. TRF provides and administers membership, membership registers, student cards and term bills for the organisations in which the individual intends to be a member.

This policy describes the information that TRF processes, who has the right to access the member information and what rights the registered user has in connection to the processing of personal data.

This personal data policy has been established by TRF's member organisations at the annual general meeting, årsstämman.

2. Definitions

Personal information refers to all kinds of information that can be directly or indirectly attributed to a physical person who is alive.

Processing of personal data refers to any measures or series of measures taken in respect to personal data e.g. collection, registration, organisation, storage, change, usage, modification, retrieval, gathering, disclosure by transmission, dissemination or other provision of data, compilation or collation, blocking, erasure or destruction.

Personal data controller refers to the legal person who alone or together with others determines the purposes and means for the processing of personal data.

Personal data processor refers to the person who performs Personal Data Processing on behalf of the Personal data controller.

Data protection legislation refers to applicable data protection legislation, such as the General Data Protection Regulation (GDPR) and national legislation implementing the GDPR.

EU/EEA refers to the European Union/European Economic Area.

Regulatory Legislation refers to applicable rules and legislation, for example regarding accounting and student unions.

Recipient refers to a physical or legal person, authority or other organ to which the Personal data controller may disclose Personal Data.

Member refers to a physical person who according to the statute of the member organisation is to be considered a member of a member organisation.

Membership refers to membership signed through TRF in a member organisation.

Member organisation refers to the student unions and student nations affiliated to TRF at Lund University and in the rest of Skåne.

TRF refers to Terminsräkningsföreningen (TRF), org.nr. 845003-1813.

3. Processing of personal data

Collection of Personal Data and Categories of Registered member

Personal data can be collected directly from the member and from external sources, for example from public registers and payment intermediaries. TRF may also save email history or in other ways document a member's interaction and communication with TRF.

TRF mainly collects and processes personal data on physical persons who are members or wish to become members of member organisations. TRF also collects and processes personal data from, for example, payers.

Categories of Personal Data

Categories of Personal Data that TRF collects and processes are for example:

  • Identification and contact details: For example, name, personal number or equivalent, date of birth, address, e-mail address and telephone number.
  • Membership Information: For example, information about membership in member organisations.
  • Payment details: For example, information about payments, including the information the individual provides when paying. Depending on the payment method, the information may, for example, include the individual's name, address and telephone number.
  • Study information: For example, information on admissions and registrations for the current, upcoming and previous semester.

4. Purpose and legal basis

Fulfillment of Membership

TRF mainly performs Processing of Members' Personal Data to document, enforce and administer the Members' Membership in Member Organisations. Examples of purposes for Processing are:

  • To manage the relationship with Members and administer the Members' Membership in Member Organisations.
  • To provide proof of membership in the form of a student card.
  • To administer the right to travel discounts on student cards.

Legal obligation

In order for TRF to be able to fulfill its legal obligations, TRF performs Processing of Personal Data in accordance with Regulatory Legislation and Data Protection Legislation. Examples of purposes for Processing are:

  • To meet the requirements regarding accounting legislation.
  • To keep Personal Information up to date and accurate.

Legitimate interest

In some cases, TRF performs Processing of Member Personal Data based on TRF's legitimate interest. TRF has judged that this Processing is necessary for the legitimate interests pursued by TRF, and that these interests outweigh the Member's interests in the protection of Personal Data. Examples of purposes for Processing are:

  • To protect the interests of Members and/or TRF, including security measures.
  • To develop, investigate and improve TRF's operations and their Members' user experience by conducting surveys and analyses and creating statistics.
  • To establish, exercise and defend legal claims and handle complaints.

Consent

In some cases, TRF will ask for a Member's consent to the Processing of Personal Data. Before the Member gives his or her consent, the Member will receive information about the Processing.

Consent can be revoked at any time. The Processing that TRF has already done is not affected, but TRF will not continue to perform Processing of Personal Data unless TRF has a basis for the Processing other than consent.

5. Recipient of personal data

As part of the Processing, TRF may disclose Member's Personal Information to Recipients, such as suppliers and partners. TRF will not disclose more Personal Data than is necessary for the purpose of disclosure and only in accordance with Regulatory Legislation and Data Protection Legislation.

Recipients may perform Processing of Member Personal Data in accordance with Regulatory Legislation and Data Protection Legislation. When the Recipient performs such Processing the Recipient may be responsible for providing Information regarding the Processing to the Member.

TRF may disclose Personal Information to Recipients, for example:

  • Student card suppliers, for example "Studentkortet" that provides proof of membership in the form of a Student Card
  • Financial and legal consultants, auditors or other service providers to TRF
  • Suppliers and partners, for example of IT services

6. Geographical area for document

As a general rule, the Processing of Member's Personal Data takes place within the EU / EEA, but in some cases Personal Data is transferred to countries outside the EU / EEA where Processing is performed.

The transfer to and Processing of Personal Data outside the EU / EEA can take place provided that there is a legal basis and that appropriate security measures are taken. Appropriate safety measures are, for example:

  • An agreement that includes EU standard contract clauses or other clauses, codes of conduct or certifications approved in accordance with Data Protection Law
  • The country outside the EU / EEA where the Recipient is located has an adequate level of protection set by the EU Commission.

Upon request, the Member can obtain further information on the transfer of Personal Data to countries outside the EU / EEA.

7. Storage period

Personal data is not stored longer than necessary for the purposes for which the Processing of the Personal Data is performed, or than required by Regulatory Legislation or Data Protection Legislation. For example, TRF will store Personal Data after the Membership has expired, so that legal claims can be established, asserted or defended. Personal data is also stored based on TRF's legitimate interest.

8. Safety

Within the framework of Data Protection Legislation, TRF shall, through this policy, ensure the confidentiality of Personal Data and that appropriate technical and organisational measures are implemented to protect Personal Data from unauthorized access, disclosure of information, unintentional loss, alteration, destruction or other illegal Processing.

9. Personal data processors

TRF may use approved Personal Data Processors for the Processing of Personal Data. In such cases, TRF takes the necessary measures to ensure that Personal Data Processors Process Personal Data in accordance with TRF's documented instructions, requirements for necessary and adequate security measures and in accordance with Data Protection Legislation and Regulatory Legislation.

Examples of Personal Data Processors are:

  • Provider of IT systems for administering Membership

10. Rights of individuals as a data subject

A Member has rights as a data subject regarding TRF's Processing of Personal Data in accordance with the Data Protection Act. The rights are generally as follows:

  • To demand that Member's Personal Data be corrected if it is insufficient, incomplete or incorrect.
  • To object to the processing of Member's Personal Data.
  • To demand deletion of Member's Personal Data.
  • To restrict the processing of Member's Personal Data.
  • To obtain information that Member's Personal Data is processed by TRF and in that case, get a copy of Personal Information.
  • To receive Personal Data that has been provided by the Member and that is being processed based on consent or performance of agreements, in written format or commonly used electronic format and, when possible, transfer such Personal Data to another service provider (so-called "data portability").
  • To revoke consent to the Processing of the Member's Personal Data.
  • To restrict the processing of Member's Personal Data for direct marketing.

You as an individual can file a complaint regarding TRF's Processing of Personal Data to the Data Inspection (www.datainspektionen.se) if you believe that the Processing violates your rights and interests in accordance with Data Protection Legislation.

11. Contact

You can contact TRF with a request for an extract from the register, revocation of consent or regarding other rights as a data subject, including submitting complaints regarding the processing of your Personal Data.

As a Member, you can update your address and certain other Personal Information on TRF's Website for Members. You can also contact the Member Organisation for help with updating Personal Information.

You can always contact Terminsräkningsföreningen (TRF) to exercise your rights as a data subject.

Terminsräkningsföreningen (TRF)
Sandgatan 2
223 50 Lund
Org.nr. 845003-1813

Complete contact information is available on TRF's website (trf.lu.se)

12. Changes in the GDPR-policy

TRF updates the policy in accordance with the Statutes of Terminsräkningsföreningen, and the updated policy comes into force immediately after approval by the general meeting (stämman). This occurs, for example, when new purposes for the Processing are added or when Processing takes place of additional categories of Personal Data.

The latest version of this policy is available on TRF's website (trf.lu.se).

Last updated November 19, 2020.