BeMSA Privacy Policy

This privacy policy covers our websites (BeMSA.be and BeMSA-Gent.be), mailing lists and surveys/data collection through our BeMSA.be domain.

The Belgian Medical Students' Association (BeMSA) is a Belgian student organisation. From the 2018-2019 academic year, it represents medical students from eight faculties across the country, while also making international connections through the existing network of 137 national member organisations of the International Federation of Medical Students' Associations (IFMSA).

Every year, we organise a series of events at local, national and international levels. In addition, our clinical and research exchange programmes send more than 100 Belgian students abroad every year, while hosting an equal number of foreign students. This allows them to discover innovations in medicine, healthcare systems and healthcare delivery in different settings around the world.

BeMSA brings people together to exchange, discuss and initiate projects with the aim of creating a healthier world. It equips medical students with the skills and resources needed to become health leaders. With the help of the IFMSA, it also advocates for the pressing issues that matter to us in shaping the world we want to live in. And it produces results: our projects, campaigns and activities positively influence doctors to stand alongside the communities they serve.

This privacy policy has been created to explain to you when, why and how we collect personal information about our members, within and outside this site and our mailing lists. This explanation includes how we use and store this information, and the conditions under which we may disclose this information to others, and how we keep this information secure.

Under the General Data Protection Regulation (GDPR), BeMSA qualifies as a "data controller". This means that we are partly or wholly responsible for determining the purposes and means of processing personal data. We are obliged under this law to inform you of the information contained in this privacy policy. Please send questions about our policy to webmaster@bemsa-gent.be. If you want us to delete your personal data, you can also contact us at this e-mail address. Otherwise, your data will be deleted after 3 years.

In line with the core principles of the GDPR, we are committed to the following regarding our use of your personal data:

1. Lawful, fair and transparent data collection: we are committed to ensuring that your data is collected and stored in such a way.
2. Purpose limitation: we are committed to ensuring that the data we collect serves a purpose that has been clearly communicated to you.
3. Data minimisation: in line with the previous point, we also strive to limit our collection to data that is strictly necessary for our purpose.
4. Truthfulness and accuracy: we commit to ensuring that your data is kept as accurate and up-to-date as possible.
5. Storage limitation: we do not keep your data longer than necessary for a specific purpose.
6. Integrity and confidentiality: we undertake to implement or ensure measures that ensure that your data is given an appropriate level of security.

Whether through this privacy policy or by other means, in the spirit of ensuring a higher level of transparency, we will do our best to ensure that you understand the purpose of any data collection we do, how we process it and how you can correct or delete it, should you wish to do so.

BeMSA collects personal information in several ways:

• E-mail and written correspondence
• Application forms / Registration forms
• Direct contact
• Surveys and research forms

In all cases, it will be clear and obvious to you when we collect your data.

We collect information about you when you contact us through any of the various activities described in the list below:

1. BeMSA Professional and Research Exchanges
2. BeMSA National General Meetings (NGA) and Training Events
3. Participation in BeMSA activities and projects
4. Small working groups (SWGs) within BeMSA
5. Opportunities for external representation
6. Surveys and/or research activities through the BeMSA network
7. BeMSA alumni network

In these cases, we may collect the information described below:

1. Name, date of birth, place of birth and country of origin
2. Contact details: e-mail address, passport or identity card details, telephone numbers, postal address or other physical addresses
3. Physical data: gender, health requirements (for the provision of appropriate services)
4. Curriculum Vitae, including current employment, past employment, education and experience in a specific field related to the purpose of data collection
5. Additional information that may be required on a case-by-case basis.

Any additional need for information in particular cases will be clearly communicated to you, including the reasons for its collection and the duration of its retention.

As we have already mentioned, the personal data we actively collect from you is almost always related to one of the seven activities listed under point five "What personal information do we collect". Currently, BeMSA does not engage in targeted advertising, and so we do not share data with external parties for marketing or advertising purposes. The personally identifiable information we collect from you may be used for the following purposes:

• Selection of participants for a BeMSA activity, project or exchange
• Selection of participants to represent BeMSA at an event
• Provision of services or information on our activities
• Impact assessment of BeMSA activities and projects
• Information on opportunities and calls for input to improve our services
• Archived for a certain time to ensure legal liability of related parties based on specific, pre-agreed terms acceptable to both BeMSA and the related parties.

We will regularly evaluate the necessity of this personal data for our activities and adhere to the retention period we indicated when requesting this data or until such time as the data is no longer needed for the originally stated purpose, whichever comes first. Please note that in some cases, specific data is indispensable for the activity in question and without it BeMSA will not be able to select, provide or transfer the request. We would also like to stress that we do not currently carry out any automated decision-making, including profiling, based on the personal data we obtain from you.

Under the GDPR, there are six legal bases for data collection, as set out in Article 6 of EU law. At least one of them must apply when a party processes personal data:

1. Consent: The person has clearly given an organisation permission to process personal data for a specific purpose.
2. Contract: The data processing is necessary for a contract that exists with the person, or because the person has asked for specific steps to be taken before entering into a contract.
3. Legal obligation: Data processing is necessary for the organisation to comply with the law, with the exception of contractual obligations.
4. Vital interests: The data processing is necessary for the organisation to protect an individual's life.
5. Public task: Data processing is necessary for the performance of a task in the public interest or for the organisation's official functions and the task or function has a clear basis in law.
6. Justified interests: Data processing is necessary for legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the data subject's personal data that outweighs these legitimate interests.

BeMSA will ensure that the legal bases are respected at all times and that at least one of the conditions mentioned above is met. All activities related to the collection of personal data by BeMSA and its officers will be supervised by the BeMSA Board to ensure compliance with the aforementioned bases.

BeMSA will not sell, rent or otherwise share your personal data for marketing or targeted advertising purposes. We also want to assure you that any instance of active data sharing will only take place with your consent through a clearly differentiated explanation of the purpose of such sharing before, during or after the data collection process. Following are the entities with which we may share data and for what reason:

• Organisers of our National General Meetings (NGA): at times, we will need to share specific personal data with organisers of our National General Meetings to ensure that they will be able to provide adequate and appropriate services to applicants.
• Agencies, institutions or academics for research purposes: we may authorise third-party organisations to work with our network for data collection or research purposes. In all cases, we will ensure that the process complies with our research policy and that the data collection contains as little identifiable data as possible.
• Software or technical vendors: third-party vendors that enable us to carry out efficient digital processes and provide a satisfactory service to our members.
• BeMSA Local Committees, Officials, Executive Board: in those cases where data is indispensable for application and selection processes, or conveying the relevant information to all parties involved.
• Law enforcement or regulatory authorities: we may need to transfer specific data if we are required to disclose or share your personal data to comply with legal obligations or to protect the rights, property or safety of our members and users.

This is an indicative and not an exhaustive list. Please note that when we share personal data, we take all reasonable steps to ensure that the third party handles it appropriately and securely. In all cases, we only share information that is absolutely relevant and clearly necessary for providing the service or fulfilling the purpose of sharing data. Especially with partners not directly related to our organisation, we will establish a contract to ensure secure handling of this data and clearly limit how they can use the shared data. In the case of law enforcement and regulatory authorities, where contracts do not apply, we will continue to make all reasonable efforts to ensure that your privacy remains protected.

We keep personal information only as long as necessary for the purpose of data collection. This purpose is explained in more detail during data collection. In general terms, we retain personal information for as long as required by law or as necessary for record-keeping and legal claims.

We store most of the data we collect in our domain associated with Google Workspace and our web hosting service. In all cases, we strive or will continue to strive to ensure that the organisations we partner with have adequate data protection and confidentiality clauses regarding data collection that comply with GDPR requirements.

We will establish a robust internal guideline for managing personal data within BeMSA. This will enable us to keep track of, restrict and in specific cases: remove access to your personal data from administrators within BeMSA. In all cases, personal data will only be shared with officers who need it for a specific purpose, in line with what is described during the data collection process.

In order to reduce uncontrollable data dissemination and improve our ability to control access to the personal data we collect, we regularly request and strive for our officers to work in a cloud-based environment entirely within the BeMSA.be domain. We will continuously strive to make the storage of this personally identifiable data as secure as possible.

Parts of this website may contain links to other sites, such as related agencies with resource materials that support our content, or partner organisations we work with. We would like to clarify that we are not responsible for the content or privacy policies of these other sites, and we encourage you to be aware of the privacy policies of these sites before taking any actions.

The European Union's General Data Protection Regulation draws attention to certain rights of citizens of countries within the EU and EEA whose information is collected by an organisation (as data subjects). The following is a brief summary of your rights in relation to data collected by BeMSA:

1. Access: you have the right to request the personal information we hold about you. If you would like a copy of this activity, please contact us at the e-mail address listed below.
2. Correction: you have the right to request a rectification of incomplete, inaccurate or false information about your person held by us.
3. Deletion: you have the right to request deletion of parts or all of your personal data held by us on these grounds without undue delay:
   • If you consider that the data is no longer necessary in relation to the purposes for which it was collected or processed
   • When you withdraw your consent to the use of your data
   • When you have objected to the use of the data
   • When you believe that the use of the data is against the law
4. Object: you can object to the use of your data for marketing, newsletter or mailing purposes at any time. Unless there are compelling legitimate reasons, we will immediately stop using this personal data.
5. Limit our use of your data: this may happen when you consider that you do not want your data to be deleted from our storage, but you no longer consent to the use of the data for the purposes specified during the collection process or prescribed in this privacy policy.
6. Withdraw consent to use: regulations require that withdrawing consent should be as simple as giving it. As such, you are free to withdraw your consent to data we have collected, and we will immediately cease our use of the information for the purpose(s) for which you initially consented.

If you find any breaches that you would like to see corrected or would like more information about our privacy policy, please contact us at president@BeMSA.be with the subject line [GDPR INQ].