BeMSA Privacy Policy

This Privacy Policy pertains to our website (, mailing lists and surveys/data collection done through our domain.

1. Who we are

The Belgian Medical Students’ Association (BeMSA) is a Belgian student-run organization. As of the 2018-2019 academic year, it represents medical students from 8 of the faculties across the country, while also establishing international connections through the existing network of 137 national member organizations of the International Federation of Medical Students’ Associations (IFMSA).

Each year we organize a series of events on a local, national and international level. Additionally, our clinical and research exchange programs send over 100 Belgian students abroad every year, while accommodating the same number of foreign students. This allows them to explore innovations in medicine, healthcare systems and healthcare delivery in various settings across the globe.

BeMSA brings people together to exchange, discuss and initiate projects with the goal of creating a healthier world. It provides medical students with the skills and resources needed to be health leaders. With the help of the IFMSA, it also advocates for the pressing issues that matter to us to shape the world we want to live in. And it does deliver: our projects, our campaigns and our activities positively impact the physicians-to be alongside the communities they serve.

2. Purpose

This privacy policy is made to explain to you when, why, and how we collect personal information about our members, within and outside this site and our mailing lists. This explanation includes how we use, store, and the conditions under which we may disclose it to others, and how we keep it secure.

Under the General Data Protection Regulation (GDPR), BeMSA qualifies as a “data controller”. This means that we are fully or partly responsible for determining the purpose and means for the processing of personal data. We are required under this law to inform you of the information contained within this privacy policy.

3. Our commitment

In line with the core principles of the GDPR, we are committed to the following, in regard to our use of your personal data:

  1. Lawful, fair, and transparent data collection: we are committed to ensuring that your data is collected and stored in such a manner.
  2. Purpose limitation: we are committed to ensuring the data we collect serves a purpose that is clearly informed to you.
  3. Data minimization: in line with the previous item, we are also committed to limiting our collection to data that are strictly necessary for our purpose.
  4. Truth and accuracy: we commit to ensuring that your data is kept as accurately and as up-to-date as possible.
  5. Storage limitation: we will not be keeping your data longer than we need it for a specific purpose.
  6. Integrity and confidentiality: we commit to ensuring or enacting measures that will ensure your data is accorded an appropriate level of security.

Whether it is through this privacy policy or otherwise, in the spirit of ensuring a higher level of transparency, we will strive our best to ensure that you understand the purpose of each data collection that we do, how we process it, and how you can correct or remove it, should you wish.

4. How do we collect personal information?

BeMSA collects personal information through several means:

  • Email and written correspondence
  • Application forms / Enrollment forms
  • Direct contact
  • Surveys and research forms

In all instances, it will be apparent and clear to you when we are collecting your data.

5. What personal information do we collect?

We collect information about you when you engage with us through one of the several activities detailed in the list below: 

  1. BeMSA Professional and Research Exchanges
  2. BeMSA National General Assemblies (NGA) and Training Events
  3. Participation in BeMSA activities and projects
  4. Small Working Groups (SWGs) within BeMSA
  5. External Representation Opportunities
  6. Surveys and/or research activities through the BeMSA network
  7. BeMSA Alumni network

In these cases, we may collect the information detailed below:

  1. Name, date of birth, place of birth, and country of origin
  2. Contact information: email address, Passport or ID-card data, phone numbers, postal or other physical addresses
  3. Physical data: gender, health requirements (for provision of suitable services)
  4. Curriculum Vitae, including current employment, past employment, education, and experience within a specific field related to the purpose of the data collection
  5. Additional information that may be necessary based on a case-by-case basis.

Any additional need for information in any particular cases will be communicated clearly to you, including the reasons for its collection and duration of its retention.

6. How is your information used?

As we have mentioned, the personal data we actively collect from you is almost always related to one of the seven activities listed under section five “What personal information do we collect”. At this moment, BeMSA does not engage in targeted advertising, and thus we do not share any data with external parties for marketing or advertising purposes. The personal, identifiable data that we collect from you may be used for the following purposes:

  • Selection of participants to a BeMSA activity, project or exchange
  • Selection of participants to represent BeMSA at an event
  • Provision of service or information about our activities
  • Impact assessment of BeMSA activities and projects
  • Conveyance of information about opportunities and call for inputs to improve our service
  • Archived for a specific duration of time to ensure legal liability of related parties based on a specific, previously agreed upon terms that are amicable to both BeMSA and the related parties

We will regularly review the necessity of these personal data for our activities and adhere to any storage period that we have detailed when requesting these data or until such time when the data is no longer necessary for the originally stated purpose, whichever comes first. Please note that in some cases, specific information items are indispensable to the related activity, and BeMSA may not be able to select, provide, or convey the application for consideration without them. We would also like to stress that we do not currently engage in automated decision-making, including profiling, based on the personal data we obtain from you.

7. What is the lawful basis of BeMSA data collection?

Based on the GDPR, there are six lawful bases on data collection, as outlined in article 6 of EU law. At least one of these must apply whenever a party is processing personal data:

  1. Consent: The individual has given an organization clear consent for processing personal data for a specific purpose.
  2. Contract: The data processing is necessary for a contract that exists with the individual, or because they have asked to take specific steps before entering into a contract.
  3. Legal obligation: The data processing is necessary for the organization to comply with the law, not including contractual obligations.
  4. Vital interests: The data processing is necessary for the organization to protect an individual’s life.
  5. Public task: The data processing is necessary in order to perform a task in the public’s interest or for the organization’s official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: The data processing is necessary for the legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests.

BeMSA will ensure that at all times the lawful bases are respected, and at least one of the conditions stated above is fulfilled. All personal data collection activities by BeMSA and its officers will be supervised by the BeMSA Executive Board to ensure its compliance with the aforementioned basis.

8. Instances of data sharing with a third party

BeMSA will not sell, rent, or otherwise share your personal data for marketing and targeted advertising purposes. We also would like to assure you that any instance of active data-sharing will happen only with your consent through a clearly distinguished explanation of the purpose of said sharing either before, during, or after the data collection process.  The following are the entities with whom we may share data with and for what reason:

  • Organizers of our National General Assemblies (NGA): at some points, we will need to share specific personal data with organizers of our National General Assemblies to ensure that they will be able to provide adequate and suitable services to the applicants.
  • Agencies, institutions, or academics for research purposes: we may allow third party organizations to engage with our network for data collection or research purposes. In all cases, we will ensure that the process is compliant with our research policies and that the data collection contains as little identifiable data as possible.
  • Software or technical providers: third-party agents that allow us to operate efficient digital processes and render satisfactory service to our members.
  • BeMSA Local Committees, Officials, Executive Board: in such cases where data are indispensable to application and selection processes, or the conveyance of the relevant information to all parties involved.
  • Law enforcement or regulatory bodies: we may have to transfer specific data if we are under the duty to disclose or share your personal data in order to comply with any legal obligations or to protect the rights, property, or safety of our members and users.

This is an indicative and not an exhaustive list. Please note that whenever we share personal data, we take all reasonable steps to ensure that it will be handled appropriately and securely by the third party. In all instances, we will share only information that is absolutely relevant and clearly necessary to deliver the service or fulfill the purpose of the data sharing. Especially with partners that are not directly related to our organization, we will have a contract in place in place to ensure secure handling of these pieces of information and clearly limit the way they will be able to use the shared data. In the case of Law Enforcement and Regulatory Bodies, where contracts are not applicable, we will continue to make all reasonable efforts to ensure that your privacy remains protected.

9. How long do we retain personal information?

We retain personal information only as long as it is necessary for the purpose of the data collection. This purpose will be detailed during the data collection process. In general terms: we will retain personal data for so long as required by law, or as may be required for record keeping and legal claims purposes.

10. Where do we store personal information?

We store most of the data we collect in our Google Suites connected domain and our web hosting service. In all cases, we strive or will continue to strive to ensure that the organizations we work with have adequate data-protection and confidentiality clauses on data collection that are compliant with the regulations set out within the GDPR.

11. Security precautions in place to protect the loss, misuse or alteration of your information

We will be putting in place a robust internal guideline on personal data management within BeMSA. This will allow us to keep track, limit, and in specific cases: remove access to your personal data from administrators within BeMSA. In all cases, personal data are only shared to officers who require it to complete a specific purpose, in line with what will be detailed during the data collection process.

Additionally, to reduce uncontrollable data dissemination and improve our ability to control access to the personal data we collect, we regularly request and strive to ensure that our officers work in a cloud-based environment fully within the domain. We will continuously strive to ensure the storage of these personally identifiable pieces of information is done as securely as possible.

12. Other websites

Parts of this website may contain links to other sites, such as related agencies with source material that supports our content, or partner organizations that we work with. We would like to clarify that we are not responsible for the content or privacy practices of these other sites and we encourage you to be aware of the privacy policies of these sites before engaging in any actions.

13. Your rights where we are processing your information

The European Union General Data Protection Regulation highlights certain rights to citizens of states within EU and the EEA whose information is being collected by an organization (as data subjects). The following is a quick summary of your rights pertaining to data collected by BeMSA:

  1. Access: you have the right to request the personal information that we have about you. If you would like a copy of this activity, please contact us at the email address specified below.
  2. Correction: you have the right to request a rectification to incomplete, inaccurate, or false information on your personage within our possession.
  3. Deletion: you have the right to request the deletion of parts or the entirety of your personal data within our possession without undue delay on these grounds:
    1. Where you feel the data is no longer necessary in relation to the purposes for which they were collected or processed
    2. Where you are withdrawing consent for the use of your data
    3. Where you have objected to the use of the data
    4. Where you feel the use of the data is contrary to the law
  4. Objecting: you are free to object to our use of your data at any time for marketing, newsletter, or mailing list purposes. Unless there are overriding legitimate grounds, we will cease the usage of these personal data immediately.
  5. Restricting our use of your data: this may happen when you do not believe you want your data removed from our storage, but you no longer give consent to the usage of the data for the purposes detailed during the collection process or that which are dictated within this privacy policy.
  6. Withdrawing Consent of Use: the regulations dictate that withdrawing consent should be as simple as providing it. As such, you are free to withdraw your consent for data that we have collected, and we will cease our use of the information immediately for the purpose(s) that you have consented to in the first place.

14. Contact information

Should you find some infringements that you would like to be rectified or would like to find more information on our privacy policies, please contact us at with the subject [GDPR INQ] in the subject line.