CME Dispuut
Last updated: 20 January 2026

CME Dispuut , affiliated with TU Delft, attaches great importance to the careful handling and protection of personal data. This Privacy Statement explains which personal data we process, for what purposes, on which legal bases, how long such data is retained, and what rights data subjects have under the General Data Protection Regulation (“GDPR”) [Dutch: Algemene verordening gegevensbescherming (“AVG”)].

1. Data Controller

The data controller responsible for the processing of personal data is:

CME Dispuut – Executive Board
Delft University of Technology
Stevinweg 1 (Room 6.70), 2628 CN Delft

2. Personal Data we Process

Depending on the nature of your relationship with us, we may process the following categories of personal data:

• first name and surname;
• email address;
• telephone number;
• student number, where necessary;
• study programme and/or year group, where relevant;
• date of birth, where necessary for a specific activity or legal requirement;
• bank account number and payment details, where applicable;
• membership status;
• records relating to participation in events and activities;
• dietary requirements or accessibility-related information, where voluntarily provided and strictly necessary;
• photographs and video recordings in which individuals may be identified;
• correspondence and other information submitted through registration forms, email, or other communication channels.

We only process personal data to the extent necessary for the purposes set out in this Privacy Statement.

3. Purposes of Processing

CME Dispuut may process personal data for the following purposes:

3.1 Membership Administration

To register members, maintain membership records, and manage communication in connection with membership.

3.2 Organisation of Events and Activities

To organise and facilitate events, including processing registrations, participant lists, and practical arrangements.

3.3 Communication

To provide members and participants with invitations, announcements, updates, and other information relating to the activities of the Dispuut.

3.4 Financial Administration

To administer membership fees, event contributions, reimbursements, and other related financial matters.

3.5 Promotion and Archiving

To document and promote the activities of the Dispuut through photographs, videos, and other media, including publication on websites, social media channels, or internal communication platforms.

3.6 Safety and Accessibility

Where necessary, to take into account dietary preferences, medical necessities voluntarily disclosed, or accessibility needs in the context of specific events or activities.

4. Legal Bases for Processing

We process personal data only where there is a lawful basis for doing so under the GDPR. Depending on the circumstances, processing may be based on:

• the performance of a contract, including the administration of membership or participation in an event;
• consent, for example where explicit permission is required for certain forms of publication or optional communication;
• legitimate interests, such as the internal organisation of the Dispuut, communication with members, and the promotion of activities, provided that such interests are not overridden by the rights and freedoms of the data subject; or
• compliance with a legal obligation, where we are required to retain or process certain data under applicable law.

5. Photographs and Video Recordings

Photographs and video recordings may be made during events and activities organised by CME Dispuut.

Where individuals are identifiable in such materials, these images may constitute personal data. We aim to handle such materials with due care and in accordance with applicable law. In particular:

• participants may be informed in advance that photographs or recordings may be made during an event;
• for targeted or portrait-style images focused primarily on one or a limited number of individuals, consent may be requested where appropriate;
• for general atmosphere images taken during activities, processing may take place on the basis of our legitimate interests in documenting and promoting the Dispuut, subject to a careful balancing of interests.

Any individual who objects to the use or publication of an identifiable image of themselves, or who wishes to withdraw previously given consent, may contact us using the contact details provided in this Privacy Statement. We will assess such requests with due care and take appropriate action where required.

6. Retention Periods

We do not retain personal data for longer than is necessary for the purposes for which it was collected, unless a longer retention period is required by law.

In general, we apply the following retention periods:

• membership administration data*: up to [2 years] after the end of membership;
• event registration data: up to [6 months] after the relevant event;
• financial records: for the period required under applicable legal or administrative obligations;
• mailing list data: until the individual unsubscribes or the communication is no longer relevant;
• photographs and video recordings: for as long as they remain relevant for archival, historical, or promotional purposes, unless a valid objection is made or consent is withdrawn where consent formed the legal basis.

*There is not an active membership as of this moment of the statement.

7. Sharing of Personal Data

We only share personal data where necessary for the purposes described in this Privacy Statement. Data may be shared with:

• board members and committee members, insofar as necessary for the performance of their duties;
• payment service providers, banks, or treasurers involved in financial administration;
• service providers used for email, cloud storage, registration systems, or other technical support;
• third parties involved in the organisation of a specific activity, where strictly necessary.

Where third parties process personal data on our behalf, we will ensure that appropriate safeguards are in place, as required by applicable law.

We do not sell personal data to third parties.

8. Security Measures

CME Dispuut [Full Name] takes appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

Such measures may include, among other things:

• restricting access to personal data to those who require it for their role;
• using password-protected systems and, where available, multi-factor authentication;
• storing data in secure digital environments;
• periodically reviewing access rights and data storage practices.

9. Rights of Data Subjects

Under the GDPR, data subjects may have the right to:

• request access to their personal data;
• request rectification of inaccurate or incomplete data;
• request erasure of personal data, where applicable;
• request restriction of processing;
• object to certain forms of processing;
• withdraw consent at any time, where processing is based on consent; and
• request data portability, where applicable.

Requests concerning the exercise of these rights may be submitted to:

hello@cmedispuut.nl

We will respond within the period prescribed by applicable law.

10. Complaints

If you have any questions, concerns, or complaints regarding this Privacy Statement or the way in which CME Dispuut processes personal data, you may contact us using the contact details above.

You also have the right to lodge a complaint with the competent supervisory authority, including the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), where applicable.

11. Amendments

CME Dispuut reserves the right to amend this Privacy Statement from time to time. Any updated version will be published on the relevant website or otherwise made available to data subjects.

Extra Statement regarding the Website

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.