Privacy & copyrights
Privacy Statement Howest
Howest attaches great importance to your privacy. Therefore, we only process personal data that is required for our operations and in order to be able to offer you the best possible service. We handle the information we have collected about you with the utmost care.
The present privacy statement describes what information we collect about you, for what purpose this information is used and with whom and under what conditions this information may be shared with third parties. We also explain in which way we store your data and how we protect your data against possible misuse and what rights you have with respect to your personal data.
We collect and process personal data of data subjects involved. By data subjects we understand:
- Staff members, lecturers, guest lecturers, research staff, job students, volunteers
- Applicants (free applications or in response to a Howest job offer)
- Contractor personnel supplying specific services (e.g. catering)
- External service providers (e.g. maintenance of software packages we use)
- (potential) candidate-students
- Participants/visitors to events, congresses, contact days, info days, assignments as service to organizations, fairs, …
- External contacts (e.g. teachers or other staff members of secondary education, (potential) work placement companies, (potential) suppliers, (potential) speakers, press contacts, work field committees)
- Ex-students (alumni)
- Ex-staff members, formers lecturers, formers guest lecturers, former research staff members
- Visitors to our website(s)
The data controller is Howest, with registered office in 8500 Kortrijk, Marksesteenweg 58 and phone number +32 56 241290. Our other addresses and phone numbers can be found on our website https://www.howest.be. Please do not hesitate to contact us for all your questions regarding this privacy statement. The Howest Data Protection Officer can best be contacted by email: firstname.lastname@example.org.
What is personal data and what does processing mean?
Personal data includes all information about an identified or identifiable natural person ("data subject"); with your name or national registry number, we know immediately (directly) who you are, but a combination of your address, age and gender (indirectly) also allows us or another party to recognize you to a certain extent. So, personal data is all data that can be linked to you in one way or another, such as e-mail address, telephone number or even IP address (the internet address of your computer).
Processing of personal data means any operation such as collection, recording, storage, consultation, use, update, transmission, provision, deletion, ...
Which personal data do we process and for what purpose?
Howest ensures that the processing of personal data is limited to the intended purpose(s). Howest processes personal data in order to achieve these purposes.
Education and research matters
This concerns the registration, the management, the optimization and the control with regard to:
- Student administration (including enrolment, de-enrolment, communication of results, student file, study credits, learning account, diploma, publication diploma booklet, study tracks, study grants, invoicing, student council, school accidents, educational leave, rental contracts, lost diplomas, registration of decease)
- Educational logistics (this includes class rooms, schedules)
- Organization of study programmes (this includes student follow-up system, registration of attendance, registration of participation in evaluation, division into groups, follow-up, coaching, evaluation including the possibility of appeal, monitoring, mentoring, deliberation, educational field trips, recording and distribution of some lessons, entry test, plagiarism detection)
- Organization of work placements and projects (this includes work placement fair, work placement companies/locations, work placement reports)
- Work field contacts (this includes the organization of seminaries and other contacts with the work field, services, start-ups)
- Research files (this includes the creation of a file, sending the file to partners and the granting authorities, user group)
- Surveys in the framework of research
- Library (including archiving and making bachelor papers available to students)
- Organization of internationalization (this includes follow-up, mobility file)
- Outflow guidance
Some classes are recorded in view of making these available to students (including other student groups) online afterwards. The students are informed about these recordings and in principle never appear on screen. If questions are asked, the student can ask to stop the recording. In certain cases, the choice can be made to have a student appear on screen, with the student's permission, e.g. during practical tests. It can also happen that a student, as part of coaching or evaluation, makes a video and passes it on to the lecturer. In case the lecturer should want to use such a video for a purpose other than coaching or evaluation of the student involved and also wants to show the video to other students, he will only be allowed to do so with the permission of the student involved.
In some evaluations via online systems, Howest may require that these evaluations be monitored via a specific tool and technology. In order to have the exam or other evaluation take place in a fair and correct way, we are forced to check the identity in the first place. This identity verification is also effected in the case of a classical examination, as stipulated in the OER (Education and Examination Regulations), whereby the student must at all times be able to prove his or her identity to the examiner or supervisor by means of the student card or identity card. As it now concerns a digital examination, this identification is effected by means of a camera. As part of the registration procedure, a Howest staff member can manually verify the identity of the student after the exam on the basis of the photo on the student card.
In view of possible fraud, other elements can be recorded, such as the IP address, the time and duration of use of the tool (sometimes broken down by question/answer), the login details, the screen content.
During the exam, the camera can be used to make audio, video and photo recordings of both the screen and the student (and his environment) in order to check for irregularities. Irregularities can be detected in the recordings so that these can be verified manually in case of a possible irregularity. The recordings are only used in view of detecting possible irregularities (and infringements against the OER).
Some tools used in online exams also detect which software is running on your computer to ensure that no fraud can be committed. These tools report the detected software and refuse to boot. However, the information related to the detected software is not forwarded in these cases.
At the enrolment of students, the electronic identity card is read in order to ensure the accuracy of the data in our student administration system. This is necessary, among other things, for the link with the Databank Hoger Onderwijs, the Higher Education Database (DHO) of the Flemish Government, and in order to be able to draw up correct credit certificates and diplomas.
In some cases, a number of social data is also collected at the time of enrolment. As far as possible, these data are further processed through anonymization or pseudonymization in view of the justified importance for the promotion of educational and career opportunities. Data related to migration background is also processed in a similar way, but on the legal basis of consent.
For surveys, an “informed consent” is always required, in which the necessary arrangements are laid down.
The legal grounds for the processing operations in this category of education and research are mainly our obligations regarding the agreement to provide education and the legal obligations imposed on an educational institution. The outflow guidance too is part of the obligations concerning the agreement to provide education. A small number of processing operations are based on consent or specific agreement (e.g. voluntary participation in a student event or in a survey). Contacts with the work field come under the scope of legitimate interest.
These pertain to the registration, management, optimization and control in relation to:
- Personnel (this includes personnel file, recruitment, dismissal and resignation, temporary contracts, contracts with guest lecturers, applicants, volunteers, internal jobbing students, internal trainees, payroll administration, other allowances, contact details in case of an emergency)
- Career (this includes leave, sickness, overtime, appointments, retirements, decease, career break, cumulative activities, debt mediation and seizure of wages, time registration, work planning follow-up)
- The well-being and functioning of our employees (this includes employee evaluations, employee training and competencies, medical examinations, work-related accidents, ergonomics, campaigns in view of improving organization or well-being, organization of awareness-raising campaigns, team events)
- Miscellaneous (this includes company vehicles, season tickets for public transport, insurances, administrators and shareholders, communication of new recruitments through an internal company channel)
The legal grounds for these processing operations mainly concern our obligations with regard to the employment contract and our legal obligations. A small number of processing operations are based on consent or on a specific agreement (e.g. voluntary participation in a staff event).
This pertains to the registration, management, optimization and control in relation to:
- Marketing (this includes collecting data relating to potential students for marketing purposes, collecting data relating to the parents of these students, visual material, sending mailings or newsletters, managing press contacts, sending press releases, sending and following up social media messages, organizing events for target groups)
- Quality assurance or other optimization objectives (this includes inflow and outflow surveys, other surveys, module surveys, analytics of the use of the learning platform)
- IT (this includes accounts and authorizations in various systems that are necessary for the data subject, print management, laptops, telephones and associated subscriptions, monitoring of the systems, quotas, licenses, privileged accounts, communication tools)
- Alumni (this includes keeping the data up to date, invitations to events and follow-up training programmes)
- Building (this includes badges, keys, alarm codes, camera surveillance, maintenance and notifications, lockers, registration of visitors, reservation of parking space, rental of classes and premises)
- Sponsorship and donations (this includes: sending a thank-you letter; in the case of sponsorship, entering into a sponsorship agreement; in the case of a donation or gift, drawing up a tax certificate.
In the case of a donation or gift, the law allows Howest as a Higher Education Institution to draw up a tax certificate. In the case of sponsorship, an organisation can receive a specific compensation, for example the mention of the name and/or logo on the website. For a sponsorship agreement, the organisation receives an invoice, to which the VAT legislation applies. Processing in the context of sponsorship has agreement as a legal basis.
- Contact tracing on campus (this includes data collection, consisting of registration of location data via qr codes and contact details, and follow-up, consisting of contacting persons who had an encounter with an infected person, with the aim of limiting the spread of covid-19 on campus).
- Miscellaneous (this includes questions for the ombudsman, registration and disbursement of expenses, budget management, approval and control of purchases, accounting, archiving, applications from data subjects in the scope of the processing of personal data, psychosocial and social services)
The creation and use of visual material with recognizable persons is always subject to the law; so, with the knowledge and consent of the data subject.
Monitoring of the IT systems is subject to legitimate interest and aims to be able to further ensure the proper functioning of the systems whereby anomalies in use are analysed, in view of the security and compliance with Fair Use Policy of Howest IT.
Video conference communication tools, such as Microsoft Teams, are used for communication purposes. If the purpose requires so (e.g. in case of evaluations in order to be able to review the evaluation afterwards for further evaluation or detection of fraud or possibility of appeal) these conversations can also be recorded by one of the participants. In the event of chat tools, such as LiveZilla, the chats are stored by default, thus allowing Howest subsequently to identify improvement actions within the framework of quality assurance in order to improve the service. The standard communication tools to be used are mentioned in the Fair Use Policy of Howest IT. Other tools can only be used after successful screening.
Marketing data is collected through the organization of or participation in specific events (e.g. SID-ins, Knappe Koppen, open teaching days, congresses, fairs). Marketing actions are always subject to the legislation in force, and therefore (depending on the specific context) on the basis of consent or on the basis of legitimate interest.
The analytics of the use of the learning platform and other specific platforms are only used for quality assurance purposes and are not used for the evaluation of the student.
Quality assurance also includes the archiving (and in specific cases the aggregating) of personal data in view of the long-term quality monitoring. Alumni, quality assurance and a large part of the IT and various processing operations are effected in the scope of legitimate interest.
The contact tracing data collected on campus are kept internally for 14 days after which they are destroyed. Only in case of notification of an infection, this data will be used by an employee functioning as an internal contact tracer for the service for prevention and protection and, based on the data managed by this application, this service will retrieve the data related to this infection. Through this additional risk analysis, possible additional measures can be taken, such as contacting the other potentially infected persons, evaluating and adjusting existing measures and locating possible sources of contamination of COVID-19. Processing in the context of contact tracing has permission as a legal ground.
This pertains to:
- Processing contact forms (e.g. request for information, event registration)
- Processing of student registrations, provisional or other (including reading of e-id data)
- Collection and processing of data in view of the protection of our website(s) and guarantee of proper functioning
The agreement for the training programme constitutes the legal ground for the websites that are part of the learning environment.
Howest also holds the responsibility for a number of specific websites, e.g. for specific projects within the training programme. These specific websites have their own privacy statement and may refer to the present privacy statement as far as some general information is concerned.
Special categories of personal data
Within GDPR (General Data Protection Regulation), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016), articles 9 and 10, a number of special categories of personal date are defined as data related to race or ethnic origin, politic opinions, religious or philosophical convictions, the membership of a trade union, genetic information, biometric information in view of the unique identification of a person, health, sexual behaviour or sexual orientation, criminal convictions and criminal offences.
Howest only processes this data in the following exceptional circumstances:
- Biometric information in view of the unique identification will not be processed. Sometimes, online evaluations do use a (web) camera, but in this case there is no processing in view of identification; so, this cannot be considered as processing within this special category of personal data. The same applies to the passport photos of the students. Here, there is no processing in view of identification either.
- Data regarding the health of students are processed as part of talent coaching and student services (amongst others, granting facilities) with the explicit consent of the data subject. Moreover, this data is only accessible for those staff members who need the information.
- Regarding health, there is also the processing in order to register absences of students and staff members, work-related accidents and school accidents. Moreover, some specific diseases and allergies can also be minimally registered in view of prevention (at work, during courses, during events).
- The Flemish legislation requires an extract from the criminal records at the recruitment of officials to prove that the applicant has a blank criminal record. The request for this extract is therefore restricted to this specific objective.
In some cases, Howest uses automated individual decision-making, whereby an assessment is automatically executed which subsequently results into granting a score (marks). In these cases, the legal basis consists pf the fact that this is necessary for the execution of an agreement between Howest and the data subject. In any case, the student always has the right to request a human intervention.
Howest does not carry out profiling in any way.
In those cases where an automated tool is used for the detection of a possible anomaly at an online examination, this is merely a tool that indicates which parts of an online examination must be checked by means of human intervention.
Who has access to this personal data?
Howest is the controller. This means that we decide which data we collect and to what purpose. In legal terms, we determine the purpose of the processing. But this does not mean that every Howest staff member has access to everything. Your personal data will only be available to the services and the staff members who need this for their work. A large part of the IT access control is also logged in view of inspection regarding the compliance of the Howest IT Fair Use Policy.
For some services (e.g. IT, social secretariat, marketing, catering) we work together with specialized partners. During these interventions these partners can have access to your data, but they always act according to our guidelines laid down in a contract which guarantees that they apply the same high privacy standards. They cannot use the personal data for another purpose. Sometimes Howest is not the only controller. This is e.g. the case for the organization of events with external partners or for some cooperation formats with social media platforms.
Transfers of personal data
We also exchange personal data with a number of governments and organizations. Nevertheless, we never merely give your personal data to third parties. We only do so provided there is a legal ground.
Social media messages are posted on the respective platforms (this also includes Facebook, Twitter, LinkedIn, Flikr, YouTube, Instagram, Snapchat, Eventbrite). In view of the optimization of these social media messages, there is a cooperation with an external party which further processes these posts. This external party is processor by order of Howest and only uses this data within the scope of the assignment with Howest.
Howest appeals to the (marketing) services of third parties, such as Facebook, to be able to address a specific target group via social media. This can be effected by means of Facebook look-a-like audiences whereby Howest transmits (relevant) data of students to Facebook with the aim that Facebook shows an advertisement to profiles which are similar to the profiles of the students that we have entered as input. Facebook offers a number of guarantees in the field of these transfers (amongst others pseudonymisation via hashing). The actual presentation of the advertisement comes under the Facebook liability and privacy statement. The legal basis for this transfer by Howest is consent (provided cookies are transferred) or justified interest (if no cookies are transferred and if it concerns students who are enrolled in a Howest study programme).
In view of filling in job applications, Howest also uses personal data obtained via LinkedIn Recruiter. The legal ground for this transfer completely lies with LinkedIn.
Because of legal obligations, there is also a data transfer with the Databank Hoger Onderwijs (DHO) managed by AHOVOKS. Howest sends all information regarding enrolment and results to the databank and can consult the databank in the framework of personal data and previous studies. AHOVOKS is a Flemish government agency.
Personal data is provided to third parties with whom Howest or the study programme cooperates in the context of direct marketing and outflow guidance to the labour market or further study. Personal data will only be provided to these third parties if the student gives permission for this at first enrolment. This permission can be changed by the student at any time via iBamaFlex.
Results of students are shared with their secondary schools in view of their quality care. This transfer only applies if the student grants permission at the first registration and can be managed by the student through iBamaFlex.
For international exchange students, some specific personal data must be transmitted to the guest institution (name, sex, email address, date of birth, nationality, study programme). This is the information that is collected in the Learning Agreement. Other information (such as study results and language knowledge) is given to the guest institution by the student himself/herself. Often, Howest also has to nominate online with the guest institution, whereby the same basic information is asked, including, if the occasion arises, a mobile phone number and address. The guest institution will inform Howest about the study results and work placements. Depending on the financing of these exchange programmes, an exchange of personal data (name, sex, email address, address, date of birth, nationality, university of applied sciences/university of the destination, scholarship information, credits obtained) also takes place with EPOS (this is the agency for the Erasmus+ programme in Flanders) and the European Commission for Erasmus-related study programmes. If, for this exchange, a financing request is submitted to the Flemish government, the national registry number, the name and the study programme are also transmitted to the Flemish government (VLUHR).
‘Moveon’ is the software/database in which we store all personal data of the students who enrol for, long-term and short-term, individual international mobility. The students enrol themselves. International incoming students who want to take an exchange programme at Howest also must enrol here and enter personal data.
For work placement in companies the necessary information is transmitted to the company. Afterwards, the company informs Howest about the progress of the work placement. For work placement in international companies, the exact same information, as mentioned above for exchange students, is transmitted to the work placement company in the Learning Agreement for Traineeship.
For the organization of events, Howest will transmit the necessary personal data to other parties involved in the organization of this event. The legal basis here is the original entry to participate in the event (agreement or consent).
In view of offering the appropriate software licences to Howest students and staff members, Howest has an Academic Software cooperation with Signpost. To be able to offer this service, Howest must transmit the appropriate information to Signpost.
In order to purchase study materials, Howest has entered into a cooperation agreement with Standaard Boekhandel. To offer this service, Howest needs to provide the appropriate information to Standaard Boekhandel.
Howest uses Office 365 and Google Drive. A part of the personal data (also email) is therefore stored on these platforms. There are also a number of more specific cloud platforms, such as e.g. for the learning environment (Canvas software managed by Instructure), for video recordings of courses (Panopto managed by Panopto), for user information and recordings at online exams (Respondus Lockdown Browser and Respondus Monitor software managed by Respondus), for chats (LiveZilla managed by LiveZilla), for repositories with software code (GitHub ClassRoom within GitHub Education managed by GitHub), for several virtual machines (Azure managed by Microsoft), for plagiarism detection (several partners). Howest entered into contracts with all these parties which offer the appropriate guarantees in the field of data protection and information security.
Eduroam means education roaming. It is a system which allows Howest students and staff members to use the WiFi infrastructure of other organizations that are affiliated to Eduroam. In addition, it is also used within Howest to give European students or staff members of European educational institutions in a safe and fast way access to the internet.
Personal data is provided to GUIDO plc with whom Howest has entered into a cooperation agreement between data controllers in the context of the ISIC student cards. This card is necessary for the agreement as it is required for access to the campus, identity control during exams and various payments on campus (vending machines, cash register, printers, etc.). Even when ISIC student cards for certain specific groups are not delivered by default (but can be delivered on simple request), the personal details are passed on to GUIDO plc.
Personal data is provided to UGent with whom Howest has entered into a cooperation agreement for access to the library.
For legal obligations, there are also information transfers in relation to amongst others the governmental services Dimona (entry into service and leaving service with the RSZ), Capelo (retirement pensions), tax authorities, inquiries in the scope of judicial investigations.
The receivers referred to can be situated in locations outside the European Economic Area (EEA). In this case, the protection of your data is guaranteed as it is situated in countries which have an adequacy decision from the European Commission, or that appropriate contractual provisions have been entered into with these receivers.
The legal grounds for these transfers are legal obligations, necessary for the agreement or legitimate interest. Where permission is being used as a legal basis, this will always be specified individually.
The security and storage period of personal data
Howest never stores the personal data longer than the time required. For a number of the mentioned processing operations, there is a legal minimum term which is respected.
In principle, personal data of students are stored as long as they has a relation with the university of applied sciences or on the basis of a legal ground with accompanied purpose. Official reports including student information (name, first name, place of birth, date of birth and obtained results) are stored for 50 years. The student files of the graduated students are also stored for the same period. This file contains all the student information. The objective is to allow that (former) students can apply for an extract for a very long period after graduation (mostly around the time of their retirement date).
Personal data entered at an online registering is stored during a term of 5 years. Paper files are stored until 1 year after unsubscribing and are then destroyed.
Personal data of staff members are stored as long as they have a relation with Howest, to the exception of this data for which the staff member himself/herself has given permission for a longer storage period and to the exception of this information which should be stored for a longer period on a legal basis.
Personal data of third parties (co-contractors) are stored for the period that is required for the execution of the contractual agreements entered into.
Personal data of participants to a survey and/or inquiry are stored in accordance with the period indicated in the “informed consent” granted in advance, if applicable.
Personal data processed on the occasion of an event registration are stored during the period allowed by the data subject. As this information is also often used for an invitation to a sequel event, this period mostly amounts to 3 years.
For a number of specific cloud platforms (e.g. Respondus) the storage term is determined by the cloud platform. For Respondus it amounts to 1 year. For the other platforms it is determined by the purpose for which the data is processed. In order to allow possibilities of appeal on the occasion of evaluations, these storage periods mostly amount to 1 year.
Information protection is a necessary condition for the protection of personal data. Therefore, Howest provides for appropriate technical and organizational measures to guarantee the confidentiality, integrity and availability of personal data and to secure these against any form of loss or unlawful processing.
In this policy document, Howest pays the necessary attention to general principles such as:
- Purpose limitation
- Storage limitation
- Data protection by design
- Accountability obligation
- Contractual agreements
Rights of data subjects in the framework of personal data processing
Which rights do you have in the framework of the processing of the personal data?
Depending on the purpose and the legal ground on the basis of which Howest processes personal data, the data subjects involved can exercise the following rights:
- The right to ask which personal data is processed and in case this data should not have been given directly to Howest, ask for information about the source of this data;
- The right to ask to correct data when it is false;
- The right to ask ‘to be forgotten’ provided a number of conditions has been complied with;
- The right to ask to supply specific information which the data subject can transfer to another organization;
- The right to file objection against the processing of personal data in the framework of completely automated processing operations, against legitimate interest and against marketing;
- The right to limitation of data processing can be invoked when the processing is not legitimate, or in anticipation of a decision regarding the right to correction or the right to objection.
How can you exercise these rights as data subject?
To appeal to these rights, you can contact us to exercise your rights, accompanied by a motivation for your request. To obtain certainty about the justification of a request or the identity of an applicant, Howest may ask for additional information. Howest reserves the right, for duly justified reasons, not to respond to a request. This is e.g. the case when a request is apparently unfounded or undue.
To exercise these reasons, but also for further questions about the several rights and obligations in the field of data protection, or if you think that your personal data is processed in an unjustified and/or incorrect way by Howest, you can contact the Data Protection Officer of Howest via email@example.com. Other contact information can be found in the section “Contact”.
When you are of the opinion that insufficient response has been given to a request or complaint, you can, depending on the context, address to the Vlaamse Toezichtcommissie or the federal data protection authority Federale Gegevensbeschermingsautoriteit:
Koning Albert II-laan 15, 1210 Brussel
Tel +32 (0)2 553 50 47
Remaining rules, remaining privacy declarations
This document does not include all applicable rules in relation to personal data processing. There are also a number of other documents:
- Howest Onderwijs- en examenreglement (OER)
- Howest IT Fair Use Policy
Because of their specific character, the Student services and Talent Coaching departments have extra privacy declarations, so that the students involved who rely on these services, obtain clear and completely relevant information.
For some services that are completely independent of the processing by Howest, there are specific websites with a specific privacy declaration.
Wijzigingen aan de privacyverklaring
Our services are constantly subject to changes. Therefore, the present privacy declaration can be updated from time to time so as to reflect changes in the way in which we work or in legislation. So, you can check this every time you transfer personal data to us. The date of the latest updates will always be mentioned in the title of this privacy declaration.
In case important amendments are made to the Privacy Declaration, for instance amendments which have an effect on the way in which we want to use your personal data, we will communicate this this in a more direct way (including, for some services, notification of amendments in the privacy declaration by email).