Rector's Directive No. 16/2018

To implement: Regulation (EU) No. 2016/679 of the European Parliament and of the Council o of natural persons with regard to the processing of personal data and on the free movement and repealing Directive 95/46/EC (General Data Protection Regulation)

Date of effect: 25 May 2018

Principles and Rules of Personal Data Protection

Part One – Fundamental Provisions

Article 1 – Subject-matter

1. This Rector’s Directive (“the Directive”) provides the principles and rules for processi data at Charles University (“the University”) and the responsibilities of persons ensuri protection at the University, and defines the rights and duties of employees, students, also other natural or juridical persons involved in activities related to personal data

2. This Directive is based on Regulation (EU) No. 2016/679 of the European Parliament and o on the protection of natural persons with regard to the processing of personal data and movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulat Regulation”) and on Act No. 101/2000 Sb., on the protection of personal data and to chan as amended (“the Act”) where the Directive supplements and elaborates on some of the pro the Regulation and the Act governing the relations within the University and provides or procedures for their implementation.

Article 2 – Definitions

1. For the purposes of this Directive:

a. “personal data” means any information relating to an identified or identifiable natura subject”); an identifiable natural person is one who can be identified, directly or in particular by reference to an identifier such as a name, an identification number, loc online identifier or to one or more factors specific to the physical, physiological, g economic, cultural or social identity of that natural person;

b. “processing” means any operation or set of operations which is performed on personal d of personal data, whether or not by automated means, such as collection, recording, or structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosu transmission, dissemination or otherwise making available, alignment or combination, r erasure or destruction;

c. “restriction of processing” means the marking of stored personal data with the aim of processing in the future;

d. “profiling” means any form of automated processing of personal data consisting of the data to evaluate certain personal aspects relating to a natural person, in particular predict aspects concerning that natural person's performance at work, economic situati personal preferences, interests, reliability, behaviour, location or movements;

e. “pseudonymisation” means the processing of personal data in such a manner that the per no longer be attributed to a specific data subject without the use of additional infor that such additional information is kept separately and is subject to technical and or directive to ensure that the personal data are not attributed to an identified or iden person;

f. “filing system” means any structured set of personal data which are accessible accordi criteria, whether centralised, decentralised or dispersed on a functional or geographi

g. “controller” means the natural or legal person, public authority, agency or other body jointly with others, determines the purposes and means of the processing of personal d purposes and means of such processing are determined by Union or Member State law, the the specific criteria for its nomination may be provided for by Union or Member State

h. “processor” means a natural or juridical person, public authority, agency or other bod processes personal data on behalf of the controller;

i. “processors acting in a chain” means a situation when another person in the role of (p processor is involved in personal data processing based on a written consent of the Un

j. “recipient” means a natural or juridical person, public authority, agency or another b the personal data are disclosed, whether a third party or not. However, public authori may receive personal data in the framework of a particular inquiry in accordance with Member State law shall not be regarded as recipients; the processing of those data by authorities shall be in compliance with the applicable data protection rules according of the processing;

k. “third party” means a natural or juridical person, public authority, agency or body ot data subject, controller, processor and persons who, under the direct authority of the processor, are authorised to process personal data;

l. “consent” of the data subject means any freely given, specific, informed and unambiguo of the data subject's wishes by which he or she, by a statement or by a clear affirmat signifies agreement to the processing of personal data relating to him or her;

m. “personal data breach” means a breach of security leading to the accidental or unlawfu loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, otherwise processed;

n. “genetic data” means personal data relating to the inherited or acquired genetic chara natural person which give unique information about the physiology or the health of tha and which result, in particular, from an analysis of a biological sample from the natu question;

o. “biometric data” means personal data resulting from specific technical processing rela physical, physiological or behavioural characteristics of a natural person, which allo unique identification of that natural person, such as facial images or dactyloscopic d

p. “data concerning health” means personal data related to the physical or mental health person, including the provision of health care services, which reveal information abou health status.

2. Additional definitions are stated in Article 4 of the Regulation.
Article 3 – Principles Relating to Processing of Personal Data

1. Personal data must be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject fairness and transparency”);

b. collected for specified, explicit and legitimate purposes and not further processed in is incompatible with those purposes (“purpose limitation”); further processing for arc in the public interest, scientific or historical research purposes or statistical purp be considered to be incompatible with the initial purposes;

c. adequate, relevant and limited to what is necessary in relation to the purposes for wh processed (“data minimisation”);

d. accurate and, where necessary, kept up to date; every reasonable step must be taken to personal data that are inaccurate, having regard to the purposes for which they are pr erased or rectified without delay (“accuracy”);

e. kept in a form which permits identification of data subjects for no longer than is nec purposes for which the personal data are processed (“storage limitation”); personal da for longer periods insofar as the personal data will be processed solely for archiving the public interest, scientific or historical research purposes or statistical purpose implementation of the appropriate technical and organisational directives required by in order to safeguard the rights and freedoms of the data subject;

f. processed in a manner that ensures appropriate security of the personal data, includin against unauthorised or unlawful processing and against accidental loss, destruction o appropriate technical or organisational directives (“integrity and confidentiality”).

2. Persons stated in part two of this Directive are responsible for compliance with the pri paragraph 1 and must be able to demonstrate, pursuant to Article 5 (2) of the Regulation with these principles (“accountability”).

Article 4 – Lawfulness of Processing

1. In accordance with Article 6 of the Regulation the processing is lawful only if and to t at least one of the following applies:

a. the data subject has given consent to the processing of his or her personal data for o specific purposes (the conditions for consent are detailed in Articles 7 and 8 of the

b. processing is necessary for the performance of a contract to which the data subject is order to take steps at the request of the data subject prior to entering into a contra

c. processing is in accordance with generally binding legal regulations in force and is n compliance with a legal duty to which the controller is subject;

d. processing is necessary in order to protect the vital interests of the data subject or natural person;

e. processing is in accordance with generally binding legal regulations in force and is n performance of a task carried out in the public interest or in exercise of official au in the controller;

f. processing is necessary for the purposes of the legitimate interests pursued by the co a third party, except where such interests are overridden by the interests or fundamen freedoms of the data subject which require protection of personal data, in particular subject is a child.

2. The provision of paragraph 1 (f) does not apply to processing of personal data carried o University when the University acts as a public authority in matters vested in the Unive 111/1998 Sb., to regulate higher education institutions, as amended (the Higher Educatio another legal regulation. In such cases paragraph 1 (c) applies.
Article 5 – Processing of Special Categories of Personal Data

1. The processing of personal data revealing racial or ethnic origin, political opinions, r philosophical beliefs, or trade union membership, and the processing of genetic data, bi uniquely identifying a natural person, data concerning health or data concerning a natur life or sexual orientation shall be prohibited in cases to which paragraphs 2 and 3 do n

2. Exceptions to the prohibition of processing of personal data under paragraph 1 are state of the Regulation, in particular the personal data specified in paragraph 1 may be proce that the data subject has given explicit consent to the processing of such personal data more specified purposes. Consent must be given in writing, signed by the data subject, a indicate the data to which it applies, for which purpose and for what period it is given giving the consent. By signing the consent form, the data subject also confirms to have his rights in advance. The employee processing the personal data must be able to prove t consent over the entire period of the data processing.

3. An exception to the prohibition under paragraph 1 also applies to the following data:

a. data concerning the state of health in personal records of employees and students prov data were voluntarily provided by the data subject to be kept in records and they are benefit (e.g., the data affects admission to study, provision of services to special-n accommodation in dormitories, or calculation of the tax liability or other levies impo

b. data concerning membership in trade unions active at the University recorded in person files of the employees providing that the data were voluntarily provided by the data s kept in records and they are kept for payment of membership fees or other levies, incl for such payments;

c. special category of personal data processed for the purposes of projects/research.

4. Processing which does not require identification of the data subject is governed by Arti Regulation.

Part Two – Accountability of Persons Ensuring Personal Data Protection

Article 6 – The University

The University is the body accountable for personal data processing under Article 1 (2). I a controller and a processor. To comply with the requirements of the Regulation and the Ac data protection this part of the Directive defines persons participating in ensuring the a purpose.
Article 7 – University Level

1. The standing of the Rector arises from the Higher Education Act, the Constitution of the other internal regulations of the University. The Rector acts as a governing body of the responsible for compliance with the principles, rules, and procedures applicable to pers processing externally as well as internally within the University in cases performed at level of the University and in those cases where the powers have not been delegated to o stated in this part.

2. Vice-Rectors are accountable to the Rector of the University for compliance with the pri and procedures applicable to personal data processing performed within their fields of a powers stated in Article 11 of the Constitution of the University.

3. The Chief Financial Officer is accountable to the Rector of the University for complianc principles, rules, and procedures applicable to personal data processing performed withi stated in Article 13 of the Constitution of the University.

Article 8 – Faculties and Other Units

1. The deans of individual faculties of the University are accountable to the Rector for co the principles, rules, and procedures applicable to personal data processing performed b and students of the faculty of the University in the fulfilment of their work or study d other natural or juridical persons processing personal data based on a contract with the University, in the matters they are vested with under section 24 of the Higher Education 15 and 16 of the Constitution of the University, other internal regulations of the Unive Rector’s directives.

2. The directors of other units of the University are accountable to the Rector of the Univ compliance with the principles, rules, and procedures applicable to personal data proces by the employees of another unit of the University or by students for whom the unit prov in the fulfilment of their work or study duties or by other natural or juridical persons personal data based on a contract with the other unit of the University, in the matters vested with under Articles 15 and 16 of the Constitution of the University, the rules fo governance of the other unit, other internal regulations of the University, and Rector’s

3. The deans of individual faculties of the University and directors of other units of the appoint no later than within ten days of the date of effect of this Directive a contact personal data protection at the faculty or other unit who will cooperate with the data p officer under Article 13 in performing his tasks under Article 15 concerning personal da activities at the given faculty or other unit of the University. The deans of the facult directors of other units inform under part three the data protection officer of the appo undue delay.

Article 9 – Accountability of Managers for Personal Data Processing

1. A manager is accountable for compliance with the principles, rules, and procedures (stat Directive, in the Regulation, and in the Act) applicable to the processing of personal d within the field he is entrusted with, including safe data storage, and manages in this processing of personal data performed by employees subordinate to him.

2. A manager carries out in the field he is entrusted with the assessment of the impact of processing operations on the protection of personal data under Article 35 of the Regulat purpose, he seeks the advice of the data protection officer under part three.

3. The register of personal data processing activities maintained under part five records, processing activities, the names of the managers in individual faculties or other units University within whose powers the given processing falls. In case of doubt concerning t powers, the decision on the competent person for the given processing activity is made b

a. the Rector in the case of personal data processing involving the central level of the

b. the dean in the case of personal data processing within the powers of the given facult

c. the director of another unit in the case of personal data processing within the powers other unit;

d. the Chief Financial Officer in the case of personal data processing within the powers Office which do not involve the central level of the University.

4. For new activities the accountable manager or managers will be determined before commenc personal data processing.

5. Persons stated in paragraph 3 inform without undue delay the data protection officer und

6. Managers must ensure that their subordinate employees involved in personal data processi themselves to confidentiality. A template of the confidentiality obligation recommended in the employment contracts forms Appendix No. 2 to this Directive.
Article 10 – University Employees

1. The University employees who are involved in personal data processing have a duty to bec with this Directive, the Regulation, other relevant generally binding legal regulations guidance documents on methodology issued by the data protection officer under Article 15 manager superior to the employee is responsible for the employee’s becoming acquainted w documents.

2. Persons stated in paragraph 1 have a duty to process personal data always only within th under conditions determined by the manager who is in charge of the given personal data p activities.

3. Persons stated in paragraph 1 have a duty to keep the personal data confidential and to confidential the security directives the disclosure of which would endanger the personal The confidentiality obligation continues after termination of employment, study, or perf relevant work. The scope of the confidentiality obligation is stated in the employment c

4. If an employee of the University or other person in an employment relationship with the a faculty, or other unit is involved in personal data processing the person is responsib the personal data processing performed. When processing personal data, the person must f instructions and guidance documents on methodology issued by the data protection officer three and provide information to the data protection officer as requested.

5. A person in an employment relationship with the University, faculty, or other unit of th entitled to raise questions or make suggestions concerning personal data processing and the data protection officer under part three either directly or via a contact person und (3).
Article 11 – Students and Lifelong Learning Participants

1. In cases when personal data might be processed in the course of the processing of final students (bachelor’s, master’s and dissertation theses), participants in rigorosum proce participants in lifelong learning, the thesis advisor or supervisor has a duty to introd or the participant in rigorosum proceedings or in a lifelong learning programme, to the from this Directive and the Regulation and to ensure possible further steps in complianc Directive.

2. In cases when a teacher of a subject requires that students, or participants in rigorosu or in a lifelong learning programme, prepare as part of the instruction of the subject a requiring personal data processing, the teacher must introduce the student, or the parti rigorosum proceedings or in a lifelong learning programme, to the duties arising from th the Regulation and ensure possible further steps in compliance with this Directive.

3. Further details of personal data processing activities under this Article may be stipula Rector’s directive on the advice of the data protection officer.

Article 12 – Other Persons Involved in Personal Data Processing, Processors Acting in a Processing Contract

1. Where persons without direct legal relationship to the University (e.g., employees of jo of the University and other institutions, co-researchers of research projects from other co-authors of publications, etc.) are involved in the processing of personal data for wh University acts as the controller or the processor, it is necessary to introduce such pe duties arising from this Directive and the Regulation and the persons must agree to comp Directive for example through a contract between the University and the cooperating inst other appropriate binding form.

2. The University will make a contract to provide the services of a personal data processor persons who will fulfil the role of processor providing sufficient guarantees to impleme technical and organisational directives in such a manner that processing will meet the r of legal regulations applicable to personal data processing and ensure the security and personal data as well as the rights and freedoms of data subjects.

3. It is the duty of the employee who negotiates or possibly enters into a contract on beha the University, to verify the reliability of the personal data processor and compliance requirements for legal personal data processing on the part of the potential processor. the manner of verification and its results is created and inserted in the file of the re case together with the documents used as the basis for verification; the record is also file of the relevant personal data processing. The employee under the first sentence als provide a notification of the details of the personal data processor using the procedure 20.

4. Previous written consent of the University to processors acting in a chain when the proc processing services via third parties may be granted only where it is necessary to fulfi the University.

5. Where personal data processing is to be carried out by the University in the role of pro personal data processing may involve a partial processor (processors acting in a chain) that the personal data controller agreed to it in the personal data processing contract written authorisation. The authorisation may be granted either for a person of specific general where the partial processor is selected by the University within the scope of th in such case the controller is entitled to object to the partial processor selected. If data controller objects to the partial processor, it is not possible to involve such par in the personal data processing. If the verification carried out in accordance with para reveals that the guarantees in case of a specifically authorised partial processor are n the personal data controller is notified of the fact. Such partial processor may be invo data processing only if the personal data controller requests it despite the objections the University. All communication, the documents used as the basis for verification, and of verification are inserted in the file of the relevant business case and the file of t personal data processing.

6. Where personal data processing is to be carried out by the University in the role of par within the framework of processors acting in a chain, i.e., as a processor processing pe for another processor, before entering into the contract the person negotiating the cont of the University requests the documents proving that the processor was granted authoris personal data controller to involve a partial processor in personal data processing; the mean either a specific authorisation to involve the University as partial processor, or authorisation to involve a partial processor and a confirmation that the personal data c raised no objections to the University as partial processor. The documents and related c are inserted in the file kept for the relevant case and in the file of the relevant pers processing.

7. A personal data processing contract made between the University and a processor, or poss University and the controller or partial processor, must have the parameters in accordan 28 of the Regulation.
Part Three – Data Protection Officer

Article 13 – Status of the Data Protection Officer

1. The data protection officer (also “the officer”) is directly subordinate to the Rector.

2. The officer is involved in all processes and matters related to protection and processin data at the University.

3. The officer is supported by the University in maintaining his professional knowledge and access to personal data, processing operations, and to all resources needed for the perf in Article 15.

4. The University does not give any specific instructions to the officer concerning the ful duties. However, the Rector may assign to the officer additional tasks and duties. Such though may not result in a conflict of interest with the execution of his office of data officer.

5. The officer is under the duty of confidentiality in relation to the performance of his t of confidentiality continues also after termination of employment.

6. The information on the officer including the contact details is provided at the publicly section of the University website.

Article 14 – Appointment of the Data Protection Officer

The officer is appointed by the Rector based on his professional qualities, in particular and practical experience in the field of personal data protection and the ability to fulfi listed in Article 15. The Rector may remove the officer from his office.
Article 15 – Tasks of the Data Protection Officer

1. The officer performs in particular the following tasks:

a. provides information and advice to employees and students of the University who carry processing of personal data concerning their duties under this Directive, the Regulati generally binding legal regulations applicable to personal data protection;

b. monitors compliance with this Directive, the Regulation, other generally binding legal applicable to personal data protection, and with the policies of the University in the personal data protection including increasing the awareness and professional training involved in processing operations;

c. supervises the implementation of personal data protection and processing;

d. provides expert assistance in terms of assessment of the impact on personal data prote monitors its implementation under Article 35 of the Regulation;

e. after prior consultation with the persons listed in Articles 7 and 8 notifies the case data breach to the supervisory authority under Article 33 of the Regulation and commun of personal data breach to the data subject under Article 34 of the Regulation;

f. cooperates and communicates with the supervisory authority;

g. acts as the contact point for the supervisory authority in matters concerning personal including prior consultation under Article 36 of the Regulation;

h. accepts from the employees of the University submissions to initiate a new personal da to change the existing one and takes views on such submissions;

i. communicates with the data subjects who may contact him in all matters related to the their personal data and exercising of their rights under this Directive and the Regula

j. issues guidance documents on methodology concerning personal data processing at the Un are to be followed by persons involved in personal data processing at the University;

k. carries out other tasks arising for his position from the Regulation, the Act, or othe binding legal regulations, or arising from this Directive and other internal regulatio University and Rector’s directives.

2. The officer supervises the operation of the register of personal data processing of the stated in Article 19.

3. When performing his tasks, the officer bears in mind the risk related to processing acti the same time takes into account the nature, scope, context, and purposes of the process

Article 16 – The Powers of the Data Protection Officer at the University

1. If the officer finds out that there is a danger of breach of the rules for the protectio data arising from the Regulation, the Act, or this Directive, or if a breach occurs, the a duty to inform the managers thereof under Article 9 and recommend in writing the remov defective or risky condition. Under Article 9, a manager has a duty to discuss the condi officer within a reasonable time, and if he agrees with the findings of the officer, he from further defective or risky conduct. The manager also has the duty, under Article 9, directives to ensure that the situation does not occur again.

2. If a manager, under Article 9, does not agree with the recommendation of the officer, he this in writing to the officer and states the reasons why he believes that no breach of in the first sentence of paragraph 1 occurred or that there is no danger that such breac such case the officer communicates this fact to persons competent in the relevant subjec in Articles 7 and 8 and refers to them the entire file of documents.

3. The officer has a duty to suggest that general or specific directives in the field of pe protection be adopted to persons stated in Articles 7 and 8 whenever:

a. based on his findings under paragraph 1, he concludes that there is a danger of breach breach occurred;

b. it is appropriate further to the general application practice in the field of personal protection.

4. The provisions of paragraphs 1 and 4 are not to the prejudice of the officer’s duty to n prior consultation with the persons listed in Articles 7 and 8, cases of personal data b supervisory authority and to communicate them to the data subject under Article 15 (1) (

Part Four – Data Subject

Article 17 – Data Subject

A data subject is a natural person whose personal data are processed. During personal data activities at the University the data of the following data subjects are processed:

a. employee of the University (or a person in an employment relationship with the Universit
b. job applicant;
c. applicant for admission to study;
d. student of the University;
e. former student of the University (including graduates);
f. a participant in a lifelong learning programme;
g. a student of another higher education institution or a student on a short-term study sta University;
h. a business partner (supplier, purchaser, customer);
i. a participant in research;
j. external collaborator (e.g., supervisor, co-researcher, co-author of a publication);
k. a visitor or participant in an event organised by the University;
l. a participant in administrative or judicial proceedings with the University;
m. another person.
*=========================================================================================
* Article 18 – Information Provided to Data Subject
*=========================================================================================
1. The University in the role of controller provides information to a data subject pursuant of the Regulation in a concise, transparent, intelligible, and easily accessible form, u plain language.
2. Where personal data are collected from the data subject, the controller provides, at the personal data are obtained, the data subject with all the following information:
a. contact details of the University;
b. contact details of the data protection officer;
c. the purposes of the processing for which the personal data are intended as well as the the processing;
d. where the processing is based on Article 4 (1) (f), the legitimate interests pursued b or by a third party;
e. the recipients or categories of recipients of the personal data, if any;
f. where applicable, the fact that the University intends to transfer personal data to a (i.e., to a country that is not a member of the European Union) or international organ reference to the appropriate safeguards and the means by which to obtain a copy of the have been made available.
3. In addition to the information referred to in paragraph 2, the University provides the d further information stated in Article 13 (2) of the Regulation necessary to ensure fair processing.
4. Where personal data have not been obtained from the data subject, the controller provide subject with the following information:
a. contact details of the University;
b. contact details of the data protection officer;
c. the purposes of the processing for which the personal data are intended as well as the the processing;
d. the categories of personal data concerned;
e. the recipients or categories of recipients of the personal data, if any;
f. where applicable, the fact that the University intends to transfer personal data to a (i.e., to a country that is not a member of the European Union) or international organ reference to the appropriate safeguards and the means by which to obtain a copy of the have been made available.
5. In addition to the information referred to in paragraph 4, the University provides the d further information stated in Article 14 (2) of the Regulation necessary to ensure fair processing.
6. The University in the role of controller makes all communications pursuant to Articles 1 of the Regulation.
7. Information under this article is provided in electronic form on the website of the Univ the information systems of the University, or in other appropriate provable form.
*=========================================================================================
* Article 19 – Rights of Data Subject
*=========================================================================================
1. The rights of the data subject form an integral part of the personal data protection at processing.
2. Above all, the data subject has a right:
a. to access to personal data pursuant to Article 15 of the Regulation;
b. to be informed of the personal data processing;
c. to rectification pursuant to Articles 16 and 19 of the Regulation;
d. to erasure pursuant to Articles 17 and 19 of the Regulation;
e. to restriction of processing pursuant to Articles 18 and 19 of the Regulation;
f. to data portability pursuant to Article 20 of the Regulation;
g. to object pursuant to Article 21 of the Regulation;
h. automated individual decision-making governed by Article 22 of the Regulation.
3. Data subjects may contact the data protection officer in all matters related to the proc personal data and exercise of their rights under this Directive and the Regulation.
4. All communications to the data subjects including information on their rights and notifi case of the exercise of rights of the data subject are provided in a concise, transparen and easily accessible form, using clear and plain language, where among other things the recipient of information is taken into account. To ensure the intelligibility of the inf provided, multi-layered information is used where appropriate.
5. A record is created of compliance with the information duty, exercise of rights of data handling of exercise of rights of data subjects including refusal of a request by a data The record includes the documents used as a basis by the responsible person including th through which the data subject exercised the right. Unless explicitly stated otherwise, inserted in the file of the relevant personal data processing and archived for a period limitation periods and lapse periods of civil and public delicts that may be committed i personal data processing.
6. Where the data subject exercises his rights, in order to protect the rights and legally interests it is necessary to verify in an appropriate form the identity of the data subj requests access and the data subject has a duty to provide sufficient proof of identity.
considered sufficient proof of identity when the application is sent by email with an el signature, via data box or by means of a postal service operator where the document is s authenticity of the signature of the acting person is officially verified and the applic the identification details in the scope required by section 14 (2) of Act No. 106/1999 S free access to information.
7. The data protection officer provides to the data subject upon his request under Articles Regulation information on adopted directives without undue delay and in any case no late one month of receiving the application. This time limit may be extended by two more mont due to the complexity and number of applications. The officer informs the data subject o extension including the reasons for the delay within one month of receiving the applicat subject submits the application in electronic form, then the information is provided in if possible, unless the data subject requests that the information be provided in anothe
*=========================================================================================
* Part Five – Register of Personal Data Processing Activities
*=========================================================================================
*=========================================================================================
* Article 20 – Registration and Recording of Personal Data Processing Activities
*=========================================================================================
1. An electronic register of personal data processing activities at the University (“the re created to provide an overview of personal data processing at the University. The Inform Institute of the University (“the institute”) is authorised to operate the register. The institute is responsible for the operation of the register.
2. Faculties and other units of the University processing or intending to process personal this Directive or wanting to change the current mode of personal data processing must no protection officer of this fact via the email address gdpr@cuni.cz.
3. The notification pursuant to paragraph 2 must contain a complete characteristic of the r data processing in the following scope:
a. name of the agenda, or processing activity;
b. description of the processing activity;
c. types of data subjects pursuant to Article 17 whose data are processed by the activity
d. list of personal data or groups of the data that are processed by the activity;
e. types of documents that are processed by the activity;
f. information on the transfer of personal data outside the University;
g. location of the processed personal data and identification of the information system o if used in the processing activity;
h. information on when and how the personal data are or will be removed from the agenda;
i. the roles involved in the processing activity;
j. managers accountable for the processing activity pursuant to Article 9;
k. the legal basis and purpose of the processing activity;
l. information on processors, if they are involved in the agenda, including the scope of available to them and the processing they carry out;
m. general description of the technical and organisational security directives to secure data that are appropriate to the risks to the rights and freedoms of data subjects pur 32 (1) of the Regulation.
4. The person submitting notification is entitled to commence new or change the existing pe data processing only after receiving the consent issued by the data protection officer b notification pursuant to paragraph 3 and the subsequent assessment of the personal data activity and its protection. In case the data protection officer fails to give consent, are consulted with persons listed in Articles 7 and 8.
5. The data protection officer or a person designated by him enters the information on the data processing activity or on changes to existing personal data processing activity in based on the details pursuant to paragraph 3 above after the data protection officer exp consent to the processing or change of personal data processing pursuant to paragraph 4.
*=========================================================================================
* Part Six – Making Personal Data Public and Disclosing them to Third Parties
*=========================================================================================
*=========================================================================================
* Article 21 – Making Personal Data Public
*=========================================================================================
1. Making personal data public means giving access to the data to persons or groups of pers specifically identified, in particular by means of mass media, other public communicatio a public list (e.g., in the publicly accessible section of the University website).
2. A student may, after logging into the information system of the University (“the system” setting so that an anonymous user may retrieve his personal data.
3. If retrieving a student’s personal data is enabled, the following data of the student wi
a. surname and name (or surname and names);
b. degrees;
c. faculty;
d. programme of study, field of study, specialisation, if any;
e. year of study; and
f. in case of completed study the academic year of completion.
4. A student may, after logging into the system, set up which other data about him should b
5. An anonymous user of the system or a logged-in user other than a University employee or anonymous user”) cannot retrieve the student’s data based on entered criteria unless the whose data the anonymous user intends to retrieve enabled such search using the procedur paragraph 2.
6. A person who studied at the University and has completed his studies may enable the retr data using one of the following ways:
a. if he knows his log-in data for the system he may log into the system and enable the r data directly in the settings of the system;
b. he may request a change in the settings via email to the address helpdesk@is.cuni.cz o protection officer.
7. The data of persons who studied at the University and have completed their studies are n for an anonymous user unless such persons enabled the retrieval using the procedure desc paragraph 6; this provision is without prejudice to the provision of paragraph 8.
8. With regard to the publishing of final theses under section 47b of the Higher Education of persons who defended a final thesis after 1 January 2006, the following data are made
a. surname and name (or surname and names);
b. degrees;
c. date of birth;
d. faculty;
e. programme of study, field of study, specialisation, if any;
f. the name of the department which published the topic of the thesis;
g. type of thesis (bachelor’s, diploma, rigorosum, dissertation);
h. title of the thesis;
i. full text of the thesis including appendices;
j. language of the thesis;
k. key words of the thesis;
l. abstract;
m. thesis advisor;
n. consultant;
o. reviewers of the thesis;
p. report of the thesis advisor;
q. report of the reviewer or reviewers;
r. date of defence;
s. record of the course of defence;
t. result of defence (grade).
9. If a student is currently a member of self-governing academic bodies or advisory bodies University, the data pursuant to paragraph 11 a), b), c), h), i), and j) are made public such student and he may enable the publishing of other data under paragraph 13. If a stu in teaching, the data pursuant to paragraph 11 a), b), c), f), i), j), k), l), m), n), a public concerning such student.
If a student is involved in creative activities of the U data pursuant to paragraph 11 a), b), c), f), m), and n) are made public concerning such
10. The data of applicants for admission to study are not made public, an anonymous user is retrieve data of the applicants for admission to study.
11. The University publishes by means of its website the outputs from the system containing data of employees and basic data of their employment:
a. name;
b. surname;
c. degrees;
d. type of employment (employment contract, agreement to perform work, agreement to compl
e. faculty or other unit of the University where the person is employed;
f. the workplace, i.e., an organisational unit or units of faculty or of another unit of where the work is performed;
g. position (full professor, associate professor, assistant professor, assistant, lecture
h. offices at the workplace and in the bodies of the University, faculties, and other uni
i. contact details in relation to the University (addresses of workplaces, location of of and fax numbers, email addresses);
j. the subject area or other specialisation of the employee;
k. office hours;
l. the course of academic qualifications;
m. the share of individual types of creative activities of the University;
n. information on publications;
o. instruction implemented at the University.
12. The data pursuant to paragraph 11 are made public on a mandatory basis for employees wit employment contract. The same data are made public on a mandatory basis for employees wo basis of an agreement to perform work, unless the superior of such employee decides othe on an employee and his employment relationship are not made public for employees working agreement to complete a job, unless the employee’s superior decides otherwise.
13. Additionally, the employee has the right to enable publishing and to choose its specific following data:
a. photograph;
b. curriculum vitae;
c. personal website related to the employee’s activities at the University;
d. other data published by the employee himself, if any.
14. In the case of joint workplaces of the University and other institutions (primarily the hospitals and institutes of the Czech Academy of Sciences), the University also publishe the employees of such other institutions if they are involved in the activities of the U scope under paragraph 11 a), b), c), and f) to o).
15. A participant in lifelong learning may, after logging into the system, enable the retrie by an anonymous user.
16. If retrieval of data of a participant in lifelong learning is enabled, the following dat
a. surname and name (or surname and names);
b. degrees;
c. faculty or other unit of the University;
d. lifelong learning programme;
e. year of study;
f. in case of completed study in lifelong learning programmes, the academic year of compl
17. A participant in a lifelong learning programme may, after logging into the system, set u data should be displayed.
18. An anonymous user of the information system cannot retrieve the data on a participant in learning programme based on entered criteria unless the participant whose data the anony intends to retrieve enabled such search using the procedure pursuant to paragraph 15.
19. A participant in a lifelong learning programme who studied at the University and has com studies in the lifelong learning programme may enable the retrieval of his data using on following ways:
a. if he knows his log-in data for the system he may log into the system and enable retri directly in the settings of the system;
b. he may request a change in the settings via email address helpdesk@is.cuni.cz or via t protection officer.
20. In case of academic officials and persons who are currently members of self-governing ac advisory bodies of the University who are not in an employment relationship to the Unive pursuant to paragraph 11 a), b), c), h), and i) are made public.
*=========================================================================================
* Article 22 – Disclosing Personal Data to Third Parties
*=========================================================================================
1. The disclosure of personal data to third parties other than the University is governed b Directive, the Regulation, and the generally binding legal regulations in force.
2. Every disclosure of personal data to a third party other than the University must be rec register, including the scope of provided data, purpose of disclosure, and identificatio party.
3. The managers for the given activities or fields of processing pursuant to Article 9 are for compliance with the correct procedure for disclosure of personal data to third parti the University in accordance with this Directive, the Regulation, and the generally bind regulations in force.
*=========================================================================================
* Article 23 – Personal Data Security
*=========================================================================================
1. Documents and mobile/external/portable technical data carriers that are at the disposal University and that contain personal data protected under this Directive must be kept on cabinets or in rooms designed for this purpose in the workplaces of the University, or w in other secure places depending on the characteristics of the relevant data processing, secured by encryption. Only copies of these documents or carriers may be taken out of a University under conditions stipulated in paragraph 3.
In the case of online transfer of the University, the personal data transferred must be encrypted and must be protected in way pursuant to the Regulation and ensured by a contract with the recipient or the proce transferred data. The essential elements of the contract with the processor are stated i to this Directive.
2. Computers and other technical means on which data are stored containing personal data pr this Directive must be secured against free access by unauthorised persons, usually by p encryption, or locking. Data stored on such technical means that are not related to the the University (e.g., personal files of Employees and students of the University) are no this directive.
3. Copies of personal data protected pursuant to this Directive must be made on technical d in compliance with the operating rules stipulated for individual data processing activit in lockable cabinets at the workplaces of the University or where applicable, at other s depending on the characteristics of the relevant data processing or they must be secured If these copies are carried away from the premises of the University, additional safety be taken (locking, encryption, etc.) to prevent both accidental access to the data by an person and intentional unauthorised attempt to access the data.
4. If an employee or a student of the University finds out or suspects that a personal data occur or has occurred he has a duty to immediately notify the data protection officer an stated in Articles 7 and 8.
5. Notification of cases of personal data breach to the supervisory authority under Article regulation and communication of the personal data breach to the data subject under Artic Regulation is carried out by the data protection officer after prior consultation with t listed in Articles 7 and 8.
*=========================================================================================
* Part Seven – Transitional and Final Provisions
*=========================================================================================
*=========================================================================================
* Article 24 – Transitional and Final Provisions
*=========================================================================================
1. Rector’s Directive No. 28/2015 regulating processing of personal data of students, appli admission to study, employees and other persons at Charles University is hereby repealed
2. In cases of existing personal data processing activities the powers of the managers unde be determined no later than within ten days of the date of effect of this Directive.
3. The data protection officer under Article 15 (1) is authorised to interpret individual p this directive.
4. An audit of compliance with this Directive is performed by the data protection officer u (1).
5. This directive becomes effective on 25 May 2018.
Appendices:
Appendix No. 1 – Essential elements of the contract on personal data processing
Appendix No. 2 – Confidentiality obligation of employees
In Prague on 27 April 2018
Prof. MUDr. Tomáš Zima, DrSc., MBA
Rector
*=========================================================================================
* Appendix No. 1 to Rector’s Directive No.
16/2018 – Principles and Rules of Personal Da
*=========================================================================================
------------------------------------------------------------------------------------------
Essential elements of personal data processing contract
------------------------------------------------------------------------------------------
A full list of essential elements of every contract between a controller and a processor i Article 28, in particular in paragraphs 2 and 3, of the General Data Protection Regulation 32 of the new act on the protection of personal data that is in preparation.
The contract with the processor must always clearly set out the subject matter and duratio processing, the nature and purpose of the processing, the type of personal data and catego subjects, and all the obligations and rights of the controller and the processor.
The subject matter of the processing may be identical with the subject matter of the contr “The subject matter of the contract consists in processing of the below stated personal da
The duration of the processing should always be identical to the duration of the contract termination of the contract the processor returns the data to the controller or is obliged data.
The nature of personal data processing means how the data are processed, whether in writin electronically. This applies not only to the processing itself but also to obtaining the d subjects.
The purpose of the processing means a specific description of our need, that is for exampl employment relations, maintain the register of students, produce and hand over the student identity cards, or to process a medical report of a patient.
The type of personal data means the specific identification of the data, such as the name, date of birth, birth certificate number, identity card/passport number, residence, contact diseases, etc.
The category of data subject means whether the person is an adult or a child, employee, or patient, or a third party, a contractor, etc.
The rights and obligations of the controller and the processor may be broadly defined, but contract should contain at least clauses similar to those listed below:
• “The processor is not allowed to transfer without the previous written consent of the co part of his obligations arising from this contract to a third party (another processor). the obligations or a part of the obligations of the processor are transferred with previ consent of the controller to a third party, the processor shall be liable for any damage third party to the extent of his own liability, as if the damage was caused by himself, limitation.”
• If the prior consent of the data subject is required for the processing of personal data must be stated in the contract: “The controller/processor agrees to obtain prior written processing of personal data under this contract from individual data subjects whose pers be processed under this contract.”
• “The processor agrees to take all security, technical, and organisational directives to personal data and other directives required in Article 32 of the Regulation; in particul agrees to take all directives to prevent unauthorised or accidental access to personal d destruction or loss of the data as well as abuse of the data including directives relate operation of information systems in which the personal data are processed.”
• The processor further agrees:
a. not to use personal data for a purpose other than that stated in this contract and to personal data only on documented instructions from the controller with the exception o this duty is imposed on the processor directly by a legal regulation;
b. to take with due professional care all control and protective directive to protect the and to enable controls, audits, or inspections carried out by the controller or by ano body under legal regulations;
c. to comply with all
control and protective directives to protect the personal data with professional care;
d. to provide to the controller without undue delay or within a time limit set by the con cooperation required for the discharge of the legal duties of controller related to pe protection, the processing thereof, and the discharge of the personal data processing
e. to inform the controller of all facts having an impact on personal data processing;
f. to notify the controller of any doubts concerning compliance with the law or a persona
g. if required, to provide to the controller all support and assistance in contact and ne the Office for Personal Data Protection and with data subjects;
h. to react without undue delay to the requests of data subjects, to inform them of all t to provide access to processing information upon request;
i. after the termination of the provision of services related to processing, to duly hand personal data in accordance with the needs of the controller, i.e., either erase all p return them to the controller based on the controller’s instructions;
j. to comply with all other duties imposed by legal regulations even if they are not expl the contract;
k. to make all possible efforts to eliminate any unlawful state in relation to transferre under this contract that would result in a breach of duties by acts of the relevant co immediately after such state has occurred.
• Any information containing personal data exchanged by the contracting parties during imp this contract is confidential. The processor agrees not to disclose the information to a and not to use the information contrary to the purpose for which it was provided (i.e., of discharge of this contract), unless explicitly stipulated otherwise in this contract.
agrees not to disclose information related to this contract to any other person and not information for any purpose other than that stipulated in this contract over the term of as well as after its termination (except for cases when he has a duty to do so under a l or when both contracting parties agree thereon in writing). The processor must make sure persons authorised to process personal data commit themselves to confidentiality or that to the legal duty of confidentiality.”
It is recommended that contractual penalty for breach of the above duties and obligations be stipulated and in the case of a repeated breach on the part of the processor the contra stipulate the right to immediately withdraw unilaterally from the contract.
The contract should also state that all documents related to personal data processing incl provided by the controller to the processor and those created by the processor, must be st at a secure location at the following address ….. (fill in an address that is as close to possible, however it must be in the Czech Republic).
If the processor is a foreign person, it is recommended that the contract contain the foll “All documents and communication related to personal data processing and to ensuring the a under the contract shall be in Czech language and any disputes shall be resolved in accord law before a court having territorial and subject-matter jurisdiction over the controller controller’s registered office. Arbitration is excluded.”
Even if the contract is made for a fixed term it is advisable to include the possibility t the contract before the term expires for the case when the processor makes mistakes which the controller to withdraw from the contract, however it is prudent to terminate the contr applicable it may be economically advantageous for Charles University because other better be available.
As the period of notice of termination of the contract should be reciprocal, notice should be stipulated so that it does not endanger Charles University in case of ter contract by the processor.
------------------------------------------------------------------------------------------
Appendix No. 2 to Rector’s Directive No. 16/2018 - Principles and Rules of Personal Data P
------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------
Recommended wording of the duty of confidentiality to be included in employment contracts
------------------------------------------------------------------------------------------
“The employee agrees not to disclose information and facts obtained during employment that by the employer as confidential under section 276 (3) of Act No. 262/2006 Sb., the Labour (“the Labour Code”), or subject to trade secret under section 504 of Act No. 89/2012 Sb., as amended, or that are not made public or intended for publication by the employer.
The employee further agrees not to disclose personal data obtained during employment the d which would jeopardise the security of such personal data in accordance with section 47 of Coll. on personal data processing, as amended. The employee notes that this duty of confid extinguished by the termination of employment.
The employee further notes that breach of these obligations may be deemed a breach of the obligations under section 301 (d) of the Labour Code. In case of damage arising in relatio of the duty of confidentiality the employee is liable for the damage to the employer in ac section 250 (1) of the Labour Code.”