******************************************************************************************
* Personal Data Protection (GDPR)
******************************************************************************************
******************************************************************************************
* Information on the Processing and Protection of Personal Data at Charles University
******************************************************************************************

*=========================================================================================
* 1. Preamble
*=========================================================================================
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council
2016 on the protection of natural persons with regard to the processing of personal data a
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulatio
Charles University informs data subjects about the conditions under which personal data ar

*=========================================================================================
* 2. Personal Data Controller
*=========================================================================================
The personal data controller is Charles University, Ovocný trh 560/5, 116 36 Prague 1, ID
ID no. CZ00216208, Databox ID: piyj9b4 (“Charles University”).

Charles University is a public institution of higher education, in accordance with Act no.
on institutions of higher education, as amended. As a part of its mission, Charles Univers
and independently carries out educational activities, and in relation thereto, research, d
innovative, artistic, or other creative activities, and activities associated therewith.

*=========================================================================================
* 3. Data Protection Officer
*=========================================================================================
The data protection officer at Charles University is Mgr. Petra Kubáčová, gdpr(zavinac)cuni.cz, phone: +420 771 232 578.

Should you have any questions or requests concerning the processing and protection of your
you may contact the data protection officer.

*=========================================================================================
* 4. The principles for processing personal data at Charles University
*=========================================================================================
Charles University considers the protection of personal data to be important and pays care
it. We process your personal data only in the scope necessary for executing the university
in relation to the services you use at Charles University. We protect personal data to the
possible and in accordance with law. The principles and rules for processing personal data
University are governed by Rector's Directive No. 16/2018 - Charles University (cuni.cz) [
cuni.cz/UKEN-804.html"]. The regulation applies the principles and rules arising from the

a. The principle of lawfulness, which requires that we always process your personal data in
   law and based on at least one legal title.
b. The principle of fairness and transparency, which requires that we process your personal
   and in a transparent manner and that we provide you information about the manner of thei
   together with information about who has access to your data. This includes our obligatio
   of any case of a serious breach of security or compromise relating to your personal data
c. The principle of purpose limitation, which allows us to collect your personal data only
   defined purpose.
d. The principle of data minimisation, which requires that we process personal data that is
   relevant, and adequate in relation to the purpose of the processing.
e. The principle of accuracy, which requires that we take all reasonable measures allowing
   your personal data is regularly updated or corrected.
f. The principle of storage limitation, which requires that we store your personal data onl
   necessary for the specific purpose in relation to processing. As soon as the period or p
   processing expires, we will delete your personal data or anonymize the data (altering t
   they are no longer personally connected to you).
g. The principle of integrity and confidentiality, non-repudiation, and availability, which
   that we secure and protect your personal data against unauthorized or unlawful processin
   destruction. For these reasons, we take technical and organizational measures for protec
   personal data. In addition, we ensure that only authorized staff has access to your pers
h. The principle of accountability, which requires that we are able to demonstrate complian
   the conditions stipulated above.

*=========================================================================================
* 5. For what purposes do we process personal data?
*=========================================================================================
For fulfilling its mission, Charles University processes personal data for the following p

a. Educational activities
   i. Studies
   ii. Instruction
   iii. Entrance proceedings and exams
   iv. Exchange visits
   v. Lifelong learning
   vi. Library services
b. Research, development, and creative activities
   i. Research projects
   ii. Organizing academic conferences
   iii. Publication and editorial activities
   iv. Procedures for attaining associate professorships and professorships
c. Administrative and operational organization
   i. Human resources and wages
   ii. Finance and accounting
   iii. Property management
   iv. Operating agendas
   v. E-infrastructure (computing and storage systems, computer networks, electronic mail, voi
   vi. Providing information pursuant to Act no. 106/1999 Sb., on free access to information
   vii. Health and safety at the workplace, fire protection, crisis management, and the protecti
   viii. Public procurement
d. Protection of property and security
   i. Camera systems
   ii. Access to secure areas
   iii. Security monitoring for operation of the computer network
   iv. Handling security incidents
   v. Building security
e. Commercial activities
   i. Karolinum bookshop and UK Point
   ii. Charles University e-shop
   iii. Food and accommodation services
   iv. Commercial contracts
f. Information and promotional activities
   i. Websites
   ii. Marketing and advertising
   iii. Alumni
   iv. Junior university
   v. Healthcare activities
   vi. Operation of healthcare facilities
   vii. Operation of joint workplaces with university hospitals

*=========================================================================================
* 6. Category of persons for which we process personal data
*=========================================================================================
Charles University processes personal data for the following categories (data subjects):

a. University staff (or a person in a legal relationship with the university),
b. Job applicants,
c. University applicants,
d. University students,
e. Former university students (including alumni),
f. Participants in the lifelong learning programme,
g. Students of other universities or students on short-term study visits at the university,
h. Business partners (suppliers, customers),
i. Researchers and contributors,
j. External co-workers (e.g. supervisors, co-researchers, co-authors),
k. Visitors or participants in events organized by the university,
l. Parties to administrative or court proceedings with the university,
m. A person requesting information, pursuant to Act no. 106/1999 Sb., on free access to inf
n. Other persons.

*=========================================================================================
* 7. Categories of processed personal data
*=========================================================================================
Charles University processes personal data provided directly by private individuals (wheth
consent or other legal grounds) and other personal data created as a part of the activity
data and essential for securing the data. This could include the following categories of p

a. Address and identification data (first name, surname, date and place of birth, marital s
   citizenship, address (including electronic addresses), telephone numbers, personal ID nu
   identifiers, signatures, etc.)
b. Descriptive data (education, foreign language knowledge, professional qualifications, kn
   skills, number of children, portrait photos, video/audio recordings of persons, military
   employment, health insurance company, membership in interest groups, criminal record, et
c. Study data (records of studies and study activities, study results, awards)
d. Financial data (bank account number, wages, remuneration, fees, obligations and debts, o
   purchases, taxes, etc.)
e. Work-related data (records of work and work-related activities, employers, workplaces, a
   positions, work assessments, awards, etc.)
f. Operational and location data (typically data from electronic systems relating to a spec
   subject – e.g. data on the use of information systems, data operation and electronic com
   of telephones, access to various areas, records from camera systems, etc.)
g. Data about the activities of a data subject (publication activity, professional activity
   in conferences and projects, business travel or study visits, etc.)
h. Data about other persons (address and identification data for a family member, spouse, c
   etc.)
i. Special categories of personal data (sensitive personal data indicating one’s health sta
   in trade unions, etc.)

*=========================================================================================
* 8. Legal basis for processing personal data
*=========================================================================================
Personal data as a part of the above activities are processed based on adequate legal grou

a. Fulfilling legal obligations relating to the controller:
   We require your personal data in this case for the purpose of processing in order to ful
   legislative obligation as the controller. It relates in particular to Act no. 111/1998 S
   institutions of higher education; Act no. 130/2002 Sb., on the support of research and d
   public-sector funds; Act no. 262/2006 Sb., the Labour Code; Act no. 563/1991 Sb., on acc
   127/2005 Sb., on electronic communication; Act no. 480/2004 Sb. on certain information-s
   Act no. 181/2014, on cybersecurity; and others.
b. Executing agreements:
   We require your personal data to enter into contractual relations and for executing the
   also prior to entering into agreements.
c. Consent of the data subject:
   Consent that you have provided to process your personal data for one or more specific pu
d. The following authorized interest of the controller in particular:
   • The protection of property and preventing fraud,
   • The transfer of personal data within a segment of the university for internal administ
     operational purposes,
   • Providing security for the computer network and information.

*=========================================================================================
* 9. Transferring personal data
*=========================================================================================
For the purpose of fulfilling legal obligations, Charles University may transfer select da
data subjects (e.g. to public authorities). This applies similarly to cases where authoriz
transferring personal data inside Charles University has been provided by the individual c
subjects.

*=========================================================================================
* 10. Period for storing personal data
*=========================================================================================
Data are stored only for the period necessary in relation to the specific activity of proc
data, and in accordance with the valid Archiving Procedures, the data are then destroyed o
store the personal data that we process with your consent only for the duration of the pur
the consent was provided.

*=========================================================================================
* 11. Rights of data subjects
*=========================================================================================
The right of data subjects to information on processing
Data subjects are entitled to information on whether or not the controller processes their
and in what manner this processing is carried out.

The right to access personal data
If a controller processes the personal data of data subjects, the data subjects are entitl
copy of the data upon providing sufficient proof of their identity.

The right to corrections and supplementation
If the controller processes erroneous or outdated personal data, the controller is obliged
data upon request of the data subjects.

The right to deletion (the right to “be forgotten”)
If consent was given to process data and there does not exist other legal grounds, or if t
believes that the controller no longer needs the personal data (because the purpose of the
has expired), the data subject is entitled to request the termination of processing and de
personal data.

The right to restricted processing
This involves restricting processing to just storing the data if the data subject contests
the personal data and the controller needs an additional period for verifying the data or
has objected to the processing based on the legitimate interest of the controller.

The right to data portability
The controller provides personal data in a structured, commonly used electronic format dir
subject.
The controller may provide the personal data of a data subject to another control
involves automated processing that is based on consent or an agreement, and if it is techn

The right to object
Data subjects may object to the processing of personal data that pertains to them only in
of processing that is carried out in the public interest or based on the legitimate intere
controller.

The right to review automated decisions
If data subjects are subject to decisions established solely on automated processing, they
review these decisions and any human intervention on the part of the controller.

The right to lodge complaints or to protection
Data subjects are entitled to lodge complaints against the processing of personal data wit
authority (in the Czech Republic, this is the Office for Personal Data Protection) or to r
protection in relation to the supervisory authority, the controller, or the processor.

*=========================================================================================
* 12. Exercising the rights of data subjects
*=========================================================================================
Data subjects are entitled to exercise their rights arising from the GDPR, commencing on 2
The data subjects must exercise their rights against the controller of personal data by se
to Charles University’s databox piyj9b4, by sending an e-mail to the officer gdpr(zavinac)cuni.cz, or by personal or electronic submission to the officer via the R
Office of Charles University. For more information on the manner of submission, visit the
https://www.cuni.cz/UKEN-605.html.

Prior to processing the request, Charles University is entitled and obliged to verify the
requesting party.

*=========================================================================================
* 13. The right to lodge a complaint with the supervisory authority
*=========================================================================================
Data subjects are entitled to lodge a complaint against the processing of personal data wi
supervisory authority, which is the Office for Personal Data Protection.

Contact:
The Office for Personal Data Protection
address: Pplk. Sochora 27, 170 00 Prague 7
phone: +420 234 665 111
web: www.uoou.cz (https://www.uoou.cz/en/)