In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – the GDPR – Charles University informs data subjects about the conditions under which personal data are processed.
The personal data controller is Charles University, Ovocný trh 560/5, 116 36 Prague 1, ID no. 00216208, Tax ID no. CZ00216208, Databox ID: piyj9b4 (“Charles University”).
Charles University is a public institution of higher education, in accordance with Act no. 111/1998 Sb., on institutions of higher education, as amended. As a part of its mission, Charles University freely and independently carries out educational activities, and in relation thereto, research, development, innovative, artistic, or other creative activities, and activities associated therewith.
The data protection officer at Charles University is Mgr. Jan Jindra, phone: +420 224 491 740.
Should you have any questions or requests concerning the processing and protection of your personal data, you may contact the data protection officer.
Charles University considers the protection of personal data to be important and pays careful attention to it. We process your personal data only in the scope necessary for executing the university’s activities or in relation to the services you use at Charles University. We protect personal data to the maximum extent possible and in accordance with law. The principles and rules for processing personal data at Charles University are governed by Rector’s Measure No. 16/2018 – Principles and Rules of Personal Data Protection. The regulation applies the principles and rules arising from the GDPR:
The principle of lawfulness, which requires that we always process your personal data in accordance with law and based on at least one legal title.
The principle of fairness and transparency, which requires that we process your personal data fairly and in a transparent manner and that we provide you information about the manner of their processing together with information about who has access to your data. This includes our obligation to inform you of any case of a serious breach of security or compromise relating to your personal data.
The principle of purpose limitation, which allows us to collect your personal data only for a clearly defined purpose.
The principle of data minimisation, which requires that we process personal data that is necessary, relevant, and adequate in relation to the purpose of the processing.
The principle of accuracy, which requires that we take all reasonable measures allowing us to ensure your personal data is regularly updated or corrected.
The principle of storage limitation, which requires that we store your personal data only for the period necessary for the specific purpose in relation to processing. As soon as the period or purpose for processing expires, we will delete your personal data or anonymize the data (altering the data so that they are no longer personally connected to you).
The principle of integrity and confidentiality, non-repudiation, and availability, which requires that we secure and protect your personal data against unauthorized or unlawful processing, loss, or destruction. For these reasons, we take technical and organizational measures for protecting your personal data. In addition, we ensure that only authorized staff has access to your personal data.
The principle of accountability, which requires that we are able to demonstrate compliance with all of the conditions stipulated above.
For fulfilling its mission, Charles University processes personal data for the following purposes:
a. Educational activities
Entrance proceedings and exams
b. Research, development, and creative activities
Organizing academic conferences
Publication and editorial activities
Procedures for attaining associate professorships and professorships
c. Administrative and operational organization
Human resources and wages
Finance and accounting
E-infrastructure (computing and storage systems, computer networks, electronic mail, voice networks)
Providing information pursuant to Act no. 106/1999 Sb., on free access to information
Health and safety at the workplace, fire protection, crisis management, and the protection of citizens
d. Protection of property and security
Access to secure areas
Security monitoring for operation of the computer network
Handling security incidents
e. Commercial activities
Karolinum bookshop and UK Point
Charles University e-shop
Food and accommodation services
f. Information and promotional activities
Marketing and advertising
Operation of healthcare facilities
Operation of joint workplaces with university hospitals
Charles University processes personal data for the following categories (data subjects):
University staff (or a person in a legal relationship with the university),
Former university students (including alumni),
Participants in the lifelong learning programme,
Students of other universities or students on short-term study visits at the university,
Business partners (suppliers, customers),
Researchers and contributors,
External co-workers (e.g. supervisors, co-researchers, co-authors),
Visitors or participants in events organized by the university,
Parties to administrative or court proceedings with the university,
A person requesting information, pursuant to Act no. 106/1999 Sb., on free access to information,
Charles University processes personal data provided directly by private individuals (whether based on consent or other legal grounds) and other personal data created as a part of the activity of processing data and essential for securing the data. This could include the following categories of personal data:
Address and identification data (first name, surname, date and place of birth, marital status, title, citizenship, address (including electronic addresses), telephone numbers, personal ID numbers, digital identifiers, signatures, etc.)
Descriptive data (education, foreign language knowledge, professional qualifications, knowledge and skills, number of children, portrait photos, video/audio recordings of persons, military service, former employment, health insurance company, membership in interest groups, criminal record, etc.)
Study data (records of studies and study activities, study results, awards)
Financial data (bank account number, wages, remuneration, fees, obligations and debts, orders, purchases, taxes, etc.)
Work-related data (records of work and work-related activities, employers, workplaces, assignments and positions, work assessments, awards, etc.)
Operational and location data (typically data from electronic systems relating to a specific data subject – e.g. data on the use of information systems, data operation and electronic communication, use of telephones, access to various areas, records from camera systems, etc.)
Data about the activities of a data subject (publication activity, professional activity, participation in conferences and projects, business travel or study visits, etc.)
Data about other persons (address and identification data for a family member, spouse, child, partner, etc.)
Special categories of personal data (sensitive personal data indicating one’s health status, membership in trade unions, etc.)
Personal data as a part of the above activities are processed based on adequate legal grounds:
Fulfilling legal obligations relating to the controller:
We require your personal data in this case for the purpose of processing in order to fulfil our legislative obligation as the controller. It relates in particular to Act no. 111/1998 Sb., on institutions of higher education; Act no. 130/2002 Sb., on the support of research and development from public-sector funds; Act no. 262/2006 Sb., the Labour Code; Act no. 563/1991 Sb., on accounting; Act no. 127/2005 Sb., on electronic communication; Act no. 480/2004 Sb. on certain information-society services; Act no. 181/2014, on cybersecurity; and others.
We require your personal data to enter into contractual relations and for executing the agreements, or also prior to entering into agreements.
Consent of the data subject:
Consent that you have provided to process your personal data for one or more specific purposes.
The legitimate interest of the controller, in particular:
• The protection of property and preventing fraud,
• The transfer of personal data within a segment of the university for internal administrative and operational purposes,
• Providing security for the computer network and information.
For the purpose of fulfilling legal obligations, Charles University may transfer select data for specific data subjects (e.g. to public authorities). This applies similarly to cases where authorization for transferring personal data inside Charles University has been provided by the individual consent of data subjects.
Data are stored only for the period necessary in relation to the specific activity of processing personal data, and in accordance with the valid Archiving Procedures, the data are then destroyed or archived. We store the personal data that we process with your consent only for the duration of the purpose for which the consent was provided.
The right of data subjects to information on processing
Data subjects are entitled to information on whether or not the controller processes their personal data and in what manner this processing is carried out.
The right to access personal data
If a controller processes the personal data of data subjects, the data subjects are entitled to obtain a copy of the data upon providing sufficient proof of their identity.
The right to corrections and supplementation
If the controller processes erroneous or outdated personal data, the controller is obliged to correct the data upon request of the data subjects.
The right to deletion (the right to “be forgotten”)
If consent was given to process data and no other legal grounds exist, or if the data subject believes that the controller no longer needs the personal data (because the purpose of the processing has expired), the data subject is entitled to request the termination of processing and deletion of the personal data.
The right to restricted processing
This involves restricting processing to just storing the data if the data subject contests the accuracy of the personal data and the controller needs an additional period for verifying the data or the data subject has objected to the processing based on the legitimate interest of the controller.
The right to data portability
The controller provides personal data in a structured, commonly used electronic format directly to the data subject. The controller may provide the personal data of a data subject to another controller only if it involves automated processing that is based on consent or an agreement, and if it is technically feasible.
The right to object
Data subjects may object to the processing of personal data that pertains to them only in the case of processing that is carried out in the public interest or based on the legitimate interest of the controller.
The right to review automated decisions
If data subjects are subject to decisions established solely on automated processing, they are entitled to review these decisions and any human intervention on the part of the controller.
The right to lodge complaints or to protection
Data subjects are entitled to lodge complaints against the processing of personal data with the supervisory authority (in the Czech Republic, this is the Office for Personal Data Protection) or to request court protection in relation to the supervisory authority, the controller, or the processor.
Data subjects are entitled to exercise their rights arising from the GDPR, commencing on 25 May 2018. The data subjects must exercise their rights against the controller of personal data by sending a request to Charles University’s databox piyj9b4, by sending an e-mail to the officer, or by personal or electronic submission to the officer via the Registrar’s Office of Charles University. For more information on the manner of submission, visit the web page https://www.cuni.cz/UKEN-605.html.
Prior to processing the request, Charles University is entitled and obliged to verify the identity of the requesting party.
Data subjects are entitled to lodge a complaint against the processing of personal data with the supervisory authority, which is the Office for Personal Data Protection.
The Office for Personal Data Protection
address: Pplk. Sochora 27, 170 00 Prague 7
phone: +420 234 665 111