







                                   Guideline 3 – Use of private e-mail addresses












            ******************************************************************************************

            *
            ******************************************************************************************
            UKRUK/69642/2018-2

            29 June 2018

            Only work e-mail accounts under the “cuni.cz” domain may be used for Charles University em

            send work e-mail messages at Charles University, to send e-mail messages to students, and 
            communication at Charles University, as well as sending e-mail messages to third parties. 
            the GDPR, it is not admissible to use private e-mail accounts or accounts at other organiz

            work e-mail messages, to communicate with students, to handle the official administrative 


            Communication from e-mail accounts of other workplaces regarding activities of Charles Uni
            agenda is possible only if the person in question has an employment relationship to anothe
            exclusively via the accounts managed by a domain of some of the faculty hospitals, the Cze

            Sciences (including the joint workplaces of Charles University and the Czech Academy of Sc
            or under the official domain of some of the public universities. For example: the supervis
            student who works at a faculty hospital may use the account managed by cuni.cz and the acc

            the domain of the faculty hospital to communicate with the PhD student.

            Forwarding e-mail messages to an employee at another Charles University workplace, i.e. au

            forwarding from an e-mail account under the cuni.cz domain to another e-mail account of th
            possible only if the organization managing the target e-mail account is one of the organiz
            in the previous paragraph. Forwarding to accounts managed by other domains is not admissib

            GDPR.

            The guideline does not otherwise restrict the location or type of e-mail boxes of data sub

            whom the communication occurs. For example, if a student enters an e-mail address for comm
            external provider, it is, of course, possible to continue sending e-mails to the student a


            In addition, It is only possible to include personal data in e-mails, the disclosure of wh
            impact on the specific person or data that the data subject communicates by e-mail (the da
            initiated the communication).


            Justification:
            If e-mails are sent outside the cuni.cz domain, personal data contained in the e-mail coul

            to third parties (e.g. organizations that operate such domains). Charles University has no
            consent for such transfers, and thus it is a violation of the GDPR. In addition, communica
            (private) e-mail addresses directly with data subjects exposes this violation and hence ea

            complaints to be filed against Charles University’s procedure.

            Last but not least, the use of e-mail accounts outside the cuni.cz domain (or outside the 

            cooperating university hospitals, the Academy of Sciences, etc.) is problematic from the s
            cybersecurity.