29 June 2018
Only work e-mail accounts under the “cuni.cz” domain may be used by Charles University employees to send work e-mail messages at Charles University, to send e-mail messages to students, and for any other communication at Charles University, as well as for sending e-mail messages to third parties. With respect to the GDPR, it is not admissible to use private e-mail accounts or accounts at other organizations to send work e-mail messages, to communicate with students, to handle the official administrative agenda, etc.
Communication from e-mail accounts of other workplaces regarding activities of Charles University’s agenda is possible only if the person in question has an employment relationship with another workplace, and exclusively via accounts managed under the domain of one of the faculty hospitals, the Czech Academy of Sciences (including the joint workplaces of Charles University and the Czech Academy of Sciences), CESNET, or under the official domain of one of the public universities. For example: the supervisor of a PhD student who works at a faculty hospital may use the account managed by cuni.cz and the account managed by the domain of the faculty hospital to communicate with the PhD student.
Forwarding e-mail messages to an employee at another Charles University workplace, i.e. automatic forwarding from an e-mail account under the cuni.cz domain to another e-mail account of the employee is possible only if the organization managing the target e-mail account is one of the organizations specified in the previous paragraph. Forwarding to accounts managed by other domains is not admissible under the GDPR.
The guideline does not otherwise restrict the location or type of e-mail boxes of data subjects with whom the communication occurs. For example, if a student enters an e-mail address for communication at an external provider, it is, of course, possible to continue sending e-mails to the student at this address.
In addition, e-mails may include only personal data whose disclosure would have no impact on the specific person, or data that the data subject communicates by e-mail (the data subject has initiated the communication).
If e-mails are sent outside the cuni.cz domain, personal data contained in the e-mail could be transferred to third parties (e.g. organizations that operate such domains). Charles University has not provided consent for such transfers, and thus it is a violation of the GDPR. In addition, communication from foreign (private) e-mail addresses directly with data subjects exposes this violation and hence easily allows complaints to be filed against Charles University’s procedure.
Last but not least, the use of e-mail accounts outside the cuni.cz domain (or outside the domain of cooperating university hospitals, the Academy of Sciences, etc.) is problematic from the standpoint of cybersecurity.