Guideline 3 – Use of private e-mail addresses


29 June 2018

Only work e-mail accounts under the “” domain may be used for Charles University employees to send work e-mail messages at Charles University, to send e-mail messages to students, and any other communication at Charles University, as well as sending e-mail messages to third parties. With respect to the GDPR, it is not admissible to use private e-mail accounts or accounts at other organizations to send work e-mail messages, to communicate with students, to handle the official administrative agenda, etc.

Communication from e-mail accounts of other workplaces regarding activities of Charles University’s agenda is possible only if the person in question has an employment relationship to another workplace and exclusively via the accounts managed by a domain of some of the faculty hospitals, the Czech Academy of Sciences (including the joint workplaces of Charles University and the Czech Academy of Sciences), CESNET, or under the official domain of some of the public universities. For example: the supervisor of a PhD student who works at a faculty hospital may use the account managed by and the account managed by the domain of the faculty hospital to communicate with the PhD student.

Forwarding e-mail messages to an employee at another Charles University workplace, i.e. automatic forwarding from an e-mail account under the domain to another e-mail account of the employee is possible only if the organization managing the target e-mail account is one of the organizations specified in the previous paragraph. Forwarding to accounts managed by other domains is not admissible under the GDPR.

The guideline does not otherwise restrict the location or type of e-mail boxes of data subjects with whom the communication occurs. For example, if a student enters an e-mail address for communication at an external provider, it is, of course, possible to continue sending e-mails to the student at this address.

In addition, It is only possible to include personal data in e-mails, the disclosure of which would have no impact on the specific person or data that the data subject communicates by e-mail (the data subject has initiated the communication).


If e-mails are sent outside the domain, personal data contained in the e-mail could be transferred to third parties (e.g. organizations that operate such domains). Charles University has not provided consent for such transfers, and thus it is a violation of the GDPR. In addition, communication from foreign (private) e-mail addresses directly with data subjects exposes this violation and hence easily allows complaints to be filed against Charles University’s procedure.

Last but not least, the use of e-mail accounts outside the domain (or outside the domain of cooperating university hospitals, the Academy of Sciences, etc.) is problematic from the standpoint of cybersecurity.

Last change: January 7, 2019 14:45 
Share on: Facebook Share on: Twitter
Share on:  
Contact Us

Charles University

Ovocný trh 5

Prague 1

116 36

Czech Republic

CU Point - Centre for Information, Counselling and Social Services


Phone: +420 224 491 850

Erasmus+ info:



How to Reach Us