
Data Protection (GDPR)

Information about the processing and protection of personal data at UK

 

1. Preamble

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as GDPR – Charles University informs data subjects about the conditions under which personal data are processed.

 

2. Personal data controller

The data controller is Charles University, Ovocný trh 560/5, 116 36 Praha 1, ID: 00216208, VAT: CZ00216208, mailbox ID: piyj9b4 (hereinafter referred to as “Charles University” or “UK”).

111/1998 Coll., on Higher Education Institutions, as amended. Within the framework of its mission, Charles University freely and independently carries out educational and related scientific, research, development, innovation, artistic or other creative activities and related activities.

 

3. Data Protection Officer

The Data Protection Officer of Charles University is Mgr. Petra Kubáčová, gdpr@cuni.cz, phone: +420 771 232 578.

You can contact the Data Protection Officer in case you have any questions or requests regarding the processing and protection of your personal data.

 

4. UK Personal Data Processing Policy

Charles University considers the protection of personal data to be important and pays great attention to it. We process your personal data only to the extent necessary for the University’s activities or in connection with the service you use at Charles University. We protect personal data to the maximum extent possible and in accordance with applicable law. The principles and rules for the processing of personal data at Charles University are regulated by Rector’s Measure No. 16/2018 – Principles and rules for the protection of personal data. The Directive applies the principles resulting from the GDPR:

  a. The principle of lawfulness, which requires us to process your personal data in accordance with the law and on the basis of at least one legal basis.

  b. The principle of fairness and transparency, which obliges us to process your personal data openly and transparently and to provide you with information about how it is processed, together with information about to whom your personal data will be transferred. This also includes our obligation to inform you in cases of a serious breach of security or leakage of personal data.

  c. The purpose limitation principle, which allows us to collect your personal data only for a clearly defined purpose.

  d. The principle of data minimisation, which requires us to process only personal data that is necessary, relevant and proportionate in relation to the purpose of its processing.

  e. The principle of accuracy, which requires us to take all reasonable steps to ensure that we regularly update or correct your personal data.

  f. The principle of storage limitation, which requires us to keep your personal data only for as long as necessary for the specific purpose for which it is processed. Therefore, as soon as the period for processing or the purpose of processing has passed, we will delete your personal data or anonymize it, i.e. modify it so that it is not linked to your person.

  g. The principle of integrity and confidentiality, non-repudiation and availability, which requires us to secure and protect your personal data from unauthorised or unlawful processing, loss or destruction. For these reasons, we take numerous technical and organizational measures to protect your personal data. At the same time, we ensure that only authorized employees have access to your personal data.

  h. The principle of accountability, which requires us to be able to demonstrate compliance with all of the above conditions.

 

5. For which purposes we process personal data

In fulfilling its mission, Charles University processes personal data for the following purposes:

  a. Educational activities

  1. Study

  2. Teaching

  3. Admission procedure

  4. Exchange stays

  5. Lifelong learning

  6. Library services

 

  b. Research, development and creative activities

  1. Project solutions

  2. Organisation of professional conferences

  3. Publication and publishing activities

  4. Habilitation and professorial procedures

 

  c. Administration and operation of the organisation

  1. Personnel and payroll

  2. Economics and Accounting

  3. Asset management

  4. Operational agendas

  5. E-infrastructure (computer and storage systems, computer network, electronic mail, voice network)

  6. Provision of information according to Act No. 106/1999 Coll., on free access to information

  7. Health and Safety at Work, Fire Protection, Crisis Management and Public Protection

  8. Public procurement

 

  d. Asset protection and security

  1. Camera systems

  2. Access to secure areas

  3. Security monitoring of computer network operation

  4. Handling security incidents

  5. Object security

 

  e. Commercial activity

  1. Karolinum Bookstore and UK Point

  2. E-shop UK

  3. Catering and accommodation services

  4. Contract commercial activity

 

  f. Information and promotional activities

  1. Websites

  2. Marketing and promotion

  3. Graduates

  4. Junior University

 

  g. Medical activity

  1. Operation of medical facilities

  2. Operation of joint workplaces with teaching hospitals

 

6. Categories of persons whose personal data we process

Charles University processes personal data of the following categories of persons (data subjects):

  a. an employee of the University (or a person in an employment relationship with the University),

  b. a jobseeker,

  c. a study applicant,

  d. a University student,

  e. a former student of the University (including alumni),

  f. a participant in a lifelong learning (CŽV) programme,

  g. a student at another university or a student on a short-term study placement at a university,

  h. a business partner (supplier, customer, client),

  i. a research participant,

  j. an external collaborator (e.g. supervisor, co-researcher, co-author of a publication),

  k. a visitor or participant in an event organised by the University,

  l. a party to an administrative or judicial proceeding with the University,

  m. an applicant for information according to Act No. 106/1999 Coll., on free access to information,

  n. another person.

 

7. Categories of personal data processed

Charles University processes both personal data provided directly by individual natural persons (whether on the basis of consent or other legal grounds) and other personal data created as part of processing activities and necessary for their provision. This may include the following categories of personal data:

  a. Address and identification data (name, surname, date and place of birth, marital status, birth number, title, nationality, address (including electronic), telephone number, ID number, digital identifier, signature, etc.)

  b. Descriptive data (education, knowledge of foreign languages, professional qualifications, knowledge and skills, number of children, portrait photograph, video/audio recording of the person, military service, previous employment, health insurance, membership of interest organisations, criminal record, etc.)

  c. Study data (records of studies and study activities, study results, study awards)

  d. Economic data (bank details, salary, remuneration, fees, payables and receivables, orders, purchases, taxes, etc.)

  e. Work data (records of work and work activities, employer, workplace, job classification and position, job evaluation, job awards, etc.)

  f. Operational and location data (typically data from electronic systems relating to a specific data subject – e.g. data on the use of information systems, data traffic and electronic communications, telephone usage, access to various premises, CCTV footage, etc.)

  g. Data on the activities of the subject (publications, data on professional activities, participation in conferences, involvement in projects, data on work or study trips, etc.)

  h. Information about another person (address and identification data of a family member, spouse, child, partner, etc.)

  i. Special categories of personal data (sensitive personal data capturing health information, trade union membership, etc.)

 

8. Legal grounds for processing personal data

The processing of personal data in the context of the above activities is based on the relevant legal grounds, which are:

  a. Fulfilling a legal obligation applicable to the controller:

We need to process your personal data here in order to comply with our legal obligation as a controller. These include Act No. 111/1998 Coll., on Universities; Act No. 130/2002 Coll., on the Support of Research and Development from Public Funds; Act No. 262/2006 Coll., on the Labour Code; Act No. 563/1991 Coll., on Accounting; Act No. 127/2005 Coll., on Electronic Communications; Act No. 480/2004 Coll., on Certain Information Society Services; Act No. 181/2014 Coll., on Cyber Security; and others.

  b. Performance of the contract:

We need your personal data here in order to enter into a contractual relationship and subsequently perform it, or in the period before a contract is entered into.

  c. Consent of the data subject:

The consent you have given us to process your personal data for one or more specific purposes.

  d. The legitimate interest of the controller, which consists in particular in:

  • the protection of assets and the prevention of fraud,
  • the transfer of personal data within the University unit for internal administrative and operational purposes,
  • ensuring the security of the computer network and information.

 

9. Transfer of personal data

In order to fulfil its legal obligations, the UK may transfer selected data to designated bodies (for example, public authorities). Similarly, this also applies where the authority for the transfer of personal data outside the UK is given by the individual consent of the data subjects.

 

10. Retention period of personal data

The data are stored only for the time necessary in relation to the personal data processing activity and are then destroyed or archived in accordance with the applicable Records Code. Personal data that we process with your consent is only kept for the duration of the purpose for which the consent was given.

 

11. Rights of data subjects

Right of the data subject to information on processing

The data subject shall have the right to be informed whether the controller processes his or her personal data and how the controller carries out such processing.

 

Right of access to personal data

Where the controller processes the personal data of the data subject, the data subject shall have the right to obtain a copy thereof if he or she provides sufficient proof of his or her identity.

 

Right to rectification and completion

If the controller processes incorrect or outdated personal data, it is obliged to correct them at the request of the data subject.

 

Right to erasure (right to be forgotten)

If consent to processing has been given and there is no other legal basis, or if the data subject considers that the controller no longer has a need for his or her personal data (because the purpose for processing them has passed), the data subject has the right to request the termination of the processing and the erasure of his or her personal data.

 

Right to restriction of processing

This is a restriction of processing to the mere storage of data where the data subject contests the accuracy of the personal data and the controller needs a longer period of time to verify it or the data subject has objected to processing based on the controller’s legitimate interest.

 

Right to data portability

The controller shall provide the personal data in a structured, commonly used electronic format directly to the data subject. The controller may provide personal data of the data subject to another controller only if the processing is automated and based on consent or contract and if technically feasible.

 

Right to object

The data subject may object to the processing of personal data concerning him or her only if the processing is carried out in the public interest or on the basis of a legitimate interest of the controller.

 

Right to review of an automated decision

Where a data subject is subject to a decision based solely on automated processing, he or she has the right to a review of that decision and, where appropriate, to human intervention by the controller.

 

Right to a complaint or to protection

The data subject has the right to lodge a complaint about the processing of personal data with a supervisory authority (in the Czech Republic this is the Office for Personal Data Protection) or to seek judicial protection against the supervisory authority, the controller or the processor.

12. Exercise of the data subject’s rights

The data subject is entitled to exercise his/her rights under the GDPR, starting from 25 May 2018. The data subject must exercise the rights against the data controller by sending a request to the UK data box piyj9b4, by email to the Data Protection Officer gdpr@cuni.cz or by personal or electronic submission to the Data Protection Officer via the UK mailroom. More information on the method of submission is provided on the website https://www.cuni.cz/UK-655.html.

The UK has the right and obligation to verify the identity of the applicant before processing the application.

13. The right to lodge a complaint with the supervisory authority

The data subject has the right to lodge a complaint about the processing of personal data with the supervisory authority, which is the Data Protection Authority.

Contact:

Data Protection Authority

Address: Pplk. Sochora 27, 170 00 Prague 7

Tel.: 234 665 111

Website: www.uoou.cz
