INFORMATION ON THE PROCESSING OF PERSONAL DATA
|
This document, in accordance with Regulation (EU) 2016/679 of
the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the
free movement of such data, and repealing Directive 95/46/EC (hereinafter also
referred to as the “GDPR”), sets out detailed information on the processing of
personal data of applicants for study, students, and graduates (hereinafter
referred to as the “data subject”) by the higher education institution CEVRO
University, registered institute, ID No.: 275 90 101, with its registered
office at Jungmannova 17, 110 00 Prague 1 – Nové Město (hereinafter also
referred to as “CU”), as the controller of such personal data.
This document provides a clear, complete, and accurate
overview of the scope of personal data processed that the data subject shares
with CU. CU declares that it has implemented appropriate technical and
organizational measures to ensure the protection of the personal data of data
subjects. CU has also adopted all necessary measures to minimize the risk of
unauthorized or accidental access to personal data of data subjects, their
alteration, destruction, or loss, as well as unauthorized transfers or
unauthorized processing.
In the event of any additional questions regarding the
processing of personal data, it is possible to contact the Data Protection
Officer: Mgr. Julie Poklopová, Attorney-at-law, or her deputy, Mgr. Adam
Silovský, Attorney-at-law, via the email address poverenec.gdpr@cevro.cz, or by
sending a written request to the address Jungmannova 17, 110 00 Prague 1 – Nové
Město. The Data Protection Officer may also be contacted in person at the
address Jungmannova 17, 110 00 Prague 1 – Nové Město, at a time agreed in advance.
I. CU, as the controller of the
personal data of data subjects, determines the purposes and means of processing
such personal data.
I. The controller processes personal data for the purpose of:
a)
processing submitted applications for
study, in all their forms, and ensuring the conduct of the admission procedure;
b)
ensuring the conclusion and subsequent
performance of study agreements in all forms of study (Article 6(1)(b) GDPR).
Such a relationship gives rise to further statutory obligations, and CU is
therefore required to process personal data also for this purpose (Article
6(1)(c) GDPR);
c)
marketing activities, in order for CU to be
able to present its services (Article 6(1)(a) GDPR);
d)
protection of its legitimate interests
(Article 6(1)(f) GDPR), which are described in more detail below;
e)
compliance with statutory obligations in
relation to accounting;
f)
fulfilment of its statutory obligation to
record data on students in the student registry for registration, budgetary,
and statistical purposes.
II. CU considers it necessary to
process the above-mentioned data for the purposes stated above, as without such
data it would not be possible to fulfil the contractual relationship with the
data subject.
I. CU also processes the personal data of data subjects for
the purpose of protecting its legitimate interests. CU considers direct
marketing to be one of its legitimate interests, as only in this way can it
effectively develop and improve the services it provides. Another legitimate
interest of CU is the protection of its property, for which purpose CCTV
systems are installed on the premises of CU’s registered office; the use of
such systems is governed by a specific internal regulation (available for
inspection at the controller’s premises). Further legitimate interests of CU
include the taking of photographs and video recordings at events organized or
co-organized by CU. Such events include, in particular, professional
conferences, seminars, lectures, social events for students, and graduation
ceremonies. Photographs and video recordings may be taken during these events
and may be used in CU’s promotional materials, on CU’s website, and on its
social media platforms (facebook.com, instagram.com).
II. In order to protect their personal data, the data subject
is entitled to object and request that their personal data be processed only to
the extent necessary for the fulfilment of CU’s legitimate interests.
Collection
of Personal Data
I. CU obtains the personal data of data subjects on the basis
of a completed application for study, through which the applicant for study
themselves provides their personal data to CU.
II. If the applicant is subsequently admitted and enrolls in
the study program, CU may obtain additional personal data on the basis of the
concluded study agreement and/or in the course of the studies. Such personal
data may include, in particular but not exclusively, examination results, a
study email address, information on books borrowed from the CU library, and
records of the student’s likeness captured at events organized by CU or by another
entity.
III. For marketing purposes, CU may obtain personal data from
publicly available sources.
IV. CU further obtains the personal data of data subjects
from third parties (as controllers) who are authorized to access and process
the personal data of data subjects. In relation to these controllers, CU acts
as a processor of personal data. CU acts as a processor of personal data in
relation to companies:
a) www.scio.cz, s.r.o., which provides the National Comparative
Examinations;
I. For the purpose of ensuring the proper
course of studies, CU processes the following categories of personal data:
a)
basic identification data – first name,
last name, date of birth, permanent residence address, contact address,
personal identification number, place of birth, and in the case of foreign
nationals also passport number
b)
contact details – telephone number and
email address;
c)
information on previous education – at secondary
or higher education level (depending on whether it concerns bachelor’s,
master’s, or postgraduate studies) – including information on the name of the
(secondary or higher education) institution, its address, field of study or
study program and faculty, year of the school-leaving examination or state
examination, and the awarded academic degree;
d)
accounting data – bank account number and
variable symbol;
e)
personal data relating to the course of
studies – attendance records and results of written tests and oral examinations;
f)
sensitive data – processed within the
information system, on the basis of a legal obligation arising from Decree No.
277/2016 Coll. on the submission of statistical data by higher education
institutions.
g)
capture of the data subject’s likeness in
photographs
h)
identification via IP address, MAC address,
or mobile device identification when the data subject connects to the Wi-Fi
network;
i)
access to the study email mailbox.
I. The lawfulness of the processing of personal data is
determined pursuant to Article 6(1) GDPR, under which processing is lawful if
it is necessary for the performance of a contract, for compliance with a legal
obligation, for the protection of CU’s legitimate interests (protection of its
property, marketing), or if the processing is carried out on the basis of
consent granted by the student.
II. The lawfulness of processing that is necessary for
compliance with a legal obligation to which the controller is subject is based,
for example, on Act No. 563/1991 Coll., on Accounting, pursuant to which
invoicing data are processed and stored, and on Act No. 111/1998 Coll., on
Higher Education Institutions.
I. CU is obliged and entitled to transfer the personal data
of data subjects to third parties (recipients, e.g. processors) in the exercise
of public authority, for the fulfilment of its statutory obligations, for the
performance of contractual obligations, or on the basis of its legitimate
interests.
II. CU is obliged to provide the personal data of data
subjects to public authorities, such as the Ministry of Education, Youth and
Sports of the Czech Republic, tax authorities, courts, authorities involved in
criminal proceedings, and the Police of the Czech Republic.
III. CU transfers the personal data of data subjects to the
following entities as processors on the basis of a personal data processing
agreement:
a) To Masaryk University, Faculty of Informatics,
with its registered office at Žerotínovo nám. 617/9, 601 77 Brno, ID No.:
00216224, which operates an information system; CU uses this system as an
internal automated information system for the purpose of fulfilling its
statutory obligation imposed by Section 88 of Act No. 111/1998 Coll., on Higher
Education Institutions, and for the transfer of data to the Ministry of
Education, Youth and Sports. CU provides the processor in particular with the
following personal data of the data subject: first name, last name, date of
birth, personal identification number, personal email address, school email
address, telephone number, bank details, place of birth (including district and
state), permanent and temporary residence, contact address, identity card number,
passport number, date of commencement and completion of education, data on
marital status, number of children, previous education, health condition,
disability, health or social disadvantage, individual study plan, and
information on the school-leaving examination;
b) To bfinance.cz accounting s.r.o., with its
registered office at Praha-Štěrboholy – Štěrboholy, K učilišti 40/20, District
of the Capital City of Prague, Postal Code 102 00, ID No.: 28918991, which
provides accounting services to CU, for the purpose of fulfilling CU’s
statutory obligations pursuant to Act No. 563/1991 Coll., on Accounting. CU
transfers to the processor the personal data of data subjects to the extent of
first name, last name, and the variable symbol for payments generated for the
data subject;
c) To the law firm Pečený, Fučík, Langer, with its
registered office at Purkyňova 2, Prague 1, ID No.: 11371544, which provides
legal services to CU;
d) To partner institutions that provide
professional internships and traineeships for CU students; a list of such
institutions will be provided by CU upon request;
e) To Magnas Performance s.r.o., with
its registered office at Příkrá 271/16, Braník, 147 00 Prague 4, ID No.:
02802414, which provides advertising services to CU and may therefore process
the personal data of data subjects who consent to the capture of their likeness
(and possibly other personal data) in advertising materials;
f) To ELTODO, a.s., with its registered office at Novodvorská 1010/14,
Prague 4, 142 00, ID No.: 45 274 517, which provides CU with the management and
maintenance of CCTV systems. Personal data of data subjects consisting of the
capture of their likeness on CCTV recordings may be made accessible to the
processor solely in cases where the processor is addressing a technical
malfunction of the CCTV systems;
g) To MAMA TELMA AI s.r.o., with its
registered office at Revoluční 764/17, Staré Město, 110 00 Prague 1, ID No.:
14022087, which provides CU with security-related services, specifically the
operation of a warning system for building visitors. The processor is provided
with the data subjects’ telephone numbers, first names, and last names;
h) To Wolters Kluwer ČR, a.s., ID No.:
63077639, with its registered office at U Nákladového nádraží 3265/10,
Strašnice, 130 00 Prague 3, which provides CU and its students with the ASPI
legal information system. The processor is provided with the personal data of
data subjects to the extent of first name, last name, and an email address
registered under the CU domain;
i) To Tritius Solutions a.s., with its
registered office at Škrobárenská 502/1, Trnitá, 617 00 Brno, ID No.: 05700582,
which provides CU with services related to the CU library lending system. The
processor is provided with the personal data of data subjects to the extent of
first name, last name, telephone number, year of birth, and an email address
registered under the CU domain;
j) To CESNET, an interest association of legal entities, with its
registered office at Generála Píky 430/26, Dejvice, 160 00 Prague 6, ID No.:
63839172, which provides CU with services related to the verification of the
identification of data subjects participating in short-term study programs
(e.g. Erasmus). The processor is provided with personal data to the extent of
first name and last name;
k) To ECOMAIL.CZ, s.r.o., with its registered office
at Na Příkopě 388/1, Staré Město, 110 00 Prague 1, ID No.: 02762943, which
provides CU with marketing services, in particular the distribution of
newsletters. The processor is provided with personal data to the extent of
first name, last name, and email address;
l) To AITOM Digital s.r.o., with its registered office
at Na Cihlářce 3177/30, Smíchov, 150 00 Prague 5, ID No.: 24171816, which
provides CU with services consisting in the administration of websites and web
forms, such as study applications. The processor is provided with the personal
data of data subjects to the extent of first name, last name, email address, in
some cases telephone number, data on citizenship, personal identification
number, gender, permanent residence address, and in some cases the name of the
secondary school;
m) To
MICROSOFT s.r.o., with its registered office at Vyskočilova 1561/4a, Michle,
140 00 Prague 4, ID No.: 47123737, which provides CU with cloud applications
and services. The processor is provided with the personal data of data subjects
to the extent of first name, last name, and an email address registered under
the CU domain;
n) To
GTS ALIVE, s.r.o., with its registered office at Na Maninách 1092/20,
Holešovice, 170 00 Prague 7, ID No.: 26193272, which provides ISIC/ALIVE cards
to data subjects; these cards serve as student identification cards and also as
access cards to CU buildings. The processor is provided with the personal data
of data subjects to the extent completed by the data subject in the relevant
form, as well as the capture of the data subject’s likeness in a photograph;
I. CU transfers the personal data of data subjects to third
countries and international organizations within the framework of the Erasmus
project. Such personal data are transferred on the basis of the informed
consent of the data subjects. CU provides the personal data of data subjects
only to the foreign higher education institution selected by the data subject
in their application. All personal data are processed in accordance with the
GDPR. These data are processed exclusively in connection with the performance
of the study agreement and subsequent activities in accordance with the subject
matter of that agreement by the host institution, the national agency, and the
European Commission.
I. CU will process and store personal data at least for the
duration of the contractual relationship. Certain personal data required, for
example, for tax and invoicing purposes will be retained for a longer period,
namely for 5 years starting from the end of the accounting period to which they
relate.
II. Certain personal data that are processed for the purpose
of fulfilling a legal obligation, pursuant to Section 3(1)(i) in conjunction
with Section 11(5) of Act No. 499/2004 Coll., on Archives and Records
Management, will be retained in accordance with the statutory retention periods.
III. Personal data that are not subject to the provisions set
out in paragraph II of this article will never be retained longer than the
maximum period prescribed by law. After the expiry of the retention period,
personal data will be securely and irreversibly destroyed in such a manner as
to prevent their misuse.
I. CU informs data subjects that the
controller of their personal data is CEVRO University, registered institute, ID
No.: 275 90 101, with its registered office at Jungmannova 17, 110 00 Prague 1
– Nové Město, registered with the Municipal Court in Prague, Section U, File
No. 350.
II. CU declares that all information
it is obliged to provide to data subjects pursuant to Article 13(1)(c)–(f) and
Article 13(2)(a) GDPR is set out in this document, specifically in Sections
II–IV and Sections VIII–X.
III. The data subject is entitled to exercise their rights by
sending a message to the email address poverenec.gdpr@cevro.cz. The data
subject may also contact the Data Protection Officer in person, by prior
arrangement. Data subjects may further exercise their rights by sending a
written request to CU at the address Jungmannova 17, 110 00 Prague 1 – Nové
Město, or by submitting an inquiry via the ISDS data box uz3paee. For the
protection of the personal data of data subjects, the Data Protection Officer
will not provide information to applicants in cases where there are doubts as
to their identity. In order to remove such doubts, the Data Protection Officer
may be contacted in person at an agreed time.
IV. All information, communications, statements, and corrections
of personal data in the event of their modification are provided by CU free of
charge. In the case of repeated requests, CU is entitled to request payment of
an administrative fee reflecting the administrative costs of processing the
request. CU is prepared to provide data subjects, upon request, with a copy of
the personal data being processed. In the case of repeated requests, CU is
entitled to charge a reasonable fee covering the administrative costs
associated with providing such a copy. In the event of abuse of the right under
this paragraph, CU is entitled to refuse access to the data.
V. CU will provide the information
pursuant to paragraph III of this section in written or electronic form,
provided there is no doubt as to the identity of the applicant. In particular,
CU will have no doubts as to the applicant’s identity if the request is sent
from the applicant’s email address, if the request is signed with a qualified
electronic signature, via the study email account, or via the ISDS data box. In
the event of doubts, CU (in order to protect personal data) reserves the right
to provide the requested information to the applicant in person after
verification of their identity, at a time agreed in advance. CU reserves the
right not to provide information orally or by telephone.
VI. CU is obliged to provide such
information to the data subject within one month of receipt of their request.
In justified cases, CU may reasonably extend this period, however by no more
than an additional two months.
VII. If there is a change in personal data (for example a
change in marital status, surname, bank account number, permanent residence
address, or telephone number), the data subject is entitled to request that
such change be reflected. In connection with this right, the data subject is
obliged to notify CU of the change in personal data. The data subject may
notify such change by sending a written notice to CU, via the ISDS data box, by
email, or in person at CU’s registered office. The data subject is obliged to
provide supporting documentation for the change in personal data if requested
to do so. CU will rectify the personal data without undue delay, and no later
than within one month of receipt of the notification of the change in personal
data. The same procedure shall apply mutatis mutandis in the case of
clarification of inaccurately stated personal data.
VIII. CU hereby informs data
subjects of their right to lodge complaints or submit initiatives with the
supervisory authority if they believe that the processing of their personal
data infringes the GDPR. Data subjects have the right to lodge a complaint with
a supervisory authority in the Member State of their habitual residence or in
the place where the alleged infringement of their rights in relation to
personal data occurred. The supervisory authority in the Czech Republic is the
Office for Personal Data Protection, with its registered office at Pplk.
Sochora 27, 170 00 Prague 7.
IX. In certain specified cases, the data subject is entitled
to request that CU erase their personal data. Such a situation may arise, for
example, where the processed data are no longer necessary for the purposes
specified herein, or where the consent given for the processing of personal
data has been withdrawn (and there is no other legal basis on which the
personal data would be processed).
IIX. The above right to erasure of personal data pursuant to
paragraph VIII of this section does not apply to the circumstances envisaged in
Article XI, paragraph II of this document, nor to cases where CU is fulfilling
its legal obligations or where processing is necessary for the establishment,
exercise, or defence of CU’s legal claims. If CU exercises its right to refuse
a data subject’s request for erasure of their personal data under this
paragraph, CU is obliged to notify the data subject of this decision within one
month, duly justify its decision, and at the same time inform the data subject
of their rights.
XI. CU processes the personal data
of data subjects only to the extent strictly necessary. In the event that a
data subject has doubts as to the necessity of the processing of such personal
data, the data subject is entitled to request that their personal data be
processed only to the minimum extent necessary. In this connection, the data
subject is entitled to request the restriction of the scope of the processing
of their personal data.
XII. Where the processing of a data subject’s personal data
is based on their consent, the data subject is entitled to withdraw such
consent at any time, free of charge, by sending a notice to CU or to the
contact email address of the Data Protection Officer (poverenec.gdpr@cevro.cz).
In the case of an electronic request, however, it is necessary to eliminate any
doubts as to whether the applicant is indeed the data subject concerned.
XIII. The data subject is entitled to request the portability
of their personal data that they have provided to or made available to CU. The
data subject may request that such data be provided directly to them for the
purpose of transfer, or that they be transmitted directly to a controller of
their choice. Such personal data will be provided in a machine-readable format
(e.g. XML). The transfer of personal data will be carried out in a manner that
minimizes potential security risks during transmission (e.g. through the use of
encryption).