Data processing and protection – GDPR - Public web - Czech technical university in Prague

You are here

The CTU´Data protection Officer:
Mgr. Ing. Josef Svoboda, Ph.D.

E-mail:
dpo@cvut.cz

Phone:
+420 224 353 414
+420 737 206 378

Address:
Jugoslávských partyzánů 1580/3
160 00 Praha 6 - Dejvice

Office:
Betlémský palác, Husova 5, Prague 1, 4th floor

Related documents

Order of the Rector 04/2018 on the Protection and Processing of Personal Data at Czech Technical University in Prague
GDPR desatero: Doporučení k ochraně osobních údajů na ČVUT (in Czech)

Personal data processing purposes (Older versions archive)

Information on personal data processing and protection at CTU in Prague

1. Preamble

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council  of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter only as the GDPR – the Czech Technical University in Prague hereby informs the data subjects about the conditions under which their personal data is processed.

2. Data Controller

The Data Controller is: the Czech Technical University in Prague, Jugoslávských partyzánů 1580/3, 160 00 Praha 6 - Dejvice, ID: 68407700, Tax ID: CZ68407700, Data Box ID: p83j9ee (hereinafter only as “CTU”).

CTU is a public university established in accordance with Annex No. 1 to Act No. 111/1998 Coll., on Higher Education Institutions and on Amendments and Supplements to some other Acts (the Higher Education Act), as amended (hereinafter only as the “Act”); according to this Act, CTU is an executor of public administration, both state administration and self-administration. CTU is a legal entity. Pursuant to Section 2 (c), Act No. 111/2009 Coll., on Basic Registers, CTU is a public authority.

3. Data Protection Officer

The CTU’s Data Protection Officer is:  Ing. Josef Svoboda, Ph.D., dpo@cvut.cz, phone: +420 224 353 414.

You may contact the Data Protection Officer if you have any questions or requests regarding the processing and protection of your personal data.

4. Principles of personal data processing at CTU

CTU considers personal data protection an issue of key importance and gives it due attention. We only process your personal data to the extent that is necessary for the activity of the university, or is related to a service provided by CTU that you are using. We protect personal data to the maximum extent and in accordance with applicable legislation. The principles and rules of processing of personal data at CTU are regulated by the RECTOR’S ORDER No. 04/2018 on the Protection and Processing of Personal Data at CTU. The order applies the following principles and rules arising from the GDPR:

  1. The principle of legality, which imposes on us the obligation to process your personal data in accordance with legal regulations and on the basis of at least one legal title.
  2. The principle of fairness and transparency, which imposes on us the obligation to process your personal data openly and transparently and to provide you with information on how it is processed, together with information about who can access your personal data. This also includes the obligation to inform you about any serious breach of security or personal data leaks.
  3. The principle of purpose limitation which imposes on us the obligation to collect your personal data only for a clearly defined purpose.
  4. The principle of data minimization, which imposes on us the obligation to process only personal data that is necessary, relevant and appropriate to the purpose of its processing.
  5. The principle of accuracy, which imposes on us the obligation to take all reasonable measures to ensure regular updates and corrections of your personal data.
  6. The principle of limited storage, which imposes on us the obligation to store your personal data only for a period of time that is necessary for the particular purpose for which the data is being processed. Thus, when the period of processing or the purpose of processing ends, we will erase or anonymize your personal data; in other words, we will modify it so that it cannot be traced back to you.
  7. The principle of integrity and confidentiality, non-repudiation and availability, which imposes on us the obligation to secure and protect your personal data from unauthorized or unlawful processing, loss or damage. For this reason, we have taken a number of technical and organizational precautions to protect your personal data. At the same time, we ensure that only authorized personnel may access your personal data.
  8. The principle of accountability, which imposes on us the obligation to be able to demonstrate compliance with all the aforementioned requirements.

5. Purposes for which we process personal data 

In order to fulfil its mission, CTU processes personal data for the following purposes:

  1. Educational activity
    1. Studies.
    2. Instruction.
    3. Admission procedure.
    4. Exchange programmes.
    5. Lifelong learning.
    6. Services of the library .
  2. Science and research, development and creative activity
    1. Implementation of projects.
    2. Organization of specialized conferences.
    3. Publishing and editorial activity.
    4. Habilitation proceedings and proceedings to appoint professors.
  3. Administration and operation of organization
    1. HR agenda and wages.
    2. Financial management and accounting.
    3. Property management.
    4. Operating agendas.
    5. E-infrastructure (computing and storage systems, computer network, electronic mail, voice network).
  4. Protection of property and security
    1. CCTV systems.
    2. Access to secured areas.
    3. Security monitoring of computer network operation.
    4. Dealing with security incidents .
  5. Commercial activity
    1. CTU e-shop.
    2. University bookshop with specialized literature.
    3. Catering and accommodation services.
    4. Contractual commercial activity.
  6. Information and promotional activity
    1. Web presentation.
    2. Marketing and promotion.
    3. Alumni.
    4. Children’s university.

6. Categories of persons whose personal data we process

CTU processes personal data of the following categories of persons (data subjects):

  1. University employees (or persons who have an employment contract with CTU),
  2. Job applicants,
  3. Study applicants,
  4. Students of the university,
  5. Former students of the university (including alumni),
  6. Participants in LLL programmes,
  7. Students of other universities or students arriving for short-term study stays at the university),
  8. Business partners (suppliers, purchasers, customers),
  9. Participants in research,
  10. Outside collaborators  (e.g., supervisors, collaborators in projects, co-authors of publications),
  11. Attendants of or participants in events organized by the university,
  12. Participants in administrative or legal proceedings with the university,
  13. Others.

7. Categories of processed personal data

CTU processes personal data provided directly by individual natural persons (whether based on consent or other legal reasons) as well as other personal data generated in the framework of processing activities and necessary for their provision. This includes the following categories of personal data:

  1. Address and identification data (name, surname, date and place of birth, marital status, birth registration number, university degree, nationality, address (including electronic address), telephone number, ID card number, digital identifier, signature, etc.)
  2. Descriptive data (education, language skills, professional qualifications, knowledge and skills, number of children, portrait photography, video/audio record of the person, military service, previous employment, health insurance company, membership in interest organizations, criminal record, etc.)
  3. Study data (records of studies and study activities, study results, study awards)
  4. Economic data (bank account details, salary, bonuses, fees, liabilities and receivables, orders, purchases, taxes, etc.)
  5. Employment data (records concerning employment and job-related activities, employer, workplace, job position and title, assessment, awards, etc.)
  6. Operation and location data (typically data from electronic systems relating to a specific data subject – e.g., data on the use of information systems, on data traffic and electronic communications, on the use of the telephone, on access to various premises, CCTV records, etc.).
  7. Data on activities of the subject (publication activity, data on expert activities, participation in conferences, involvement in projects, data on business or study trips, etc.)
  8. Data concerning another person (address and identification data of a family member, spouse, child, partner, etc.)
  9. Special category of personal data (sensitive personal data concerning health, membership in labour unions, etc.)

8. Legal reasons for personal data processing

Personal data processing in the framework of the aforementioned activities takes place based on the following relevant legal grounds:

  1. Fulfilment of legal obligations of the Controller:
    We need your personal data to be able to process it in order to meet our legal obligations as a Controller. This includes in particular obligations stipulated in Act No. 111/1998 Coll., on Higher Education Institutions; Act No. 130/2002 Coll., on the Support of Research and Development from Public Funds; Act No. 262/2006 Coll., the Labour Code; Act No. 563/1991 Coll., on Accounting; Act No. 127/2005 Coll., on Electronic Communications; Act No. 480/2004 Coll., on Certain Information Society Services; Act. No. 181/2014 on Cyber Security; and other acts.
  2. Contractual obligations:
    We need your personal data in order to be able to conclude a contract and to meet the subsequent contractual obligations. In some cases we may need your personal data also before the conclusion of a contract.
  3. Consent of the data subject:
    The consent you gave us to process your personal data for a single or several specific purposes.
  4. Controller’s legitimate interest, which consists in particular in:
    • Property protection and fraud prevention,
    • Transfer of personal data within a constituent part of the university for internal administrative and operational purposes,
    • Ensuring the security of the computer network and information.

9. Transfer of personal data

In order to fulfil its legal obligations, CTU can transfer selected data to designated entities (e.g., public authorities). This applies equally to cases when the authorization to transfer personal data outside CTU is given by individual consents granted by data subjects.

10. Period of storage of personal data

The data is stored only for a period of time that is strictly necessary in relation to the particular activity of processing personal data and the data is then destroyed or archived in accordance with the applicable File and Shredding Rules. The personal data that we process with your consent is stored only for the duration of the purpose for which the consent was granted.

11. Assertion of rights of data subjects

Data subjects are entitled to assert their rights under the GDPR as of 25 May 2018. Data subjects must assert their rights against the Data Controller either by sending a request to the CTU data box p83j9ee, or by sending an e-mail to the Data Protection Officer dpo@cvut.cz, or by submitting the request in person or electronically to the Data Protection Officer through CTU’s registry. Before processing the application, CTU has the right and obligation to verify the applicant’s identity.

12. The right to lodge a complaint with a supervisory authority

Data subjects have the right to lodge a complaint concerning personal data processing to a supervisory authority, namely the Office of Personal Data Protection.

Contact:
Úřad pro ochranu osobních údajů
Address: Pplk. Sochora 27, 170 00 Praha 7
phone: 234 665 111
website: www.uoou.cz

Content owner: Josef Svoboda