Protection and processing of personal data (SR 5/2018)

valid version, version: 1

Annotation

This directive, with whole-university scope, lays down the principles and rules for the processing of personal data within the Prague University of Economics and Business (hereinafter referred to as “VŠE”), defines the responsibilities of the persons ensuring the protection of personal data at the VŠE, and defines the rights and obligations of employees, students and other natural and legal persons involved in activities related to the processing of such data.

Prepared by: Ing. Milan Nidl, MBA, Director of the Informatics Center
Approved by: prof. Ing. Hana Machkova, CSc., Rector
Date: 7.11.2018
Signed by: Ing. Milan Nidl, MBA; prof. Ing. Hana Machkova, CSc.
Valid from: May 25, 2018
Effective: until revoked
Change No. 1 effective from: 8 November 2018

Part One

Basic provisions
Article 1
Subject matter
  1. This Directive lays down the principles and rules applicable to the processing of personal data at the Prague University of Economics and Business (hereinafter referred to as “VŠE”), lays down the responsibilities of the persons ensuring the protection of personal data at the VŠE, and defines the rights and obligations of employees, students and other natural and legal persons involved in activities related to the processing of such data.
  2. The subject matter of this Directive is the processing of personal data carried out by VŠE employees and students in the performance of their work or study duties, or by other natural and legal persons processing personal data on the basis of a contract with VŠE.
  3. This Directive is based on Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “Regulation”) and on Act No. 101/2000 Coll., on the Protection of Personal Data and on Amendments to Certain Acts, as amended (hereinafter referred to as the “Personal Data Protection Act”). It supplements and elaborates some of their provisions for the regulation of relations within the VŠE and sets out the organizational arrangements within the VŠE that ensure their implementation.
Article 2

Interpretation of selected related terms

  1. “Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. “Processing of personal data” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  3. “Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by that law;
  4. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  5. “Pseudonymisation” means the processing of personal data in such a manner that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures ensuring that the personal data are not attributed to an identified or identifiable natural person;
  6. “Filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
  7. “Recipient” means a natural or legal person, public authority, agency or other body to which personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing;
  8. “Third party” means a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  9. “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies agreement to the processing of personal data relating to him or her;
  10. “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  11. “Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
  12. “Biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
  13. “Data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
  14. Definitions of other terms used in the handling and protection of personal data are given in Article 4 of the Regulation or, where appropriate, in the text or annexes of this Directive.

Part Two

Responsibilities of persons ensuring the protection of personal data
Article 3
Position of VŠE

The VŠE is the entity responsible for the processing of personal data referred to in Article 1 (2). Depending on the specific case, the VŠE may act either as a controller or as a processor. In order to ensure the protection of personal data as required by the Regulation and the Personal Data Protection Act, Part Two of this Directive specifies the persons involved in ensuring that purpose.

Article 4
Central Level
  1. The position of the Rector is determined by law, by the Statute of the Prague University of Economics and Business, by the internal regulations of the VŠE under Article 3 of the Statute and by other internal regulations of the VŠE. The Rector, as the statutory body of the VŠE, is responsible for adherence to the principles, rules and procedures for processing personal data inside and outside the VŠE in cases handled at the central level of the VŠE, insofar as the powers have not been transferred to other persons listed in this Part.
  2. The Quaestor shall be responsible to the Rector of the Prague University of Economics and Business for adherence to the principles, rules and procedures for the processing of personal data carried out in the areas of his competence specified in Article 13 of the Statute of the Prague University of Economics and Business.
  3. The Vice-Rectors are responsible to the Rector of the Prague University of Economics and Business for adherence to the principles, rules and procedures for processing personal data carried out within the scope of their activities and competencies given by Article 8 paragraph 2 of the Statute of the Prague University of Economics and Business.
Article 5
Heads of individual sections
  1. The Deans of the individual faculties of the VŠE are responsible to the Rector for adherence to the principles, rules and procedures for processing personal data carried out by employees and students of the VŠE in fulfilling their work or study obligations, or by other natural and legal persons processing personal data on the basis of a contract with a faculty of the VŠE, within the competences given to faculties by Section 24 of the Act, Article 15 of the Statute of the Prague University of Economics and Business, the internal regulations of the VŠE under Article 3 of the Statute and other internal regulations of the VŠE.
  2. The directors of other sections of the VŠE are responsible to the Rector for adherence to the principles, rules and procedures for processing personal data carried out by employees of those sections in fulfilling their work duties, or by other natural and legal persons processing personal data on the basis of a contract with such a section, within the competences given to those sections by the Statute of the Prague University of Economics and Business, the internal regulations of the VŠE under Article 3 of the Statute and other internal regulations of the VŠE.
Article 6
Guarantor of personal data processing
  1. In order to ensure the protection of personal data and their processing in accordance with the Regulation and the Personal Data Protection Act, guarantors of personal data processing (hereinafter referred to as “Guarantor”) are appointed for individual cases or areas of processing.
  2. The Guarantor is the person responsible for adherence to the principles, rules and procedures laid down in this Directive, the Regulation and other relevant generally binding legal regulations in the processing of personal data carried out in his/her case / area / activity, including ensuring the handling of data subjects' rights. The Guarantor is responsible for these activities from the date of his/her appointment until the termination of the activity, including ensuring secure archiving of the data.
  3. The Guarantor shall carry out, in his/her case / area, the assessment of the impact of the intended processing operations on the protection of personal data pursuant to Article 35 of the Regulation. To this end, he/she shall seek the opinion of the Data Protection Officer.
  4. Guarantors for a case / area are appointed by:
    a) the Rector, for processing of personal data affecting the whole VŠE;
    b) the heads of sections according to the Organizational Structure of the VŠE under Article 14 of the Statute of the Prague University of Economics and Business, for processing of personal data within the scope of the given section;
    c) a head of section designated by agreement, where the processing involves several sections. If no Guarantor is designated in this way, the Guarantor shall be appointed by the Rector.
  5. For existing personal data processing systems, the Guarantor shall be appointed by the persons referred to in Articles 4 and 5 no later than 10 days after this Directive enters into force. For new systems, the Guarantor shall be appointed before the processing of personal data begins.
  6. If no Guarantor has been appointed for a case or area of data processing, the relevant persons referred to in Articles 4 and 5 are responsible for fulfilling the Guarantor's tasks.
Article 7
Other authorized persons
  1. The following persons may come into contact with personal data:
    a) persons who, according to the characteristics of the relevant data processing pursuant to Article 13, are entrusted with the input and disposal of personal data;
    b) persons who are superiors of the persons referred to in point a) on an organizational or methodological basis;
    c) persons responsible for the organizational, functional and technical management of the relevant data processing (usually analysts, programmers, system administrators, network administrators, officers at individual departments, etc.);
    d) other persons who, according to the characteristics of the relevant data processing pursuant to Article 13, are authorized to use such personal data for the performance of their tasks.
  2. Other authorized persons are appointed by the Guarantor of the processing. Assigning or transferring persons to the roles referred to in paragraph 1 is subject to their prior demonstrable acquaintance with this Directive, the Regulation and other relevant generally binding legal regulations.
  3. The persons referred to in paragraphs 1 and 2 shall always process personal data only to the extent given by the implementation conditions / standard solution of the relevant data processing pursuant to Article 6.
  4. The persons referred to in paragraphs 1 and 2 are required to maintain confidentiality regarding personal data and regarding security measures whose disclosure would compromise the security of personal data. The obligation of confidentiality continues even after termination of employment, study or performance of the relevant work.
Article 8
Final and other works

In cases where personal data are to be processed for final theses (bachelor's, master's, dissertation, habilitation or other), the supervisor is obliged to inform the author of the obligations under the Regulation and this Directive and to ensure any further steps in accordance with this Directive. This obligation also applies, in general, to other cases where a student works on a project or performs another activity in which personal data are processed within the scope of their duties. Further details may be set by an internal regulation of the VŠE or of the Faculty.

 

Part Three

Data Protection Officer
Article 9
Appointment of a Data Protection Officer

The Data Protection Officer of the Prague University of Economics and Business (hereinafter referred to as the “Trustee”) is appointed by the Rector on the basis of his/her professional qualities, in particular expert knowledge of data protection law and practice and the ability to perform the tasks referred to in Article 11. The Rector may also remove him/her from the function.

Article 10
Status of a Trustee
  1. The Trustee is an employee of the University of Economics and is directly subordinate to the Rector.
  2. The Trustee is involved in all processes and matters related to the protection and processing of personal data at the VŠE.
  3. The Trustee shall be supported by the VŠE in maintaining its professional knowledge and shall be given access to personal data, processing operations and all resources necessary for the performance of the tasks referred to in Article 11.
  4. The VŠE does not give the Trustee any instructions regarding the performance of his/her tasks. The Rector may, however, assign the Trustee other tasks and duties; none of these tasks or duties may give rise to a conflict of interest with the performance of the function of Trustee.
  5. The Trustee shall be bound by confidentiality in relation to the performance of his / her tasks. The duty of confidentiality continues even after the termination of employment with VŠE.
  6. Information about the Trustee including contact details can be found in the public section of the University of Economics website.
Article 11
Tasks of the Trustee
  1. The Trustee shall in particular carry out the following tasks:
    a) provides information and advice to VŠE students and staff processing personal data on their obligations under this Directive, the Regulation and other generally binding legal regulations in the field of personal data protection;
    b) monitors compliance with this Directive, the Regulation, other generally binding legal regulations on personal data protection and the VŠE's policies on personal data protection, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
    c) supervises the implementation of personal data protection;
    d) provides advice and expert assistance on request regarding the data protection impact assessment and monitors its performance in accordance with Article 35 of the Regulation;
    e) after prior consultation with the persons referred to in Articles 4 and 5, notifies the personal data breach to the supervisory authority (Article 33 of the Regulation) and communicates the personal data breach to the data subject (Article 34 of the Regulation);
    f) cooperates and communicates with the supervisory authority;
    g) acts as a contact point for the supervisory authority on issues relating to the processing of personal data, including prior consultation under Article 36 of the Regulation, and consults, where appropriate, on any other matter;
    h) receives proposals from the Guarantors pursuant to Article 6 (1) and from the persons pursuant to Article 6 (4) for initiating new processing of personal data or changing existing processing, and gives an opinion on such proposals;
    i) communicates with data subjects, who may contact him/her on any matter relating to the processing of their personal data and the exercise of their rights under this Directive and the Regulation;
    j) performs other tasks arising for his/her position from the Regulation, the law or other generally binding legal regulations, or from this Directive and other regulations of the VŠE.
  2. The Trustee shall supervise the operation of the Register of personal data processing of the VŠE referred to in Article 13.
  3. In carrying out his/her tasks, the Trustee shall have due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.
Article 12
Powers of the Trustee at the VŠE
  1. If the Trustee learns that there is a risk of a breach of the rules on the protection of personal data arising from the Regulation, the law or this Directive, or finds that a breach has occurred, he/she shall notify the Guarantor and recommend in writing that the defective or risky state be remedied. The Guarantor is obliged to discuss the situation with the Trustee within a reasonable time and, if he/she concurs with the Trustee's findings, to refrain from further defective or risky conduct. The Guarantor is also obliged to take all measures to prevent the situation from recurring. If the Guarantor disagrees with the Trustee's recommendation, the Guarantor shall justify the contested conduct in writing and state the reasons why he/she believes that the rules mentioned in the first sentence have not been breached or are not at risk. In such a case, the Trustee shall notify the relevant persons referred to in Articles 4 and 5 and transmit the entire documentation to them.
  2. If there is a risk of a breach of the rules on the protection of personal data arising from the Regulation, the law or this Directive, or a breach has been found, and no Guarantor has been appointed for the given case / area / activity, the Trustee shall notify the relevant persons referred to in Articles 4 and 5 in writing.
  3. The Trustee shall propose to the persons referred to in Articles 4 and 5 the adoption of general or individual measures in the field of personal data protection whenever:
    a) he/she identifies a threat of a breach, or a breach, of the rules on the basis of findings under paragraph 1;
    b) this is appropriate on the basis of generalized experience from personal data protection practice.
  4. The provisions of paragraphs 1 to 3 are without prejudice to the Trustee's obligation, after prior consultation with the persons referred to in Articles 4 and 5, to report a personal data breach to the supervisory authority and the data subject pursuant to Article 11 (1) e).

Part Four

Register of VŠE personal data processing
Article 13
Registration and evidence of personal data processing
  1. In order to obtain an overview of the processing of personal data at the VŠE, a register of personal data processing activities at the VŠE (hereinafter referred to as the “Register”) is hereby established. The Register is entrusted to the Center of Informatics of the Prague University of Economics and Business (hereinafter referred to as “CI”). The CI Director is responsible for the operation of the Register. The workplaces and functions of the persons responsible for operating the Register shall be determined by the CI Director.
  2. Sections of the VŠE that wish to process personal data protected under this Directive, or to change the way in which they have processed personal data to date, shall notify the Trustee through the Register.
  3. The notification referred to in paragraph 2 shall contain the full characteristics of the relevant processing of personal data in the format specified by the operator of the Register.
  4. The Guarantor shall always ask the Trustee for a prior opinion on the implementation procedure and the setting of the standard solution for the protection of the personal data processed.

Part Five

Principles of personal data processing
Article 14
Principles of personal data processing
  1. The principles governing the processing of personal data are set out in Chapter II of the Regulation. Accordingly, personal data must be:
    a) processed lawfully, fairly and transparently in relation to the data subject;
    b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
    c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
    d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
    e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;
    f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using the technical and organizational measures adopted by the VŠE.
  2. The persons referred to in Part Two of this Directive shall be responsible for and shall also be able to demonstrate compliance with the principles referred to in paragraph 1.
Article 15
Legality of processing
  1. In accordance with Article 6 of the Regulation, processing is lawful only if, and to the extent that, at least one of the following conditions is met:
    a) processing is necessary for compliance with a legal obligation to which the controller is subject under the generally binding legal regulations in force;
    b) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller under the generally binding legal regulations in force;
    c) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
    d) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child;
    e) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    f) the data subject has given consent to the processing of his/her personal data for one or more specific purposes (the conditions for consent are set out in Articles 7 and 8 of the Regulation).
  2. Paragraph 1 d) (legitimate interests) does not apply to processing carried out by the VŠE in cases where the VŠE acts as a public authority in the performance of tasks entrusted to it by law.
  3. Where processing for a purpose other than that for which the personal data were collected is not based on the consent of the data subject or on the generally binding legal regulations in force, the Guarantor shall, in order to ascertain whether processing for the other purpose is compatible with the purpose for which the personal data were originally collected, take into account, inter alia:
    a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing;
    b) the context in which the personal data were collected, in particular as regards the relationship between the data subjects and the VŠE;
    c) the nature of the personal data, in particular whether special categories of personal data under Article 9 of the Regulation or personal data relating to criminal convictions and offences under Article 10 of the Regulation are processed;
    d) the possible consequences of the intended further processing for the data subjects;
    e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
Article 16
Processing of special categories of personal data
  1. The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, is prohibited in cases not covered by paragraphs 2 and 3.
  2. The exceptions to the prohibition on processing personal data under paragraph 1 are laid down in Article 9 of the Regulation.
  3. Exceptions to the prohibition in paragraph 1 also include information on:
    a) the health status in the personal records of employees and students, provided that these data were voluntarily provided by the data subject to the said records and are kept for his/her benefit (e.g. affecting admission to study, provision of services to persons with specific needs, dormitory accommodation, tax liability or other statutory benefits);
    b) membership of trade unions operating at the VŠE, recorded in the personal and wage records of employees, provided that these data were voluntarily provided by the data subject to the said records and are used for the payment of membership fees or other benefits, including the accounting for such payments;
    c) biometric data that allow the data subject to be directly identified or authenticated;
    d) special categories of personal data processed for project / research and publishing purposes.
  4. The processing of the data defined in paragraph 1 may only take place with the explicit consent of the data subject. Such consent shall be given in writing, signed by the data subject, and shall make clear which data it relates to, for what purpose, for what period and to whom it is given. By his/her signature the data subject also confirms that he/she has been advised of his/her rights in advance. The authorized persons who, according to the characteristics of the relevant data processing pursuant to Article 6, are to input and dispose of the said data shall be able to prove the existence of this consent for the entire period of the processing.
  5. In the case of further processing for scientific or historical research purposes or statistical purposes, the consent of the data subjects referred to in paragraph 4 is not required. In such a case, the processing is subject to appropriate safeguards for the rights and freedoms of the data subject through the technical and organizational measures adopted by the VŠE. At the same time, the principle of data minimisation must be ensured.
  6. The biometric data referred to in paragraph 3 c) may be processed only if, in parallel, the purpose can be achieved by other means of identification or authentication that do not depend on biometric data, and the data subject has the choice between them.
  7. The processing of personal data which does not require the identification of the data subject is governed by Article 11 of the Regulation.

Part Six

Data Subject
Article 17
Information provided to the data subject
  1. The VŠE, in the role of controller, shall provide the data subject with all the information referred to in Articles 13 and 14 of the Regulation in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and shall make all communications pursuant to Articles 15 to 22 and 34 of the Regulation in the same manner. The information is provided in electronic form on the VŠE website and in the VŠE information systems.
  2. Data subjects may refer to the VŠE, as controller, all matters relating to the processing of their personal data and the exercise of their rights under this Directive and the Regulation.
Article 18
Rights of the data subject

Rights of the data subject:

  1. the right of access to personal data is governed by Article 15 of the Regulation;
  2. the right to rectification by Articles 16 and 19 of the Regulation;
  3. the right to erasure by Articles 17 and 19 of the Regulation;
  4. the right to restriction of processing by Articles 18 and 19 of the Regulation;
  5. the right to data portability by Article 20 of the Regulation;
  6. the right to object and rights related to automated individual decision-making by Articles 21 and 22 of the Regulation.

Part Seven

Security and disclosure of personal data to third parties
Article 19
Publication of personal data
  1. The publication of personal data shall mean making it available to specifically unspecified persons or groups of persons, in particular by the mass media, other public communications or as part of a public list (eg in the public part of the Prague University of Economics and Business).
  2. Personal data protected under this Directive may be published to the following maximum extent:
    1. name;
    2. surname;
    3. titles;
    4. photos;
    5. job classification at the VŠE;
    6. inclusion in the organizational structure of the VŠE;
    7. held positions at the VŠE;
    8. contact information in connection with VŠE (workplace addresses, telephone and fax numbers, e-mail addresses);
    9. Necessary identification and specifications in the information system modules (personal number, employment number, type of employment relationship, UE network username, main employment relationship flag, off-status flag, master order);
    10. information on publishing and research activities;
    11. the course of academic qualifications;
    12. participation in individual forms of creative activities of the VŠE;
    13. information on issued publications;
    14. teaching at VŠE;
    15. academic personal www-pages (ie WWW-pages of VŠE employees and students related to their academic or study activities at VŠE),
    16. other data published by the entity itself. The data subject has the right to choose the specific scope of the published data mentioned under d), i), and n), or not to disclose such data at all.
  3. The data referred to in paragraph 2 may only be published for data subjects who:
    1. are employees of the VŠE, or were employees of the VŠE at the time of the creation of the data, which has persistent relevance;
    2. are employees or students of the VŠE and are currently active in the self-governing academic or advisory bodies of the VŠE;
  4. In the case of academic officials and directors of VŠE, the publication of personal data will be regulated individually.
  5. In the case of academic officials and persons currently working in the self-governing academic or advisory bodies of the VŠE, who are not employed by the VŠE, the publication of personal data will be regulated individually.
Article 20
Providing personal information to third parties
  1. The provision of personal data to third parties outside VŠE shall be governed by this Directive, the Regulation and the generally binding legal regulations in force.
  2. The Guarantor pursuant to Article 6 (1) or a person pursuant to Article 6 (4) must inform the Trustee in writing or electronically in advance and disclose the scope of the data provided, the purpose of the provision and the identification of the third party.
  3. The Guarantor established for the given case / area of processing is responsible for adhering to the correct procedure for providing personal data to third parties outside the VŠE in accordance with this Directive, the Regulation and the generally binding legal regulations in force. Unless a Guarantor is established for a given case / area of processing, the relevant persons referred to in Articles 4 and 5 are responsible for observing the correct procedure for providing personal data to third parties outside the VŠE.
Article 21
Security of personal data
  1. Documents and mobile / external / portable technical data carriers held by the VŠE and containing personal data protected under this Directive shall be kept only in lockers at workplaces of the VŠE, or in other safe places determined by the characteristics of the relevant data processing pursuant to Art. 11, or secured by encryption.
  2. If personal data are processed that are directly related to activities carried out at the VŠE (e.g. attendance sheets, answer sheets, tests, notebooks, attendance lists), their securing shall be done in the usual way to prevent the risk of personal data misuse. The other obligations set out in this Article shall apply to the processing of such personal data only to the extent that this is appropriate to their nature and the circumstances of their normal processing.
  3. Computers and other technical means on which data containing personal data protected under this Directive are stored shall be protected from unauthorized access, usually by passwords, encryption or locking.
  4. Copies of personal data protected pursuant to this Directive shall be made on technical data carriers according to the operational rules laid down for individual data processing and kept in lockers at VŠE workplaces where appropriate, at other secure locations identified by the characteristics of the relevant data processing pursuant to Article 11, or secured by encryption.
  5. If the Guarantor or an authorized person discovers or suspects that a breach of personal data security (an incident) has occurred or may have occurred, he / she is obliged to notify the Helpdesk of the Computer Center immediately. Other persons may also report incidents to the Helpdesk if they detect or suspect an incident involving the processing of personal data referred to in Article 1 (2). The Helpdesk will register the incident, describe it in cooperation with the notifier and forward it immediately to the Security and Data Protection Department of the Computer Center. Notification of an incident to the Helpdesk pursuant to this Directive does not replace the obligation to notify events pursuant to other regulations, e.g. the obligation to report security incidents affecting a part of the VŠE information system to the administrator according to PR 07/2018.
  6. The Security and Data Protection Department of the Information Center will complete the description and categorization of the incident as soon as possible with a proposal of measures to ensure the resolution of the incident, including measures to mitigate possible adverse impacts. The categorization is performed according to the following scale:
    A low-risk incident (I.) that does not affect the rights and freedoms of the data subject, a medium-risk incident (II.) affecting the data subject’s rights or freedoms, and a very high-risk incident (III.) with a major impact on the data subject’s rights and freedoms.
    The division into categories is monitored by the Trustee. The Trustee may prepare methodologies for categorizing individual types of incidents. All incidents are permanently documented and archived by the department.
    The Department shall immediately transmit the completed information on incidents of category II. and III. to the Administrator (VŠE management).
  7. In the case of a category II. incident, the Administrator (management of the VŠE), after discussing it, reports the incident within 72 hours to the Office for Personal Data Protection. In the case of a category III. incident, the Administrator reports the incident to the Office for Personal Data Protection and to the data subjects concerned. The notification shall be made by the Trustee or another authorized person of the VŠE management and shall contain at least the particulars defined in Article 33 (3) of the Regulation.

Part Eight

Final Provisions
Article 22
Transitional and final provisions
  1. Sections of the VŠE processing personal data protected by this Directive shall notify this fact without undue delay in writing, including in electronic form, to the authorized person through the register referred to in Article 13, indicating for each activity at least the following data:
    1. the name of the activity, the name of its components;
    2. workplace, name and contact details of the guarantor;
    3. a description of the categories of data subjects;
    4. a description of the categories of personal data;
    5. processing purposes;
    6. the categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries or international organizations;
    7. information on any transfer of personal data to a third country or international organization, including the identification of that third country or international organization and, in the case of the transfer referred to in the second subparagraph of Article 49 (1), proof of appropriate safeguards;
    8. if possible, the planned deadlines for deleting individual categories of data;
    9. where possible, a general description of the technical and organizational security measures referred to in Article 32 (1) of the Regulation;
    10. if the processing is carried out by an external person (processor), identification of the processor and also the contract on the basis of which the processing takes place;
    11. the legal title on which the processing takes place;
    12. source of personal data;
    13. the recommendation of the guarantor whether an assessment of the impact of processing operations on the protection of personal data under Article 35 of the Regulation is necessary.
  2. This Directive cancels the Rector’s Order No. 4/2001 – Application of Act No. 101/2000 Coll., as amended, “on the protection of personal data and amending certain laws” (PR 04/2001).
  3. Compliance with this Directive shall be checked by an authorized representative.

Responsible person: Ing. Milan Nidl, MBA Last updated: 8. 11. 2018