Data protection

Processing and Protection of Personal Data

1.The purpose of this information
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)—hereinafter GDPR—Palacký University Olomouc hereby informs data subjects on the conditions under which their personal data are processed.

2. Personal Data Controller
This information deals with cases where the Personal Data Controller  is Palacký University Olomouc in Olomouc, Křížkovského 511/8, 771 47 Olomouc, Czech Republic (hereinafter also UP). UP is a Personal Data Controller when determines the purpose and means of processing personal data; UP carries out the collection, processing and preservation of the data and is legally responsible for this activity.

UP is a public university as defined in Act No. 111/1998 Coll., on Higher Education Institutions. UP's mission is to freely and independently provide education and the associated scientific, research, developmental, innovative, artistic, and other types of creative activity, as well as any activity related to the above.

3. Data Protection Officer
UP Data Protection Officer is PhDr. Rostislav Hladký, MBA which can be contacted in writing at the Palacký University Olomouc address above, or by an e-mail: dpo@upol.cz.  You can contact the Data Protection Officer if you have any questions or concerns related to the processing and protection of your personal data.

4. Principles for Personal Data Processing at UP
UP considers personal data protection a key issue and devotes much attention to it. Your personal data are processed only within the scope necessary for the university's operations, or in relation with UP services you use. We protect personal data to the maximum extent possible and in accordance with the applicable legal regulations. Principles and rules governing the processing of personal data at UP are defined in directive Ochrana osobních údajů na Univerzitě Palackého v Olomouci. The Directive applies the rules and principles following from GDPR as follows:

a) Lawfulness: we are required to always process your personal data in accordance with legal regulations and based upon at least one legal title.

b) Fairness and transparency: we are required to process your personal data openly and transparently, and provide you with information on the processing method and on who will have access to your personal data. This includes our obligation to inform you of any instance of severe security breach or personal data leakage.

c) Purpose limitations: we are allowed to collect your personal data only for a clearly defined purpose.

d) Data minimization: we are required to process only personal data that are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

e) Accuracy: we are required to take every reasonable step to ensure regular updates or correction of your personal data.

f) Storage limitations: we are required to store your personal data no longer than it is necessary for the purposes for which the personal data are processed. Therefore, when the period necessary for the purpose for which the personal data are processed terminates, we are going to delete or anonymize your personal data so that they may not be traced back to you (apart from such personal data that needs to be archived for a specified period according to the relevant legal regulations).

g) Integrity and confidentiality, non-repudiation, and availability: we are required to secure your personal data and protect them from unauthorized or illegal processing, loss, or damage. For this reason, we have taken many technical and organizational measures to protect your personal data. Simultaneously, we ensure that only UP's authorized employees may access your personal data.

h) Accountability: we are required to be able to demonstrate our compliance with all the conditions indicated above.

5. Purposes for which we process personal data
To fulfil its mission, UP processes personal data for the following purposes:

a. Education

i.      Admission procedure
ii.     Study programmes
iii.      Tuition
iv.      Exchange study
v.      Lifelong learning and internationally recognized courses
vi.      Library services

b.      Research & Development, and Creative work

i.      Project investigation
ii.      Expert conference organization
iii.      Publishing and editorial services
iv.      Habilitation and professorships procedures

c.       Administration and Operations

i.      HR and wages (including competitive selection procedures)
ii.      Financial management and accounting
iii.      Asset administration
iv.      Operating agendas
v.      E-infrastructure (IT and storage systems, computer network, e-mail, voice network)
vi.      UP identity cards

d.       Safeguarding Assets and Security

i.      Camera Systems
ii.      Access to secured areas
iii.      Security monitoring of computer network operation
iv.      Handling security incidents

e.       Commerce

i.      Shopping Centre
ii.      UP e-shops
iii.      Catering and accommodation
iv.      Services provided by Academic Sport Center (including the operation of a travel agency)
v.      Language education
vi.      Contractual business

f.        Information Provision and Promotion

i.      Websites
ii.      Marketing and promotion
iii.      Magazines and newsletter publishing
iv.      Alumni
v.      Children's University
vi.      Information and counselling (e.g. in the field of study and career, psychological counselling, legal counselling and others)
vii.      Information activities provided by UPoint Information Center and Shop
viii.      Fort Science
ix.      Botanic Garden

g.       Healthcare

i.      Healthcare facility operation

6. Categories of persons whose personal data we process
UP processes personal data of the following categories of persons (data subjects):

a) Employees (persons employed by UP) and job applicants,
b) Students, participants in lifelong learning and participants of internationally recognized courses, exchange students
c) Applicants (persons taking part in admission procedures to study at UP),
d) Alumni (persons who studied at UP in the past),
e) Applicants in habilitation procedure or procedure of appointment of professor
f) Third parties (persons not employed by UP who take part in educational, research, contractual, and other UP activities),
g) Members of the bodies and committees established by UP (Scientific Board, Board of Directors, etc.)
h) Survey participants (persons who take part in research and projects as research subjects),
i) Contract and project partners, other customers (customers using or purchasing services and products of the Palacký University Olomouc), visitors to events organized by UP,
j) Persons whose personal data are recorded by surveillance cameras operated by UP.

7. Categories of personal data processed
UP processes personal data provided directly by individual natural persons—whether based upon their consent or other legal reasons, respectively the personal data provided or obtained in accordance with legal regulations from other entities or from other sources (e.g. public registers)—as well as other personal data created as part of processing activities and those necessary for its operation. Chief among them are:

a) Address and identification data (name, surname, date and place of birth, marital status, birth ID No., title, nationality, postal and email addresses, telephone number, ID card/passport number, digital identifier, signature, etc.).

b) Descriptive data (education, knowledge of foreign languages, professional qualifications, knowledge and skills, number of children, portrait photography, video / audio records of persons, military service, previous employment, health insurance, membership in interest organizations, etc.).

c) Student data (records on study programs and study activities, academic results, academic awards).

d) Financial management data (bank connection, wages, bonuses, fees, liabilities and receivables, orders, purchasing, taxes, etc.).

e) Job-related data (records on jobs and work-related activities, employer, unit, job descriptions and positions, work evaluation, awards, etc.).

f) Data concerning operations and locations (usually data from electronic systems concerning a specific data subject, e.g., data on the use of information systems, data operation and electronic communication, telephone use, access to various areas, CCTV records, etc.).

g) Subject activity data (publications, expert activities, participation in conferences, taking part in projects, data on business trips or student academic trips, etc.).

h) Data concerning another person (address and identification data of a family member, husband/wife, child, partner, etc.) - always strictly in line with the principle of data minimization and strictly in compliance with the law requirements.

i) Special personal data category and personal data relating to criminal convictions and offences (sensitive personal data on health condition, membership in unions, etc.) - always strictly in line with the principle of data minimization and strictly in compliance with the law requirements.

8. Legal reasons for personal data processing
Personal data processing that takes place as part of the activities indicated above is carried out based upon the legal reasons. These reasons are different for each type of activity that Palacký University Olomouc performs. Generally, however, these legitimate reasons for processing your personal data are:

a) Fulfilment of legal obligations concerning the Controller:
We need to process your personal data to fulfil our legal obligations as a Controlling entity. These obligations are dictated by: Act No.  111/1998 Coll., on Higher Education Institutions; Act No. 130/2002 Coll., on the Support of Research and Development from Public Funds; Act No. 262/2006 Coll., Labour Code; Act No.  563/1991 Coll., on Accounting; Act No. 127/2005 Coll., on Electronic Communications; Act No. 480/2004 Coll., on certain Information Society Services; Act No. 181/2014 Coll. on Cyber Security; and others.

b) Processing is necessary to carry out a task carried out in the public interest or in the exercise of public authority (for cases where the Palacký University Olomouc acts as a public authority, i.e. the body empowered to decide on the rights and duties of persons) -especially processing according to Act No. 111/1998 Coll., on Higher Education Institutions.

c) Contract performance or processing at the request of the data subject prior to entering into contract:
Here we need your personal data to be able to conclude a contractual relationship and for the purposes of the subsequent contractual performance; the data may be necessary to provide before the conclusion of the contract.

d) Data Subject Consent:
This is your consent to process your personal data for a single purpose or several purposes.

e) Controller's legitimate interest consist, among other things, in:

-    protection of assets,
-    ensuring security of computer network and information.

f) The necessity of processing to protect the vital interests of the data subject or other natural person (at UP, however, this reason for processing will be unique or exceptional).

9. Personal data transfer
To fulfil its legal obligations, UP may transfer selected data to specified entities (e.g., public administration authorities). Similarly, this applies on cases when the authorization to transfer personal data outside UP is given by individual instances of consent expressed by data subjects.

10. Personal data storage period
Data are stored only for the period of time necessary with respect to the processing activity in question; in accordance with an applicable shredding plan they are subsequently liquidated or archived. Personal data processed with your consent are stored only as long as the purpose for which your consent was given lasts.

11. Exercise of Data Subjects' rights
Data Subjects shall be entitled to exercise their rights under GDPR. Every employee of Palacký University Olomouc is obliged to accept your request concerning your rights under Article 15-22 of the GDPR. You are also entitled to submit your request concerning your rights under Article 15-22 of the GDPR to the UP Data Protection Officer. Before processing such a request, UP has the right and obligation to verify the petitioner’s identity. Your request will be processed without undue delay, no later than within the deadlines set by the GDPR.

12. The right to lodge a complaint with the competent supervisory authority
Data subjects shall be entitled to lodge a complaint concerning personal data processing to the competent supervisory authority, specifically The Office for Personal Data Protection, particularly in the EU member state of their habitual residence, place of work or place of the alleged infringement if data subject considers that the processing of personal data relating to them infringes the GDPR.

Contact:
The Office for Personal Data Protection
address: Pplk. Sochora 27, 170 00 Prague 7
tel.: 234 665 111
website: www.uoou.cz

This information is available in Czech and English versions. If there is a discrepancy between the Czech and English versions, the Czech version takes precedence.