Protection of personal data

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)—hereinafter GDPR—Masaryk University hereby informs data subjects on the conditions under which their personal data area processed.

Personal Data Controller

The Personal Data Controller is Masaryk University, Žerotínovo nám. 617/9, 601 77 Brno, ID No.: 00216224, VAT ID No.: CZ00216224, data box ID: 9tmj9e4.

Masaryk University (hereinafter also MU) is a public university as defined in Act No. 111/1998 Coll., on Higher Education Institutions. MU's mission is to freely and independently provide education and the associated scientific, research, developmental, innovative, artistic, and other types of creative activity, as well as any activity related to the above.

Data Protection Officer

MU Data Protection Officer is Mgr. Iva Zlatušková, poverenec@muni.cz, telephone +420 549 49 1030.

Principles for Personal Data Processing at MU

Masaryk University considers personal data protection a key issue and devotes much attention to it. Your personal data are processed only within the scope necessary for the university's operations, or in relation with MU services you use. We protect personal data to the maximum extent possible and in accordance with the applicable legal regulations. Principles and rules governing the processing of personal data at MU are defined in MU Directive No. 1/2018 "Personal Data Processing and Protection“. The Directive applies the rules and principles following from GDPR as follows:

1. Lawfulness: we are required to always process your personal data in accordance with legal regulations and based upon at least one legal title.
2. Fairness and transparency: we are required to process your personal data openly and transparently, and provide you with information on the processing method and on who will have access to your personal data. This includes our obligation to inform you of any instance of severe security breach or personal data leakage.
3. Purpose limitations: we are allowed to collect your personal data only for a clearly defined purpose.
4. Data minimisation: we are required to process only personal data that are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
5. Accuracy: we are required to take every reasonable step to ensure regular updates or correction of your personal data.
6. Storage limitations: we are required to store your personal data no longer than it is necessary for the purposes for which the personal data are processed. Therefore, when the period necessary for the purpose for which the personal data are processed terminates, we are going to delete or anonymize your personal data so that they may not be traced back to you.
7. Integrity and confidentiality, non-repudiation, and availability: we are required to secure your personal data and protect them from unauthorised or illegal processing, loss, or damage. For this reason, we have taken many technical and organizational measures to protect your personal data. Simultaneously, we ensure that only authorized employees may access your personal data.
8. Accountability: we are required to be able to demonstrate our compliance with all the conditions indicated above.

Purposes for which we process personal data

To fulfil the mission of MEFANET activities, Masaryk University processes personal data for the following purposes:

1. Education
   • Study
   • Instruction
   • Lifelong learning
2. Research, development and creative work
   • Implementation of research, development and creative work
   • Project investigation
   • Expert conference organization
   • Publishing and editorial services
3. Administration and operations
   • HR and wages
   • Financial management and accounting
   • Public procurement
   • Asset administration
   • Operating agendas
   • E-infrastructure (IT and storage systems, computer network, e-mail, voice network)
   • Provision of information according to Act No. 106/1999 Coll., on free access to information
   • Health and safety at work, fire protection, crisis management and protection of the population
   • Internal training
4. Safeguarding assets and security
   • Camera systems
   • Access to secured areas
   • Security monitoring of computer network operation
   • Handling security incidents
   • Object security
5. Information provision and promotion
   • Websites
   • Marketing and promotion

Categories of persons whose personal data we process

Masaryk University processes personal data of the following categories of persons (data subjects) within the MEFANET network:

1. employees (persons employed by MU),
2. students (persons taking part in any of MU educational programme),
3. alumni (persons who studied at MU in the past),
4. third parties (persons not employed by MU who take part in educational, research, contractual, and other MU activities),
5. survey participants (persons who take part in research and projects as research subjects),
6. visitors or participants of events organised by MU.

Categories of personal data processed

Masaryk University processes personal data provided directly by individuals and personal data generated as part of processing activities and necessary for their provision.

1. Identification data: name, surname, date and place of birth, marital status, birth ID No., title, nationality, ID card/passport number, digital identifier, signature, etc.
2. Contact details: postal and email addresses, mailbox ID, telephone number, etc.
3. Descriptive data: education, knowledge of foreign languages, professional qualifications, knowledge and skills, portrait photography, video / audio records of the person, etc.
4. Student data: records on study programs and study activities, academic results, academic awards etc.
5. Job-related data: records on jobs and work-related activities, employer, unit, job descriptions and positions, work evaluation, awards, etc.
6. Data concerning operations and locations: data from electronic systems concerning a specific data subject – for example, data on the use of information systems, data operation and electronic communication, etc.
7. Subject activity data: publications, expert activities, participation in conferences, taking part in projects, data on business trips or student academic trips, etc.

Legal reasons for personal data processing

Personal data processing that takes place as part of the activities indicated above is carried out based upon the following legal reasons:

1. Fulfilment of legal obligations concerning the Controller: we need to process your personal data to fulfil our legal obligations as a Controlling entity. These obligations are dictated by: Act No. 111/1998 Coll., on Higher Education Institutions; Act No. 130/2002 Coll., on the Support of Research and Development from Public Funds; Act No. 262/2006 Coll., Labour Code; Act No. 563/1991 Coll., on Accounting; Act No. 127/2005 Coll., on Electronic Communications; Act No. 480/2004 Coll., on certain Information Society Services; Act No. 181/2014 Coll. on Cyber Security; and others.
2. Contract performance: here we need your personal data to be able to conclude a contractual relationship and for the purposes of the subsequent contractual performance; the data may be necessary to provide before the conclusion of the contract.
3. Data subject consent: this is your consent to process your personal data for a single purpose or several purposes.
4. Protection of the interests of the data subject: processing is necessary to protect the vital interests of the data subject or another natural person.
5. Public interest: processing is necessary for the performance of MU tasks carried out in the public interest or in the exercise of official authority.
6. Controller's legitimate interest consist, among other things, in:
   • providing support activities for the fulfilment of MU’s mission,
   • protection of assets and preventing fraud,
   • transfer of personal data within a university unit for internal administrative and operational purposes,
   • ensuring security of computer network and information.

Personal data transfer

The transfer of personal data to another controller is only possible on the basis of a specific legal regulation that provides for such a possibility or obligation or on the basis of the data subject's consent. The recipients of personal data for the purpose of fulfilling MU's legal obligations are generally public authorities.

In justified cases, personal data stored in MU's information systems may be processed by processors – external service providers – solely on the basis of a contract for the processing of personal data. These are mainly:

1. information systems and software operators,
2. providers of occupational health services,
3. providers of shredding services,
4. external experts in individual agendas and external consultancy providers.

The transfer of personal data to countries outside the European Union is possible exclusively on the basis of a legal regulation or an international treaty to which the Czech Republic is bound. The free movement of personal data within the European Union is neither restricted nor prohibited for the protection of natural persons in relation to the processing of personal data.

Personal data storage period

Personal data are stored only for the period of time strictly necessary in relation to the personal data processing activity and in accordance with generally binding legal regulations and MU Directive No. 2/2016, File Regulations. After the expiry of the shredding period, both paper-based and digital documents containing personal data pursuant to Section 8 of the Act No. 499/2004 Coll., on archiving and filing services, are subject to shredding.

Personal data processed by MU on the basis of the data subject's consent are stored only for the period for which the consent was given and for the duration of the purpose for which the consent was given.

Rights of the data subject in the processing of personal data

Under Articles 15-22 of the general regulation, the data subject has the right to:

1. have access to personal data,
2. rectification of personal data,
3. erasure of personal data,
4. restrict the processing of personal data,
5. portability of personal data,
6. withdraw consent to the processing of personal data,
7. object to the processing of personal data; and
8. the right not to be the subject of a decision based solely on automated processing of personal data concerning him or her.

Exercise of the data subject's rights

The data subject shall be entitled to exercise his or her rights against the controller under the general regulation, namely:

1. by a written request with an officially certified signature, or on the basis of an officially certified power of attorney, sent to Masaryk University, Data Protection Officer, Žerotínovo nám. 9, 601 77 Brno, or
2. by sending the request to the Masaryk University data box, MU data box ID: 9tmj9e4, or
3. by sending the application in the form of an e-mail message bearing at least a recognised electronic signature of the applicant to the following address: poverenec@muni.cz, or
4. by sending the application in the form of an e-mail message from the MU institutional e-mail address to: poverenec@muni.cz.

The procedure and requirements for the request are set out in more detail in the document Information for data subjects on the exercise of their rights.

Right to lodge a complaint with the supervisory authority

The data subject has the right to submit a request, complaint or suggestion regarding the processing of personal data to the supervisory authority.

Office for Personal Data Protection (ÚOOÚ), Pplk. Sochor 27, 170 00 Praha 7, Czech Republic,
Data box ID of the ÚOOÚ: qkbaa2n,
telephone number: +420 234 665 111, website: www.uoou.cz, electronic address: posta@uoou.cz

Access to personal data online

A data subject who uses or has used MU information systems has access to his or her processed personal data online after logging in and authenticating in the relevant University information systems (GDPR MU Directory).

Reporting suspected personal data breaches

Form for reporting a suspected personal data breach

1. for MU data subjects (in Czech language only)
2. for external data subjects – persons outside MU (docx file)

Code of Conduct

Masaryk University prides itself on being an open and inclusive institution. We believe that every student, regardless of their background, race, religion, sexual orientation or other characteristics, has the right to a quality education.

Our Code of Conduct defines the core values on which our university is built. They are:

• Respect for human dignity: all students are equal and have the right to respect and dignity.
• Non-discrimination: discrimination on any grounds is prohibited at Masaryk University.
• Tolerance and mutual understanding. We promote dialogue and mutual understanding between students from different cultures and backgrounds.
• Collaboration. We believe that together we can achieve greater things.

All members of the Masaryk University academic community are required to abide by this Code of Conduct.

---

This information is available in Czech and English versions. If there is a conflict between these versions, the Czech version takes precedence.