1. Preamble

In accordance with the Regulation 2016/679 of the European Parliament and the Council (EU) of 27 April 2016 on the protection of physical persons with regard to the processing of personal data and on the free movement of such data and on repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as the GDPR – the Silesian University in Opava informs the data subjects about the conditions under which personal data are processed.

2. Personal data administrator

The administrator of personal data is the Silesian University in Opava, Company Registration No.: 47813059, with its registered office at Na Rybníčku 626/1, 746 01 Opava (hereinafter referred to as the "SU"). The SU is a public university according to Act No. 111/1998 Coll., The Higher Education Act. As part of its mission, the SU freely and independently carries out educational and, in connection with it, scientific and research, development and innovation, artistic or other creative activities and related activities.

3. Commissioner for Personal Data Protection

The commissioner for the protection of personal data of the SU is Mgr. Sabina Březinová, whose contact information is:

Mgr. Sabina Březinova, sabina.brezinova@slu.cz
Tel: 553 684 652
Address: Na Rybníčku 626/1, 746 01 Opava

You can contact the commissioner in case you have any questions or requirements regarding the processing and protection of your personal data.

4. Rules for personal data processing at the SU

The SU considers the protection of personal data important and pays great attention to it. We process your personal data only to the extent that is necessary for the activities of the University, or is related to the service that you use at the SU. We protect personal data to the maximum extent possible and in accordance with applicable legislation.

5. Purposes of personal data processing

In fulfilling its mission, the SU processes personal data for the following purposes:

  • Educational activities
    • Study
    • Teaching
    • Admission procedure
    • Exchange stays
    • Lifelong learning
    • Library services
  • Science and research activities, development and creative activities
    • Project implementation
    • Organizing professional conferences
    • Publishing activities
    • Habilitation and professorship procedures
  • Administration and operation of the organization
    • Human resources and wages
    • Economy and accounting
    • Asset management
    • Operational agendas
    • E-infrastructure (computer and storage systems, computer network, electronic mail, voice network)
  • Property protection and security
    • Camera systems
    • Access to secure areas
    • Security monitoring of computer network operation
    • Security incident processing
  • Commercial activities
    • E-shop
    • Catering and accommodation services
    • Contracted commercial activities
  • Information and promotional activities
    • Websites
    • Promotion
    • Graduates

6. Categories of persons whose personal data is processed

The SU processes personal data of the following categories of persons (data subjects):

  • Employees (persons in an employment relationship with the SU)
  • Students (persons participating in all forms of education at the SU)
  • Study applicants (persons participating in the admission procedure to study at the SU)
  • Graduates (persons who studied at the SU in the past)
  • External collaborators (persons without an employment relationship at the SU involved in educational, research and other SU activities)
  • Research participants (persons involved in the role of research subjects in research activities and projects)
  • Customers (persons using or purchasing SU services and products)
  • Contractual partners (persons without an employment relationship cooperating with the SU on the basis of concluded contracts, agreements, orders, etc.)

7. Categories of personal data processed

The SU processes both personal data provided directly by individual natural persons (whether on the basis of consent or other legal reasons) and other personal data created within the processing activities and the activities necessary for their securing. This may include the following categories of personal data:

  • Address and identification data (name, surname, date and place of birth, marital status, personal identification number, degree, nationality, address (including the electronic address), phone number, identity card number, digital identifier, signature, etc.)
  • Descriptive data (education, knowledge of foreign languages, professional qualification, knowledge and skills, number of children, portrait photography, video/audio record of the person, military service, previous employment, health insurance company, membership in interest organizations, criminal irreproachability, etc.)
  • Study data (records of study and study activities, study results, study awards)
  • Economic data (bank account number, wages, rewards, fees, liabilities and receivables, orders, purchases, taxes, etc.)
  • Work data (records of work and work activities, employer, workplace, job classification and position, work evaluation, work awards, etc.)
  • Operational and location data (typically the data from electronic systems related to a specific data subject – e.g. the data on the use of information systems, on data traffic and electronic communication, on the use of a telephone, on access to various premises, recordings from camera systems etc.)
  • Data about the activities of the subject (publishing activities, data on professional activities, participation in conferences, participation in projects, data on business or study trips, etc.)
  • Data about another person (address and identification data of a family member, husband/wife, child, partner, etc.)
  • Special categories of personal data (sensitive personal data regarding information about health status, trade union membership, etc.)

8. Legal reasons for processing personal data

The processing of personal data in the framework of the above-mentioned activities takes place on the basis of appropriate legal reasons, which are:

  • Fulfilment of the legal obligation applicable to the administrator:
    We need your personal data here so that we can process it in order to fulfil our legislative obligations as an administrator. These are, in particular, Act No. 111/1998 Coll., the Higher Education Act; Act No. 130/2002 Coll., on the Support of Research and Development from Public Funds; Act No. 262/2006 Coll., the Labour Code; Act No. 563/1991 Coll., on Accounting; Act No. 127/2005 Coll., on Electronic Communications and on Amendment of Certain Related Acts; Act No. 480/2004 Coll., on Certain Information Society Services; Act No. 181/2014, on Cyber ​​Security; Act No. 586/1992 Coll., on Income Taxes; Act No. 133/2000 Coll., The Personal Data Processing Act (on Population Registration and Personal Identification Numbers) and on the Amendment of Certain Acts; Act No. 48/1997 Coll., on Public Health Insurance; Act No. 589/1992 Coll., on Premiums for Social Security; Act No. 582/1991 Coll., on Organization and Implementation of Social Security; Act No. 499/2004 Coll., on Archiving and Records Management, etc.
  • Performance of the contract:
    We need your personal data here for the purposes of concluding a contractual relationship and a subsequent performance thereof, or also before concluding a contract.
  • Consent of the data subject:
    The consent you have given us to process your personal data for one or more specific purposes.
  • The legitimate interest of the administrator, which consists mainly in:
    • the protection of property and prevention of fraud,
    • the transfer of personal data within the University constituent for internal administrative and operational purposes,
    • ensuring the security of the computer network and information.
  • A public interest
    We need your personal data here for its further processing in a public interest (e.g. for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes).

9. Transfer of personal data

In order to fulfil its legal obligations, the SU may pass selected data to designated entities (for example, public authorities). This similarly applies to the cases in which the authorization to transfer personal data outside the SU is given by the individual consents of the data subjects.

10. Retention period of personal data

The data is stored only for the time strictly necessary in relation to the personal data processing activity and is then destroyed or archived in accordance with the applicable disposal plan. We only store personal data that we process with your consent for the duration of the purpose for which the consent was granted.

11. Exercising the rights of the data subject

The data subject is entitled to exercise his/her rights arising from the GDPR, starting on 25 May 2018. The data subject must exercise his/her rights against the personal data administrator by sending a request to the SU data box qw6j9hq, via e-mail in the form of an electronically signed personal certificate to the commissioner, that is gdpr-dpo@slu.cz, or by means of a written application provided with an officially verified signature, delivered to the registry office address. Prior to processing the application, the SU has the right and obligation to verify the applicant's identity.

More information about the scope of your rights is given here.

Rights of the data subject

As a data subject, in addition to the general right to information on processing, you have the following rights, the exercise of which the personal data administrator fully respects:

  • The right to correct or supplement inaccurate or incomplete personal data that concerns you.
  • The right to erasure of processed personal data, or the "right to be forgotten". This right constitutes the administrator's obligation to destroy your personal data if at least one of the following conditions is met:
    • the personal data is no longer needed for the purposes for which they were for or otherwise processed,
    • the data subject withdraws the consent and there is no other legal reason for the processing,
    • the data subject objects to the processing and there are no prevailing legitimate reasons for the processing,
    • the personal data has been processed illegally,
    • the personal data must be erased in order to fulfil a legal obligation,
    • personal data was collected in connection with an offer of services of an information society (on the Internet) on the basis of a child's consent.
    However, the right to erasure of one's personal data is not an absolute right and the GDPR Regulation regulates a number of circumstances in which the erasure does not take place, despite the above.
    The right to erasure of one's personal data shall not be exercised in cases where the processing is necessary for the purposes specified in paragraph 8, Information on the processing and protection of personal data at the Silesian University in Opava.
    In the case of an erasure request, you shall always be informed whether the erasure has taken place and, if not, for what reason.
  • The right to access to personal data; the access right means the data subject's authorization to obtain, upon a request addressed to the administrator (the SU), information on whether or not his/her personal data are processed and, if it is processed, the data subject has the right to obtain such personal data and at the same time the right to obtain the following information:
    • the processing purposes,
    • the categories of personal data concerned,
    • the recipient or categories of recipients to whom personal data has been or will be made accessible,
    • the planned period of time for which personal data will be stored,
    • the existence of the right to request the correction or erasure of personal data from the administrator, as well as the right to restrict the processing of personal data and the right to object to the processing of personal data,
    • the right to lodge a complaint with a supervisory authority,
    • all available information on the source of personal data, if not obtained from the data subject,
    • the fact that there is automated decision-making, including profiling.
  • The right to transferability of personal data; the essence of this right is the possibility, under certain conditions, to obtain personal data concerning you and which you have provided to the administrator in a structured, commonly used and machine-readable format, and the right to request the transfer of such data to another dministrator. The conditions for exercising this right are as follows:
    • it must be a processing based on your consent or for the purpose of performing a contract, and
    • the processing is done automatically.
  • The right to object to the processing of personal data by the personal data administrator on the grounds relating to a specific situation of the data subject; you can object to the processing of personal data which takes place for the following legal reasons:
    • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of public power entrusted to the administrator,
    • the processing is necessary for the purposes of the legitimate interests of the relevant administrator or a third party.
    The administrator shall not further process personal data in the event of an objection, unless serious legitimate reasons for the processing which outweigh the interests or rights and freedoms of the data subject, or for the determination, exercise or defence of legal claims are demonstrated.
  • The right to request restrictions on the processing of personal data; processing restrictions represent a situation where your stored personal data is marked in order to limit its processing in the future; the administrator may process the data for which the processing has been restricted, except for its storage, only with your consent or for the purpose of determining, enforcing or defending legal claims, for the protection of the rights of another natural or legal person or for the reasons of overriding public interest of the European Union or a Member State. You have the right to restrict processing in the following cases:
    • if you deny the accuracy of personal data, for the time necessary for the administrator to verify the accuracy of the personal data,
    • you have objected to the processing until it is verified that the administrator's legitimate reasons outweigh your legitimate reasons,
    • the processing is illegal and you refuse the erasure of personal data and ask instead to restrict its use,
    • the administrator no longer needs personal data for processing purposes, but for the determination, enforcement or defense of legal claims.
  • The right to withdraw the consent at any time if your personal data is processed on the basis of your consent.
  • The right to be informed on a personal data breach in cases where a security breach has occurred and it is likely that such personal data breach will result in a high risk to the rights and freedoms of individuals.
  • The right to lodge a complaint, in the event of a breach of legal obligations concerning the protection of personal data, you have the right to lodge a complaint with the Office for Personal Data Protection with its registered office on Pplk. Sochora 27, 170 00 Praha 7 (+420 234 665 111, www.uoou.cz).
  • The right not to be the subject of any decision based solely on automated decision-making; this right ensures that, as a data subject, you shall not be the subject of a decision based solely on automated processing, including profiling, which would have legal effects or similarly affect you, with the exceptions set out in Article 22 (2) of the GDPR.

In the event of a request for the exercise of your rights, you shall be provided with information on the measures taken without undue delay, in any case within 30 days of the receipt of the request. However, this period of time may be extended by further 30 days if necessary and given the complexity and number of applications. You shall be informed about the extension of the deadline and the reasons for such an extension within 30 days of the receipt of the request by the SU. If the administrator does not take the action you request, you shall be notified immediately and at the latest within 30 days of the receipt of the request, including the reasons for not taking the action. In this case, you have the opportunity to lodge a complaint with the supervisory authority and apply for judicial protection.

The requests to exercise the rights of a data subject shall be processed free of charge.