Mendel University in Brno, company identification No.: 62156489, with its registered office at Zemědělská 1665/1, 613 00 Brno, Czech Republic (hereinafter referred to as the “Controller” or “MENDELU”), hereby fulfils the duty to inform data subjects in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as “GDPR”, as the personal data controller. 

Contact details of controller:

Registered office of university:Zemědělská 1, Brno
Name of university:Mendel University in Brno
MENDELU Rectorate:Building A
Mailing address:Zemědělská 1665/1, 613 00 Brno, Czech Republic
Telephone:+420 545 131 111
E-mail:info@mendelu.cz
Web:www.mendelu.cz
Company identification No.:62156489
Tax ID No.:CZ62156489
Data box ID:85ij9bs

Contact details of data protection officer:

Mgr. Martin Pernica, Ph.D.

Mendel University in Brno, Zemědělská 1665/1, 613 00 Brno

Contact e-mail: dpo@mendelu.cz

Definitions

Controller – MENDELU as a legal person and public authority in the extent of competency and power of a public higher education institution, which determines the purposes and means of personal data processing. MENDELU is a public higher education institution, established in accordance with Act No. 111/1998 Coll., on Higher Education Institutions and on amendments and modifications to other acts (Higher Education Act). MENDELU freely and independently engages in scholarly, scientific, research, development, innovation, artistic and other creative activities.

Personal data recipient – a natural or legal person, public authority, agency or another entity to which personal data are provided, whether a third party or not. 

Personal data subject – a natural person to whom the personal data pertain. A legal person is not a personal data subject.

Personal data – any and all information on an identified or identifiable natural person. An identifiable natural person is a person that may be directly or indirectly identified, mainly through reference to a certain identifier. 

Personal data processing – any operation or set of operations with personal data or sets of personal data that is carried out with or without automated procedures such as collecting, recording, arranging, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission; dissemination or any other disclosure, sorting or combining, restricting, erasing or destroying. 

Consent to personal data processing – an expression of data subject’s will whereby he/she voluntarily gives permission (through a statement or confirmation) to the processing of his/her personal data for a specific purpose.

Principles of personal data processing at MENDELU

MENDELU processes your personal data in the extent necessary for the university’s operations or in connection with the services you use at MENDELU. MENDELU protects your personal data in accordance with the applicable legal regulations.

MENDELU applies the principles ensuing from the GDPR in the processing of personal data:

Lawfulness, which requires us to process your personal data in accordance with legal regulations and based on at least one legal ground.

Fairness and transparency, which requires us to process your personal data in an open and transparent way and to provide you the information about the manner of their processing.

Purpose limitation, which enables us processing your personal data only for a clearly defined purpose.

Data minimization, which requires us to process only the personal data that are necessary, relevant and adequate to the purpose of their processing.

Accuracy, which requires us to take every reasonable step to ensure regular update or rectification of your personal data.

Storage limitation, which requires us to store your personal data only for no longer than is necessary for the purposes for which the personal data are processed. As soon as the period or purpose of the personal data processing expires, we shall erase or render your personal data anonymous in such manner that the data subject is not identifiable. This shall not apply to the personal data that have to be archived for a period stipulated by the relevant legal regulations.

Integrity and confidentiality, indisputability and availability, which requires us to secure and protect your personal data from unauthorized or unlawful processing, loss or destruction. For this reason, we adopt a number of technical and organizational measures for the personal data protection.

Responsibility and liability, which requires us to be able to prove the compliance with all the above principles.

Purpose of personal data processing

As part of implementing its mission, MENDELU processes your personal data mainly for the following purposes:

  1. Educational activities (admissions, study, lifelong learning, internationally recognized courses, library services)
  2. Research, development and other creative activities (implementing projects, organizing conferences, publications and publishing, habilitation and professor appointment procedures)
  3. Administration and operation of MENDELU (HR and wages, finance and accounting, property management, operational matters, e-infrastructure, OHS, public procurement)
  4. Protection of property and safety (safety in buildings, camera systems, access to buildings with security, computer network monitoring, processing security incidents)
  5. Commercial activities (catering and accommodation), MENDELU e-shop, contractual commercial activities)
  6. Information and promotion (website, marketing and promotion, alumni club)

Categories of persons whose personal data we process

MENDELU processes personal data of the following categories of persons (data subjects):

  1. Employees (persons performing dependent work in the basic employment relationship based on an employment or similar contract)
  2. Applicants for jobs at MENDELU
  3. MENDELU external collaborators (persons who do not have an employment relationship with MENDELU and engage in educational, research and other activities at MENDELU)
  4. Applicants for study at MENDELU
  5. Students, trainees and participants in programmes of international traineeships, participants in lifelong learning and internationally recognized courses, educational, leisure, contractual and other MENDELU activities)
  6. Members of bodies and committees established by MENDELU (scientific board, board of trustees etc.)
  7. Research participants (persons involved in research activities and projects in the role of research subjects)
  8. Contractual and project partners, other customers (persons using or purchasing MENDELU services and products)
  9. Visitors and participants in events organized by MENDELU
  10. Visitors to MENDELU website
  11. Persons whose personal data are recorded by camera systems operated by MENDELU

Categories of processed personal data

MENDELU processes personal data provided directly by data subjects (natural persons) based on compliance with a legal obligation to which the Controller is subject or on other legal grounds, or data provided or obtained under legal regulations from other entities or from other sources (e.g. public registers)

This may involve the following categories of personal data:

  1. Identification data (name, surname, birth name, date and place of birth, marital status, birth certificate number, name, nationality, personal ID number, digital identifier, signature, etc.)
  2. Contact details (permanent address, factual address, contact telephone number, contact e-mail address etc.)
  3. Descriptive information (completed education, knowledge of foreign languages, professional qualification, information about military service, knowledge and skills, number of children, portrait photograph, video/audio recording concerning the person, previous employment, health insurer, membership in associations, good repute etc.)
  4. Details concerning study (records on study and associated activities, study results, awards)
  5. Financial information (bank details, wages, bonuses, fees, liabilities and receivables, orders, purchases, taxes, social and health insurance payments etc.)
  6. Work information (records of employment and associated activities, employer, workplace, job and post, professional evaluation, awards etc.)
  7. Operational and location details (typically data from electronic systems relating to a concrete data subject, e.g. data on the use of information systems, data traffic and electronic communication, use of a phone, information on access to various premises, camera system recordings etc.)
  8. Information about data subject’s activities (publication activity, information about professional activities, business or study trips etc.)
  9. Information about other persons (address and identification details of a family member, spouse, child, partner), always in strict compliance with the principle of data minimization and requirements of the law.
  10. Special personal data categories (information on convictions, health condition and its changes, membership in the trade union etc.), always in strict compliance with the principle of data minimization and requirements of the law.

Legal grounds for personal data processing

The processing of personal data within the framework of the above activities shall be based on the relevant legal grounds, namely:

  1. Processing is necessary for the fulfilment of a legal obligation applicable to MENDELU as the Controller:
    Your personal data are processed for the purpose of fulfilment of legal obligations imposed on MENDELU by special acts, as amended by subsequent regulations, in particular:
    • Act No. 111/1998 Coll., on Higher Education Institutions and on amendments and modifications to other acts (Higher Education Act)
    • Act No. 130/2002 Coll., on the Support of Research and Development from Public Funds and on amendment of certain related acts (Act on RD Support)
    • Act No. 262/2006 Coll., Labour Code
    • Act No. 563/1991 Coll., on Accounting
    • Act No. 127/2005 Coll., on Electronic Communication
    • Act No. 480/2004 Coll., on Certain Services of Information Society
    • Act No. 181/2014 Coll. on Electronic Communication
    • Act No. 326/1999 Coll., on the Residence of Foreign Nationals in the Territory of the Czech Republic and on amendment of certain acts
    • Act No. 565/1990 Coll., on Local Fees
  2. Processing is necessary for the fulfilment of a task in the public interest or in the exercise of public authority, entrusted to the Controller (this applies in cases where MENDELU is in the position of a public authority, i.e. it has the right to decide on rights and obligations of persons or otherwise intervene in their domain).
  3. Processing is necessary for the performance of a contract or for adopting measures prior to the contract conclusion upon you proposal:
    We need your personal data for the purposes of conclusion of a contractual relation and subsequent fulfilment, or as the case may be, prior to the contract conclusion (inter alia for the preparation of a contract).
  4. Processing is made because the data subject granted a consent thereto:
    Consent you granted to the processing of your personal data for one or more concrete purposes.
  5. Processing is necessary for the purposes of justified interests of the Controller, which in particular consist in:
    • the protection of assets
    • the security of computer networks, ICT systems and data
  6. Processing is necessary for the protection of vital interests of the data subject of another natural person (at MENDELU this ground for the personal data processing will be exceptional).

Personal data transfer

In order to fulfil its legal obligations, MENDELU transfers selected personal data to designated entities, e.g. the Ministry of Education, Youth and Sports, Police of the Czech Republic, Public Prosecutor’s Office, courts, financial administration authorities, social security administration, Municipal Authority of the City of Brno, etc. The personal data may also be transferred by MENDELU to other entities contingent on meeting the conditions under the provision of Section 88(5) Act No. 111/1998 Coll., Higher Education Act: “The higher education institution will provide the relevant records contained in the register of students to those who can demonstrate a legal interest.”

The transfer of personal data by the Controller for the purpose of compliance with legal obligations is deemed processing necessary for compliance with a legal obligation that applies to the higher educational institution in the position of a Controller under Article 6(1)(c) GDPR. This is not personal data processing based on the legal ground of a “consent” granted under Article 6(1)(a) GDPR.

It is not a standard practice of MENDELU to transfer personal data outside the European Union. In very exceptional reasons (e.g. in connection with international projects and their implementation), personal data may be transferred outside the European Union (to third countries or to international organizations). In such cases, personal data are transferred to a third country or international organization on the basis of an adequacy decision and upon compliance with the conditions of such decision (Article 45 GDPR) or is based on appropriate safeguards under Article 46 GDPR or on the consent of the data subject.

Period of personal data retention

Personal data are only retained for the necessary period in relation to the given activity of data processing and in accordance with the valid Filing and Retention Schedule issued under Act No. 499/2004 Coll. on Archiving and Records Service. The data are then destroyed or archived.

Overview of your rights concerning personal data protection

As a data subject, you have the following rights provided you prove your identity:

  • right to access your personal data under the conditions stated in Article 15 GDPR; you are entitled to find out which of your personal data are processed and retained by MENDELU, the purpose, legal grounds, manner and period of processing and recipients to whom the personal data are made accessible;
  • right to rectification of inaccurate or incomplete data under the conditions stated in Article 16 GDPR. As a data subject, you are also obliged to notify MENDELU of changes in your personal data and to prove that such changes have occurred, and provide MENDELU with the necessary cooperation in case we find inaccuracies in the data we process about you;
  • right to erasure under the conditions stated in Article 17 GDPR. This right shall be exercised only if MENDELU fails to demonstrate justified reasons for the processing of your personal data;
  • right to restriction of processing under the conditions stated in Article 18 GDPR. This right shall be exercised only if you deny the accuracy of the personal data, the reasons for and expediency of their processing or if you object to their processing;
  • right to notification of rectification or erasure of personal data or restriction of processing under the terms stated in Article 19 GDPR, made by MENDELU as the Controller with the exception of cases where this proves impossible or involves disproportionate effort;
  • right to portability of your personal data which you provided on the basis of a consent or contract and which are processed by MENDELU through automated means under the terms stated in Article 20 GDPR. Right to obtain such data in a structured, commonly used, machine-readable and interoperable format and right to request that MENDELU transmit the data to another controller determined by you, if technically feasible. However, the Controller does not process the obtained personal data by automated means;
  • right to raise an objection to the processing of personal data concerning you, which applies only to processing carried out in the public interest or for a legitimate interest of the Controller under the terms stated in Article 21 GDPR;
  • right not to be subject to a decision based solely on automated processing, including profiling, under the terms stated in Article 22 GDPR. However, the Controller does not take any fully automated decision-making or processing without the influence of human judgement, that would have legal effects or other significant impacts on the data subject;
  • right to lodge a complaint with a supervisory authority, in the Czech Republic the Office for Personal Data Protection, under Article 77 GDPR.

How to exercise your rights

You may exercise your rights in the following ways:

  • in the paper form through a letter with the verified signature of the data subject, delivered to the Controller via a postal service provider;
  • electronically through a data message delivered to the Controller’s data box ID 85ij9bs;
  • electronically via e-mail with a qualified or secured electronic signature of the data subject, sent to the electronic mail room of the Controller;
  • by personal handover of a written petition to the Controller’s mail room, contingent on the data subject’s identification against an ID card or passport verified by an authorized employee of the Controller.