Privacy Policy

1.  Controller of Personal Data

The data controller, Brno University of Technology, Antonínská 548/1, 602 00 Brno, ID No.: 00216305, VAT No.: CZ00216305, is a public university established by law. In the course of its activities, Brno University of Technology (hereinafter referred to as the “University”) processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and in accordance with other legal regulations. In connection with the entry into force of the aforementioned Regulation (hereinafter also “GDPR”), the Brno University of Technology (hereinafter also “BUT”) has appointed a Data Protection Officer, Ms. Lucie Schimmelová, M.A. The Data Protection Officer can be contacted at: Brno University of Technology, Gorkého 62/13, 602 00 Brno, email: poverenec@vut.cz


2.  Who Are the Typical Data Subjects

The university processes personal data relating in particular to the following categories of individuals:

  • applicants for studies,
  • students,
  • graduates,
  • participants in lifelong learning programmes,
  • employees,
  • job applicants,
  • external collaborators, members of bodies and committees,
  • participants in conferences, courses, professional and public engagement events,
  • suppliers, contractual partners and their contact persons,
  • visitors to university premises and users of university services,
  • persons involved in the university’s scientific, research, development, innovation, artistic and other creative activities.

3.  Main Purposes of Personal Data Processing

The university processes personal data in particular for the following purposes:

  • provision of accredited study programmes and lifelong learning programmes,
  • administration of admission procedures, study agenda, student register and related records,
  • issuance of study documents and graduation documents,
  • organisation of teaching, examinations, state examinations, rigorous proceedings, habilitation proceedings and other academic processes,
  • provision of scholarships, accommodation, catering and other student services,
  • human resources, payroll, tax, insurance and employment-related agenda,
  • accounting, asset management, contractual and operational agenda,
  • ensuring the security of persons, property, information systems and university operations,
  • fulfilment of obligations towards public authorities and other authorised entities,
  • carrying out scientific, research, development, innovation, artistic and other creative activities,
  • organisation of conferences, professional, educational, social and public engagement events,
  • communication with the public, information and promotional activities, where there is an appropriate legal basis,
  • records management, archiving and protection of the rights and legitimate interests of both the university and the individuals concerned.

4.  Typical Categories of Personal Data Processed

Depending on the specific agenda, the university may process in particular the following categories of personal data:

  • identification data, such as first name, surname, title, date of birth, personal identification number, if assigned,
  • contact data, such as address, email address, telephone number, data box details,
  • data relating to studies, education, qualifications and professional competence,
  • data relating to employment, work position and work performance,
  • economic and payment data,
  • operational and location data related to the use of university systems and services,
  • identifiers issued or used by the university, such as personal number, card number or user identifier,
  • image or audio data, where their processing is necessary for a specific purpose,
  • data related to scientific, research, development, innovation, artistic or other creative activities,
  • in specifically justified cases, also special categories of personal data, such as data concerning health or trade union membership, where there is an appropriate legal basis for such processing.

5.  Legal Bases for Processing Personal Data

The university processes personal data mainly on the following legal bases:

  • Article 6(1)(c) GDPR – compliance with a legal obligation,
  • Article 6(1)(e) GDPR – performance of a task carried out in the public interest or in the exercise of official authority,
  • Article 6(1)(b) GDPR – performance of a contract or steps taken prior to entering into a contract,
  • Article 6(1)(a) GDPR – consent of the data subject, where required or chosen as the legal basis,
  • Article 6(1)(f) GDPR – the legitimate interests of the university, where this legal basis is applicable and the processing is not carried out by the university in the exercise of its public authority or public task.

In the case of special categories of personal data, the university proceeds in accordance with Article 9 GDPR and related legal regulations.


6.  Recipients and Processors of Personal Data

Depending on the nature of the specific agenda, personal data may be disclosed or transferred in particular to:

  • employees and bodies of the university who need them for the performance of their work or official duties,
  • ministries, administrative authorities and other public authorities, where required by law,
  • contractual processors providing technical, organisational, administrative or other support services for the university,
  • providers of information systems, cloud, communication, accounting, archiving, security or similar services,
  • other recipients, where required by law, by contract or by the data subject’s consent.

7.  Transfers of Personal Data to Third Countries

Personal data are not normally transferred to third countries or international organisations, unless such transfer results from a specific service, contractual relationship, international cooperation or another specific agenda. In such a case, the university will provide the individual concerned with appropriate information in accordance with the GDPR.


8.  Retention Period of Personal Data

The university processes personal data only for the period necessary to fulfil the relevant purpose of processing.

The retention period depends in particular on:

  • applicable legal regulations,
  • the university’s internal records retention and disposal rules and records retention plan,
  • archiving obligations,
  • accounting, tax, employment and other retention obligations,
  • the need to protect the legal claims of the university or the individuals concerned.

After the expiry of the relevant period, personal data are erased, destroyed, anonymised or transferred to archival status, where required by law.


9.  Rights of Data Subjects

Under the conditions laid down by the GDPR, the data subject has the right to:

  • request access to their personal data,
  • request rectification of inaccurate personal data,
  • request completion of incomplete personal data,
  • request erasure of personal data,
  • request restriction of processing,
  • object to processing,
  • request data portability,
  • withdraw consent to processing, where processing is based on consent,
  • lodge a complaint with the supervisory authority.

The right to erasure is not absolute and does not apply to the extent that processing is necessary for compliance with a legal obligation of the controller or for the performance of a task carried out in the public interest or in the exercise of official authority.

The right to data portability does not apply to the extent that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. Limitations of these rights arise directly from the GDPR, in particular Articles 17 and 20(3).

Requests to exercise the rights of the data subject may be submitted using the contact details of the controller or the Data Protection Officer listed above.


10.  Right to Lodge a Complaint

The data subject has the right to lodge a complaint with the supervisory authority, which is:

Office for Personal Data Protection Pplk. Sochora 27 170 00 Prague 7


11.  Automated Decision-Making

In the ordinary course of its activities, the university does not generally make decisions based solely on automated individual decision-making, including profiling, unless it provides otherwise in a specific agenda and informs the individual concerned accordingly.


12.  Specific Information for Individual Agendas

The university publishes or provides more detailed information on the processing of personal data separately for individual agendas, in particular for the following areas:

  • applicants for studies,
  • students,
  • graduates,
  • employees and job applicants,
  • participants in events and conferences,
  • contractual partners and suppliers,
  • CCTV systems,
  • websites, cookies and electronic communications,
  • alumni portal and newsletters,
  • other specific agendas depending on the nature of the processing.

Applicants for Study Students Alumni

Responsibility: Mgr. Lucie Schimmelová