Privacy Policy - Information on the Processing of Students’ Personal Data

1.  Controller of Personal Data

The data controller, Brno University of Technology, Antonínská 548/1, 602 00 Brno, ID No.: 00216305, VAT No.: CZ00216305, is a public university established by law. In the course of its activities, Brno University of Technology processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the repeal of Directive 95/46/EC (General Data Protection Regulation) and in accordance with other legal regulations. In connection with the entry into force of the aforementioned Regulation (hereinafter also “GDPR”), Brno University of Technology (hereinafter also “BUT”) has appointed a Data Protection Officer, Ms. Lucie Schimmelová, M.A. The Data Protection Officer can be contacted at: Brno University of Technology, Gorkého 62/13, 602 00 Brno, email: poverenec@vut.cz.

2.  Purposes of Personal Data Processing

The university processes students’ personal data for the following purposes:

• administration of study-related matters and fulfilment of obligations arising from the student status,
• maintenance of the student register,
• issuance of documents relating to studies and graduation,
• ensuring student identification in the course of fulfilling study obligations and in study administration,
• organisation of teaching, examinations and other study-related procedures,
• provision of scholarships and other benefits to students,
• ensuring contact with students in justified cases related to studies, the administration of study matters, or the protection of life, health and safety in crisis situations,
• fulfilment of registration, notification, statistical and other legal obligations of the university,
• fulfilment of obligations towards public authorities and other authorised recipients,
• records management, archiving, and protection of the rights of both the university and the students.

A student’s telephone contact is maintained in the university information system after enrolment in studies; the student may manage it in their account, and the data may be used in particular for crisis notifications and other justified emergency situations.

3.  Legal Basis for Processing

Students’ personal data are processed mainly on the following legal bases:

• Article 6(1)(c) GDPR – compliance with a legal obligation to which the controller is subject,
• Article 6(1)(e) GDPR – performance of a task carried out in the public interest or in the exercise of official authority,
• where applicable in specific justified cases, also Article 6(1)(b) GDPR – performance of a contract or implementation of measures taken at the request of the data subject prior to entering into a contract.

The legal basis for processing is, in particular, Act No. 111/1998 Coll., on Higher Education Institutions, as amended, and other related legal regulations governing the activities of the university. The university processes telephone contact data used for crisis notifications and emergency situations primarily pursuant to Article 6(1)(e) GDPR.

4.  Scope of Personal Data Processed

The university processes in particular the following personal data of students:

a) Identification and Contact Data

First name, additional first names where applicable, surname, birth surname, academic titles, personal identification number, if assigned, date of birth, place of birth, permanent residence address in the Czech Republic, residential address outside the Czech Republic, where applicable a correspondence address, private email address if provided by the student, telephone contact, the student’s electronic address within the university information system, university personal number, and, in the case of foreign nationals, also sex, residence in the Czech Republic and citizenship.

The telephone contact may be transferred into the student information system from the data provided when applying for studies; after enrolment in studies, it is further maintained as the student’s contact data. The student may subsequently modify this data in their account depending on the functional settings of the relevant system.

b) Data on Studies and Academic Progress

Data on enrolment in studies, previous education, study programme and mode of study, enrolment in a higher year or another study block, interruption of studies, termination of studies, examinations and state examinations taken, academic degree awarded, the number of the higher education diploma and diploma supplement, if issued, and other data related to the fulfilment of study obligations and the administration of studies.

c) Data on Documents and Identifiers

Data necessary for issuing a student card, study record book, certificate of study, certificate of examinations taken, higher education diploma and diploma supplement, student card number, and other internal identifiers used by the university.

d) Student Photograph

A student’s photograph is processed for the purpose of issuing a student card and further for the purpose of identifying the student in the fulfilment of study obligations, in study administration, in communication with the study department, in identification during examinations or other study-related procedures, and for managing access rights and authorisations within the university information systems and related services, where such processing is used in the specific environment of the university.

e) Economic and Payment Data

Bank account number, if provided by the student for the payment of a scholarship or another benefit, and other data necessary for related accounting and payment administration.

5.  Source of Personal Data

Personal data are obtained primarily directly from the student, in particular when submitting an application, upon enrolment in studies, during the course of studies, from documents submitted by the student, and from data arising in connection with the fulfilment of study obligations.

Contact data, including telephone contact, are obtained directly from the student when submitting an application, upon enrolment in studies, during the course of studies, or through their later update in the university information systems.

Additional data may arise from the official activities of the university or may be obtained from other authorised entities where required by law.

6.  Recipients of Personal Data

Students’ personal data may be disclosed or transferred in particular to:

• employees and bodies of the university who need them for the performance of their work or official duties,
• the Ministry of Education, Youth and Sports to the extent stipulated by legal regulations,
• processors providing technical and organisational services for the university,
• other public authorities or other entities, where required by law or by a binding decision of the competent authority,
• the administrator of the central register of insured persons and other entities of the public health insurance system, where necessary for the fulfilment of statutory reporting and registration obligations of the university.

Only authorised persons who need the student’s telephone contact for the performance of their work duties within the university’s study, administrative, technical or security agenda have access to this data. Where the telephone contact is used for crisis notifications, this is done only to the extent corresponding to that purpose.

Where a student applies for the issuance of an ISIC card or another similar service provided by a third party, the necessary personal data may be transferred to that third party to the extent required for issuing and administering such card or service.

7.  Transfers of Personal Data to Third Countries

As part of ordinary study administration, students’ personal data are not transferred to third countries or international organisations, unless such transfer results from a specific service used by the student or from specific international cooperation. In such a case, the student will be informed separately in accordance with applicable legal regulations.

8.  Retention Period of Personal Data

Data maintained in the student register and documents relating to relevant events are retained in accordance with the legal regulations governing the activities of the university, archiving and records management. Other personal data that are not part of the student register or archival records are retained only for the period necessary to fulfil the relevant purpose and subsequently for the period stipulated by the university’s records retention and disposal plan, accounting and tax regulations, or other relevant legal obligations.

A student’s photograph is retained for the duration of the student status and further for the period necessary for handling related administrative and control procedures, but no longer than under the university’s internal records retention and disposal regime, unless the photograph forms part of another document subject to a different retention regime.

Data relating to a student’s bank account number are retained for the period necessary to carry out payments and subsequently for the period required by the relevant accounting and tax regulations.

A student’s telephone contact is retained for the period necessary to fulfil the purpose for which it is maintained and subsequently in accordance with the relevant internal retention regime of the university.

9.  Rights of the Data Subject

Under the conditions laid down by the GDPR, the student has the right to:

• request access to their personal data,
• request rectification of inaccurate personal data,
• request completion of incomplete personal data,
• request restriction of processing,
• object to processing where the processing is based on Article 6(1)(e) GDPR,
• lodge a complaint with the supervisory authority.

The right to erasure is not absolute and does not apply to the extent that processing is necessary for compliance with a legal obligation of the controller or for the performance of a task carried out in the public interest or in the exercise of official authority. The right to data portability does not apply to the extent that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. These limitations follow directly from the GDPR, in particular Articles 17 and 20(3).

Requests to exercise the rights of the data subject may be submitted using the contact details of the controller or the Data Protection Officer listed above.

10.  Right to Lodge a Complaint

The student has the right to lodge a complaint with the supervisory authority, which is:

Office for Personal Data Protection Pplk. Sochora 27 170 00 Prague 7

11. Automated Decision-Making

In the course of ordinary study administration, no decisions are made based solely on automated individual decision-making, including profiling, unless the university explicitly provides otherwise in a specific agenda and informs the data subject accordingly.