Privacy Policy - Information on the Processing of Personal Data of Prospective Students

1.  Controller of Personal Data

The data controller, Brno University of Technology, Antonínská 548/1, 602 00 Brno, ID No.: 00216305, VAT No.: CZ00216305, is a public university established by law. In the course of its activities, Brno University of Technology processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the repeal of Directive 95/46/EC (General Data Protection Regulation) and in accordance with other legal regulations. In connection with the entry into force of the aforementioned Regulation (hereinafter also “GDPR”), Brno University of Technology (hereinafter also “BUT”) has appointed a Data Protection Officer, Ms. Lucie Schimmelová, M.A. The Data Protection Officer can be contacted at: Brno University of Technology, Gorkého 62/13, 602 00 Brno, email: poverenec@vut.cz.

2.  Purposes of Personal Data Processing

The public higher education institution processes applicants’ personal data for the following purposes:

• receipt and registration of the application for studies,
• administration of the admission procedure and verification of compliance with the admission requirements,
• organisation and evaluation of the admission examination, where it forms part of the admission procedure,
• issuance and delivery of the decision on admission or non-admission to studies, including related procedural acts,
• enabling the applicant to exercise their rights in the admission procedure, in particular the right to inspect the file and the handling of remedies,
• fulfilment of registration, notification, statistical and other legal obligations of the public higher education institution towards authorised entities,
• records management, archiving, and protection of the rights of both the public higher education institution and the applicants,
• possible transfer of relevant data into the study administration agenda, if the applicant is admitted and enrols in studies.

The admission procedure, admission requirements, application requirements and the transfer of data to the Ministry are governed in particular by Act No. 111/1998 Coll., on Higher Education Institutions, especially Sections 49, 50 and 87(1)(i).

3. Legal Basis for Processing

Applicants’ personal data are processed mainly on the following legal bases:

• Article 6(1)(c) GDPR – compliance with a legal obligation to which the controller is subject,
• Article 6(1)(e) GDPR – performance of a task carried out in the public interest or in the exercise of official authority.

The legal basis is, in particular, Act No. 111/1998 Coll., on Higher Education Institutions, as amended, and other related legal regulations governing the activities of the public higher education institution, the conduct of the admission procedure, decision-making on admission to studies, delivery of documents, records management, archiving, and the fulfilment of obligations towards public authorities. The GDPR also lays down the legal bases under Article 6(1)(c) and (e).

Where special categories of personal data are processed in a particular case, especially data concerning health, this is done only where necessary and where there is a corresponding legal basis under the GDPR and related legal regulations.

4.  Scope of Personal Data Processed

The public higher education institution processes, in particular, the following personal data of applicants for studies:

a) Identification and Contact Data

First name, additional first names where applicable, surname, academic titles, personal identification number, if assigned, permanent residence address in the Czech Republic, residential address outside the Czech Republic, and where applicable a correspondence address if provided by the applicant; in the case of foreign nationals also date of birth, sex, residence in the Czech Republic and citizenship, or the state in which they have permanent residence; email address and telephone number, where these are used for communication with the applicant in the admission procedure. The mandatory particulars of the application are governed by Section 50 of the Higher Education Act.

b) Data on Previous Education

Data on completed secondary, higher professional or higher education, data on previous studies, data on the field of education or completed educational programme, the year of passing the school-leaving examination or final examination, data on foreign education, documents proving compliance with the basic admission requirements, and other data necessary to assess whether the admission requirements have been met.

c) Data Related to the Admission Procedure

Data on the study programme, specialisation, mode and type of study for which the applicant is applying, data on the course of the admission procedure, data on the results of the admission examination or other verification of compliance with the admission requirements, data on the applicant’s ranking, on the decision issued, and on other procedural acts in matters relating to admission to studies. Admission requirements and decision-making in the admission procedure are governed by Sections 49 and 50 of the Higher Education Act.

d) Other Data

Data on compliance with additional admission requirements relating to certain knowledge, abilities, aptitude or academic performance, and in justified cases also data on medical fitness or health status and the applicant’s specific needs, where such requirement or need is laid down by law, by the admission requirements, or is necessary to ensure an appropriate course of the admission procedure.

5.  Source of Personal Data

Personal data are obtained primarily directly from the applicant, in particular through the application for studies and documents submitted in the admission procedure.

In justified cases, additional data may be obtained from other authorised entities or from public registers, where required by law or where necessary to verify compliance with the admission requirements.

6.  Recipients of Personal Data

Applicants’ personal data may be disclosed or transferred in particular to:

• employees and bodies of the public higher education institution who need them for the performance of their work or official duties,
• the Ministry of Education, Youth and Sports to the extent stipulated by legal regulations,
• processors providing technical and organisational services for the public higher education institution,
• other public authorities or other entities, where required by law or by a binding decision of the competent authority.

Under the law, the Ministry is authorised to collect and use information on applicants for studies, and higher education institutions are obliged to transfer such data in the prescribed structure and form.

Where an external provider of testing or results verification is used in a specific admission procedure, the necessary personal data may be transferred to that entity to the extent required for the provision of the service and in accordance with the relevant legal and contractual arrangements.

7.  Transfers of Personal Data to Third Countries

As part of the ordinary admission procedure, applicants’ personal data are not transferred to third countries or international organisations, unless such transfer results from a specific service or international cooperation. In such a case, the applicant will be provided with separate information in accordance with applicable legal regulations.

8.  Retention Period of Personal Data

Applicants’ personal data are retained for the period necessary to fulfil the above purposes, in particular for the duration of the admission procedure, further for the duration of remedies, control and review mechanisms, and subsequently for the period stipulated by the records retention and disposal plan of the public higher education institution and by legal regulations governing records management and archiving.

If the applicant is admitted and enrols in studies, the relevant personal data become part of the study administration agenda and are further processed under the regime applicable to students’ personal data.

9.  Rights of the Data Subject

Under the conditions laid down by the GDPR, the applicant for studies has the right to:

• request access to their personal data,
• request rectification of inaccurate personal data,
• request completion of incomplete personal data,
• request restriction of processing,
• object to processing where the processing is based on Article 6(1)(e) GDPR,
• lodge a complaint with the supervisory authority.

The right to erasure is not absolute and does not apply to the extent that processing is necessary for compliance with a legal obligation of the controller or for the performance of a task carried out in the public interest or in the exercise of official authority. The right to data portability does not apply to the extent that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. These limitations follow directly from the GDPR, in particular Articles 17 and 20(3).

Requests to exercise the rights of the data subject may be submitted using the contact details of the controller or the Data Protection Officer listed above.

10.  Right to Lodge a Complaint

The applicant for studies has the right to lodge a complaint with the supervisory authority, which is:

Office for Personal Data Protection Pplk. Sochora 27 170 00 Prague 7

11.  Automated Decision-Making

In the course of the ordinary admission procedure, no decisions are made based solely on automated individual decision-making, including profiling, unless the public higher education institution explicitly provides otherwise in a specific agenda and informs the applicant accordingly.