Privacy policy
Privacy policy
Dear members of academic community and students
This privacy policy is aimed to provide you with detailed and comprehensive information in light of Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”). This Privacy Policy relates to all data subjects that we process personal data about including students, employees, suppliers, contractual partners and persons located in our premises.
Who is the controller and how can you contact us?
The controller processing your personal data is Univerzita Komenského v Bratislave (Comenius University in Bratislava), with its seat at Šafárikovo námestie č. 6, 814 99 Bratislava 1, Slovak Republic, ID No. (IČO): 00 397 865 (hereinafter referred to as “CU” or “we” or “us”) that is in position of the controller also in cases where faculties of CU or an individual economic units of CU (e.g. libraries, colleges (accommodation facilities), facilities with specific purposes etc.) process your personal data. The controller is in the position of public university pursuant to act n. 131/2002 Coll. on Higher Education as amended and amending of certain acts (hereinafter referred to as “Act on Higher Education”).
In order to strengthen the safeguards and legal guarantees of the rights and freedoms of data subjects in the processing of your personal data, we have appointed a responsible person to oversee the lawfulness and security of the processing of personal data. The responsible person is also your point of contact for any questions or requests regarding the protection of personal data.
Contact information of data protection officer of CU:
e-mail: dpouniba.sk
address of correspondence: Data Protection Officer (DPO), Univerzita Komenského v Bratislave, Centrum informačných technológií UK, Šafárikovo námestie 6, P.O. BOX 440, 814 99, Bratislava I, Slovak Republic.
In the case of some joint projects and collaborations, we may process your personal data jointly with other controllers with whom we have entered into so-called joint controller agreements in accordance with Article 26 of the GDPR, namely the following UK partners:
Identification of joint controllers | Reason for concluding the joint controlling agreement users | Link to more information |
---|---|---|
Slovak Information Agency Service, based at Vajnorská 39, 810 00 Bratislava 1, ID: 00826847 Slovak University of Technology in Bratislava, Vazovova 5, 812 43 Bratislava 1, ID: 00397687 National Safely state office based at Budatínska 30, 851 06 Bratislava, ID: 36061701 Ministry of Defence of Slovak republic, Military Newsletter State based Square General Located at 2,832 47 Bratislava, ID: 30845572
| Providing education and in the Joint Academy of Security Studies. | https://comeniuskurzy.flaw.uniba.sk/akademia-bezpecnostnych-studii/ Table of purposes |
Slovak Academy Sciences, based at Štefánikova 49, 814 38 Bratislava, ID: 00037869
| Scientific research SASPRO2 | https://saspro2.sav.sk/index.html |
Slovak Technical University in Bratislava, based at Vazovova 5, 812 43 Bratislava 1,ID: 00397687 National Institute Education and youth, based at Ševčenkova 11, 85005 Bratislava - Petržalka Municipal District, ID No: 00164348 | Provided by no services Related to preparation at study and provided by supplementary lifelong education within the UNICEF project "Support for pre- school care and inclusive education at relationship to the children of foreigners" | https://nivam.sk/ |
Zentralinstitut für Seelische Gesundheit, Based in J5, 68159 Mannheim German Federal Republic of Germany | IMMERSE research project focused on mental health | https://www.zi-mannheim.de/forschung/abteilungen-ags-institute/public-mental-health/public-mental-health-aktuelle-studien.html#IMMER Investigating Centre Contract (available on request) |
Masaryk University ID: 44992785 Based in Žerotínovo náměstí 9, 601 77 Brno, Czech Republic | Cooperation in the IMPACT project in ERASMUS programme plus to improve the competences of teaching staff | https://www.crz.gov.sk/data/att/3109067.pdf |
Meta Platforms, Inc. | Usage services "Page insights" regarding the usage statistics of our official Facebook profile | https://www.facebook.com/legal/terms/page_controller_addendum?paipv=0&eav=AfY3iouGzpbN2Hs2csvIObhFmSbdR-e6OmD4OHT7laNt8xKm8JfvYct1PJuq_i7Ehf4&_rdr |
LinkedIn Corporation | Usage services "Page insights" relating to the usage statistics of our official LinkedIn profile | https://legal.linkedin.com/pages-joint-controller-addendum |
It is always clear from the main parts of these agreements that the UK will also inform you about the related processing of personal data through this Privacy Policy or the Purposes Table, which is part of the Privacy Policy, and that the UK DPO (dpo@uniba.sk) will always be the common point of contact for any queries relating to the processing of personal data, including the exercise of the data subject's rights.
Why we process personal data?
We need to process personal data in order to be able to carry out our duties and tasks as a public university:
- from generally binding legislation;
- for legitimate or public interests pursued by us;
- from contractual purposes.
For what purposes are we processing your personal data?
| Purpose of processing | Legal basis |
---|---|---|
1. | Study purposes | Performance of a legal obligation (Article 6(1)(c) GDPR). Performance of an important task carried out in the public interest (Article 6(1)(e) GDPR), Consent of the data subject (Article 6(1)(a) GDPR). |
2. | Academic, artistic and literary purposes | Performance of a legal obligation (Article 6(1)(c) GDPR). The performance of an important task carried out in the public interest (Article 6(1)(e) GDPR), Legitimate interest (Article 6(1)(f) GDPR) |
3. | Alumni purposes | Consent (Article 6(1)(a) GDPR) Legitimate interest (Article 6(1)(a) GDPR) |
4. | Arranging catering and accommodation | Performance of a legal obligation (Article 6(1)(c) GDPR) Performance of a contract (Article 6(1)(b) GDPR) Performance of an important task carried out in the public interest (Article 6(1)(e) GDPR) |
5. | Provision of services related to the preparation for study and the provision of complementary lifelong education | Consent of the data subject (Article 6(1)(a) GDPR) Contract (Article 6(1)(b) GDPR) |
6. | Voluntary disclosure of personal data | Consent of the data subject (Article 6(1)(a) GDPR) |
7. | Fulfillment duties and tasks of a public university schools | Performance of a legal obligation (Article 6(1)(c) GDPR) Public interest (Article 6(1)(e) GDPR) |
8. | Provision of pharmacy and medical care | Compliance with legal obligations (Article 6(1)(c) GDPR) |
9. | Compliance with other statutory duty | Compliance with legal obligations (Article 6(1)(c) GDPR) |
10. | Legal and contractual purposes | Performance of a legal obligation (Article 6(1)(c) GDPR) Performance of a contract (Article 6(1)(b) GDPR) Legitimate interest (Article 6(1)(f) GDPR) |
11. | Protection of property, order and security | Legitimate interest (Article 6(1)(f) GDPR) |
12. | Security personal data and IT systems | Fulfillment of legal obligations (Article 6(1)(c) GDPR) Legitimate interest (Article 6(1)(f) GDPR) |
13. | Personnel and payroll purposes | Compliance with legal obligations (Article 6(1)(c) GDPR) Legitimate interest (Article 6(1)(f) GDPR) |
14. | Marketing and PR purposes | Consent of the data subject (Article 6(1)(a) GDPR) Legitimate interest (Article 6(1)(f) GDPR) |
15. | Statistical purposes | Legal bases for the above compatible purposes of processing personal data (Recital 50 GDPR in conjunction with Article 89 GDPR) |
16. | Archival purposes | The legal bases for the above-mentioned compatible purposes of processing personal data (Recital 50 GDPR in conjunction with Article 89 GDPR), in particular the fulfilment of legal obligations (Article 6(1)(c)) GDPR) and legitimate interest (Article 6(1)(f) GDPR) |
17. | Contributing to the protection of life and limb in the search for missing members of the academic community | Legal basis protection of vital interests (Article 6(1)(d) GDPR (Recital 46 GDPR) |
|
A more detailed explanation of the purposes, public interests and legitimate interests we pursue when processing personal data is available in the Description of the main processing operations, legitimate interests and public interests of Comenius University in Bratislava. Table of purpose
The underlined text represents a public interest or legitimate interest to which you have the right to object.
Who do we provide your personal data to?
We take the confidentiality of your personal data very seriously and have put in place rules to ensure that your data is only shared with authorised recipients who are bound by confidentiality and instructions from our staff, PhD students, members of academic bodies or other internal collaborators who may have access to your personal data on a need-to-know basis, which is usually limited by the function, role, level of access rights assigned to the IT systems of the specific recipient. We also use a variety of service providers and partners to help us provide various activities necessary for the proper functioning of a public university. These recipients of personal data may process your personal data for us as processors, but they may also be in the capacity of independent controllers. The categories of recipients of your personal data, depending on the purpose of the processing, are as follows:
• Rectorate of Comenius University, faculties of Comenius University and other parts of Comenius University;
• Payroll and accounting processors;
• Meal ticket providers;
• Shipping, courier and postal companies;
• Notaries and the Notary Chamber of the Slovak Republic in keeping notarial central registers and auxiliary notarial registers;
• Executors and the Chamber of Executors of the Slovak Republic in maintaining the Register of Executions of the Slovak Republic;
• Lawyers or law firms;
• The opposing party, or a party to the proceedings other than the UK, and their legal representatives;
• Translators, interpreters, experts;
• Professional advisors and financial auditors;
• Marketing, advertising, media and PR agencies;
• Pension management company;
• Retirement supplementary savings companies;
• Health insurance companies;
• Insurance companies;
• Banks;
• Social Insurance Office;
• Occupational Health Service;
• Providers of OSH, fire protection and civil protection services;
• Social network operators and YouTube;
• Ministry of Education, Research Development and Youth of the Slovak Republic and organisations under its jurisdiction such as the Centre for Scientific and Technical Information (CVTI), Scientific Grant Agency of the Ministry of Education, Research Development and Youth of the Slovak Republic (VEGA);
• Non-governmental non-profit organisations and civil associations (e.g. Slovak Academic Information Agency, National Agency for Lifelong Learning);
• Scientific institutions and centres of excellence (e.g. the Slovak Academy of Sciences);
• Commercial companies and other legal entities participating in the scientific research activities of the Comenius University or participating in scientific research projects in incubators, science parks and centres of excellence established by the Comenius University;
• Other universities and colleges, especially in providing student or teaching mobility and international or scientific-research or organisational cooperation with the UK;
• Institutions participating in the Erasmus+ student mobility programme, in particular the European Commission, the European Commission's Education and Culture Executive Agency and the Slovak Academic Association for International Cooperation (SAAIC);
• Organisations funding some other specific international student mobility programmes (e.g. Nippon Foudation);
• International organisations and international networks of collaborating universities of which the UK is a member (e.g. Utrecht Network, UNICA, EUA, DRCI, EFOS, etc.);
• Carriers in road transport, public transport, rail transport accepting ISIC / ITIC cards;
• Standard software providers (e.g. Microsoft);
• Cloud service providers;
• Providers of data integration services for the use of ISIC / ITIC cards (TransData, s.r.o.);
• ISIC / ITIC licence provider (CKM 2000 Travel s.r.o.);
• Providers of software license compliance checking services;
• Providers of thesis originality checking services;
• Service providers for AIS2 development, testing, enhancement and support;
• Providers of reprographic services for students;
• Private security service providers;
• VOIP telephony service providers;
• Providers of national comparative examination services that supplement or replace entrance examinations;
• Service providers in the field of support for the organisation of various academic events;
• Internet service providers;
• National Agency for Network and Electronic Services in connection with the provision of electronic mailbox services and other "e-government" services in electronic communication with public authorities;
• University physical education units, sports clubs, academic arts ensembles and university pastoral centres, student organisations and societies operating within the UK, where necessary for their support.
• Authorities entitled to control the use of investments, subsidies and non-repayable financial contributions from public finances and EU sources (e.g. the Office of the Government of the Slovak Republic as the coordinating and implementing body for the recovery plan, the Supreme Audit Office of the Slovak Republic)
If we use processors to process your personal data, we verify that they meet the organisational and technical requirements for ensuring the security of the processing of your personal data under the GDPR before we appoint them. If we are asked by a public authority to disclose your personal data, we examine the conditions set out in the legislation for disclosure and do not disclose your personal data without verifying that the conditions are met.
Is there a cross-border transfer of personal data to third countries?
As a standard practice, we seek to limit any cross-border transfers of personal data to third countries outside the European Economic Area (i.e. outside EU Member States, Iceland, Norway and Liechtenstein) unless it is unavoidable. This is because these third countries may not provide an adequate level of protection for personal data under European Commission decisions. However, in some cases such transfers do occur. Your personal data may be transferred to a third country in particular, where you are applying to the UK for cross-border mobility under available student or staff mobility schemes that allow study and/or work placements at foreign universities and/or where you require the UK to send confirmation of satisfactory completion of a programme of study at the UK in relation to a foreign employer or institution.
Transfers of personal data may take place without restriction within the European Economic Area and the following countries which currently provide an adequate level of protection for personal data under EU Commission decisions: the Principality of Andorra, Argentina, the Faroe Islands, Guernsey, Israel, Jersey, New Zealand, Canada (commercial organisations), the Isle of Man, Switzerland, the Eastern Republic of Uruguay, Japan, the United Kingdom of Great Britain and the Republic of Korea (so-called South Korea).
A transfer to any other third country constitutes a cross-border transfer of personal data to a third country that does not guarantee an adequate level of protection. Where such a transfer is necessary, we seek to achieve adequate safeguards under Article 46 of the GDPR that bind the recipient of the personal data in the third country to an equivalent data protection regime as applies in the EU. This most often involves the conclusion of so-called standard contractual clauses approved by the EU Commission, if objectively possible. If this is not possible, we have to follow the exceptions for specific situations under Article 49 GDPR. This most often involves your consent to the transfer or performance of a contractual relationship. In such cases, you are informed individually and specifically about the third country or the data importer from the third country.
As a result of using the services of certain recipients of personal data, the UK carries out cross-border transfers of personal data to the United States of America (USA). The US as a whole does not have adequate third country status, but under a recent Commission decision, US companies can again apply for adequacy status through certification. Certain UK partners have been granted adequacy status, with transfers therefore taking place directly on the basis of the relevant Commission Decision. In case of a possible future invalidation of that decision, we also provide information on the adequate safeguards we have historically used, under Article 46 and Article 47 of the GDPR, in the run-up to the Commission's decision on the Data Privacy Framework:
In the table below, you can find a link to adequate or appropriate safeguards and means of exercising your rights under the GDPR :
Supplier | Privacy policy adopted by importers of personal data | Decision adequacy in the sense of Article 45 GDPR | Appropriate specific legal safeguards within the meaning of Article 46 GDPR and Article 47 GDPR |
---|---|---|---|
Meta, Inc. Facebook | https://www.facebook.com /policy.php | Yes, acceding to the guarantees "Data Privacy Framework" can be verified here: https://www.datapri vacyframework.gov /list | Standard contractual clauses approved by decision of European Commiss ion (2010/87/EC of 5 F e b r u a r y 2010) and the new standard contractual clauses (Module 3) inserted in Facebook's European Data Transfer Supplement as well as additional measure s explained here:
|
Google, LLC. /Google Analytics | https://policies.google.co m/privacy?hl=en-US | Yes, you can verify your adherence to the "Data Privacy Framework" guarantees here: | The new type of standard contractual clauses approved by the European Commission Decision (Module 1 and Module 2) and appropriate additional measures, together with an explanation of the appropriate settings for Google Analytics. |
Google, LLC. /YouTube | https://policies.google.com/pr ivacy?hl=en-US | Yes, you can verify your adherence to the "Data Privacy Framework" guarantees here: | New type of standard contractual clauses (Module 2) incorporated into the DPA contract for cloud services (and additional measures taken to secure cloud services. |
Kit United/ Hiverbite | https://hivebrite.com/priva cy-policy | N/A | New type of standard contractual clauses (Module 3) incorporated into the DPA contract for the Hiverbite platform and additional measures taken by authorised sub- processors. |
Microsoft, Inc. | https://privacy.microsoft.c om/en- us/privacystatement | Yes, you can verify your adherence to the "Data Privacy Framework" guarantees here: | New type of standard contractual clauses (Module 2 and 3) incorporated into the DPA contract for cloud services for cloud services integrated into Office 365 and additional contractual warranties and other appropriate additional measures taken to secure cloud services. |
Is there automated processing of personal data with legal effect and/or other substantial impact on you?
Automated individual decision-making within the meaning of Article 22 GDPR may occur in the following cases:
Assessment of eligibility for boarding accommodation | |
---|---|
The procedure used | The E-Accommodation system automatically evaluates the success of accommodation applications based on a points system and the evaluation criteria defined in the relevant internal regulations of Comenius University. |
Meaning of | Efficient and fair processing of a large number of requests for Allocation of limited dormitory accommodations in fulfillment of the legal obligations of a public university. |
Anticipated consequences | Accommodation allocation decision (positive/negative). Negative: no allocation of accommodation. |
Originality check of the thesis | |
---|---|
The procedure used | Anti-plagiarism software, which has built its own crowdware corpus that scans publicly available sources and thus retrieves a huge amount of data from other papers and scientific publications from abroad into the repository, while the software evaluates the degree of agreement of the final work with other works in the register. |
Meaning of | Correct determination of the percentage of compliance of the thesis under review with other thesis and academic work in fulfillment of the legal obligations of a public university. |
Anticipated consequences | Correct determination of the percentage of agreement of the thesis under review with other thesis and academic work in fulfillment of the statutory duties of a public university. |
Decision-making on admission to study | |
---|---|
The procedure used | There are different ways of conducting entrance examinations at the UK. Some faculties (e.g. LF UK, JLF UK, PRiFUK, FMFI UK) use software to evaluate the results of the tests that are part of the admission procedure. This data is then processed automatically in the AIS2, where a decision is made on the basis of the data whether or not the admission requirements have been successfully met. Such decision-making concerns only applicants to the above-mentioned faculties, as other faculties use other methods, e.g. (i) without an admission procedure, (ii) on the basis of the results of external examinations, (iii) on the basis of a subjective assessment commissions and talent tests. |
Meaning of | Meaning Comparison of admission results with other applicants. An objective decision on whether to meet or failure to meet the admission criteria. |
Anticipated consequences | Acceptance or non-acceptance to study at defined faculties of Comenius University. |
Under Section 89 of the Higher Education Act, we are obliged to provide accommodation and under Section 63(7) of the Higher Education Act, we are obliged to verify the degree of originality of the final theses. According to Section 6(1)(b) we are entitled to decide on the conditions and number of students admitted. Pursuant to § 56 to § 58 of the Act on Higher Education, the admission procedure is provided by the higher education institution, and the decision on whether or not to admit a candidate to study is made by the dean of the faculty of the UK or the rector of the UK. In the case of the above-mentioned purposes, we rely on the legal basis that is permitted by law. We therefore act in accordance with Article 22(2)(b) of the GDPR, which means, in accordance with Article 22(3) of the GDPR, that the right to: human intervention on the part of the controller; the right to express an opinion; or the right to challenge the decision does not apply. Nevertheless, if we receive relevant requests from data subjects who have legitimate doubts about the correctness of the processing of their personal data when carrying out automated individual decision-making, we will examine these requests in order to verify the objectivity of our decision.
How long do we store your personal data?
We retain personal data for no longer than is necessary for the purposes for which the personal data is processed. In general, the retention period is based on legal regulations. If it does not follow from the legislation, the retention period of your personal data is always determined by us in relation to specific purposes through our internal policies and/or our retention schedule. If we process your personal data on the basis of consent, we are obliged not to further process the personal data for that purpose once consent has been withdrawn. However, this does not preclude that we may continue to process your personal data on another legal basis, in particular to comply with a legal obligation.
The general retention periods of personal data for the purposes of processing personal data as defined by us are as follows:
Purpose of the processing of personal data | General maximum retention period for personal data or criteria for determining it |
---|---|
Study purposes | 50 years from the end of the person's studies in the student register (Section 73(8) of the Higher Education Act). Unnecessary data shall be deleted on an ongoing basis, including after the completion of the study or after a successful objection to the public interest pursued, if the public interest is the legal basis, or after withdrawal of consent, if it is the legal basis for the related processing. |
Academic, artistic and literary purposes | 5 to 10 years, see registry plan. Where the legal basis is a public or legitimate interest, personal data may be erased earlier if an objection is raised where the rights and freedoms of the data subject outweigh the public or legitimate interest pursued by the UK. |
Alumni purposes | Pending objection to a legitimate interest or withdrawal of consent, or after 5 years from the data subject's complete inaction, whichever is the earlier. |
Arranging catering and accommodation | In the case of data for the assessment of entitlement to accommodation processed on the basis of public interest, retention will occur for the duration of the student's entitlement to accommodation and boarding until 3 years have elapsed since the end of the second cycle (if there has been no continuation of the third cycle) or until a legitimate objection to the public interest of the data subject has been dealt with, whichever is the sooner. Data for the performance of the contract and the provision of additional services will only be processed for the duration of the contract. Data collected for accounting and tax purposes will be retained for the statutory period (10 years). Where the legal basis is the public interest, personal data may also be erased earlier, in the event of an objection being met where the rights and freedoms of the data subject outweigh the public interest pursued by UK parties. |
Provision of services related to the preparation for studies and the provision of complementary lifelong learning | Until the consent is withdrawn, if consent is the legal basis, or until the contractual relationship concluded with the data s u b j e c t is properly terminated, including the settlement of all mutual obligations |
Voluntary disclosure of personal data | At most until the consent of the data subject is withdrawn. |
Fulfilling the duties and tasks of a public university | 5 to 10 years, see registry plan. Where the legal basis is a public or legitimate interest, personal data may be erased earlier if an objection is raised where the rights and freedoms of the data subject outweigh the public or legitimate interest pursued by the UK. |
Providing pharmacy and health care | At most until the relevant statutory obligation is fulfilled or the statutory period has expired the time limit, if any, or until the end of the validity of the authorization to practice pharmacy, unless a time limit is set - e.g.: 10 years from the last entry in the narcotic drugs book (OPL book) for prescriptions with a prescription for narcotic drugs and psychotropic substances, 1 year from the dispensing of the medicine to the patient for prescriptions fully reimbursed by the patient, 5 years when keeping records of holders of authorisations for the wholesale distribution of medicinal products for human use and holders of marketing authorisations for medicinal products for human use. If we keep medical records directly, we keep personal data for a maximum of 20 years from the last time healthcare was provided to the person concerned. Part of the personal data recorded in the national health information system "eHealth" is stored as part of the electronic health record for 20 years after the dispensing of the medicine or medical device. This processing of personal data is not the responsibility of the UK, but of the NCZI as an independent controller. |
Fulfilling other legal obligations | For the duration of the legal obligation or until the expiry of the statutory retention period, see the register plan. Generally 5 to 10 years. |
Legal and contractual purposes | Generally 5 to 10 years, see the registry plan. Where the legal basis is a public or legitimate interest, personal data may be erased earlier if an objection is met and the rights prevail. and liberty of the data subject overrides any public or legitimate interest pursued by the UK. |
Protection of property, order and security | In the case of CCTV systems, generally a maximum of 72 hours to 15 days if this is necessary in view of the nature of the processing. |
Security of personal data and IT systems | Maximum 1 year from the creation or recording of the data. Unnecessary data may also be deleted earlier, in the event of an objection which overrides the rights and freedoms of the data subject and the legitimate interest of the data subject interests pursued by the UK |
Personnel and payroll purposes | For the duration of the employment relationship or for the duration of the doctoral student's third cycle of higher education, whereby we may retain selected personal data subsequently and longer until the expiry of the relevant statutory time limits for documents and data included in the employee's personnel file, ranging typically from 10 years from the termination of the employment relationship up to 70 years from the employee's birth. Where the legal basis is a legitimate interest, personal data may be processed until an objection to the processing has been met, if the rights and freedoms in the particular case prevail the person concerned during the duration of his or her employment or doctoral student status. |
Marketing and PR purposes | At most until the consent is withdrawn if the legal basis is consent or until the objection to direct marketing is settled if the legal basis is legitimate interest. |
Statistical purposes | For the duration of other processing purposes. Unnecessary personal data shall be anonymised or deleted after the statistical outputs have been produced. |
Archival purposes | After the expiry of the retention periods laid down in the UK's registry plan and the implementation of the decommissioning procedure. Documents of permanent documentary value shall not be deleted, but are further preserved in state archives. |
Contributing to the protection of life and limb in the search for missing members of the academic community | For as long as there is a reasonable need and urgency to protect the life and health of the person concerned. |
Further information on the periods for which we retain personal data can be found in our retention schedule. If you need to specify the exact retention period for personal data for a particular data subject in the context of the nature and purpose of the processing of his or her personal data, please contact the UK Data Protection Officer.
How we collect your personal data?
If the legal basis for the processing of your personal data is consent to the processing of your personal data pursuant to Article 6(1)(a) GDPR, you are never obliged to provide your personal data. The provision of your personal data is based on your free discretion and voluntary action. You have the right to withdraw your consent at any time. Failure to provide personal data should not have any negative and substantial consequences for you, but it may reduce the convenience of using certain services and your information about news. If the legal basis for the processing of your personal data is the conclusion or performance of a contractual relationship pursuant to Article 6(1)(b) GDPR, the provision of personal data is a requirement that is necessary for the conclusion of the contract. Failure to provide personal data may result in the contractual relationship not being concluded. If the legal basis for the processing of your personal data is the performance of our legal obligation pursuant to Article 6(1)(c) GDPR or the performance of a task carried out in the public interest pursuant to Article 6(1)(c) GDPR, we will not process your personal data in accordance with Article 6(1)(c) GDPR.
e) GDPR disclosure of your personal data is a legal requirement. Failure to provide your personal data may result in a task provided within the remit of the academic governing bodies not being able to be carried out, or a decision you ask us to make not being able to be made, or otherwise frustrate the performance of an important task that the UK as a public university carries out in the public interest or is required to carry out as part of its statutory duties. In the case of processing of personal data for the purposes of fulfilling obligations under Act No. 307/2014 Coll. on certain measures related to the reporting of anti-social activities and on amending and supplementing certain acts, the failure to provide the personal data of the whistleblower does not result in the failure to investigate the anonymous complaint. The consequence of submitting an anonymous complaint is that we will not inform you of the outcome of the investigation. If the legal basis for the processing of your personal data is a legitimate interest and we use the legal basis pursuant to Article 6(1)(a)(i) of Directive 95/46/EC for the processing of your personal data, we will not process your personal data in accordance with Article 6(1)(a)(ii) of Directive 95/46/EC.
f) GDPR, you are obliged to accept this processing, but you have the right to object to it. You can find out more about this right in the specially highlighted section below. We may also obtain personal data from other public authorities or from publicly available registers.
What are your rights when processing personal data?
"If we process personal data about you on the basis of your consent to the processing of your personal data, you have the right to withdraw your consent at any time. You have the right to object effectively at any time to the processing of personal data for direct marketing purposes, including profiling."
"You also have the right to object to the processing of your personal data on the basis of legitimate or public interests pursuant to Article 6(1)(e) and (f) of the GDPR, as explained above."
We care about the protection of your personal data and therefore strive to secure it through individual, modern technical and organizational measures, as well as through the possibility to exercise your data subject rights under the GDPR at any time by means of a request or through the internally developed GDPR Online application, which will be launched in September 2018.
Requests to exercise the right of the data subject may be sent to us electronically or in writing to the contact details of the person responsible as set out above. This procedure is without prejudice to your right to withdraw your consent to the processing of your personal data, which you can always withdraw as easily as you gave it to us (e.g. if you gave consent electronically, you can always withdraw it by email or app without the need to send a written request to the UK head office address), or your right to object by automated means using technical specifications, where available. We recommend that for each request you explain in as much detail as possible what right you are exercising under the GDPR, what your identifying information is (to verify your identity) and/or what purposes and data the request relates to. We must ask for clarification for requests that are too general.
The GDPR lays down general conditions for the exercise of your individual rights. However, their existence does not automatically imply that they will be complied with by us when exercising individual rights, as exceptions may also apply in a particular case, or some rights are linked to specific conditions that may not be met in every case. We will always deal with your request regarding a specific right and examine it in the light of the legislation and our internal policy for dealing with complaints from data subjects. In particular, as a data subject you have:
- The right to request access to personal data under Article 15 of the GDPR that we process about you. This right includes the right to confirm whether we are processing personal data about you, the right to obtain access to that data and the right to obtain a copy of the personal data we are processing about you, where technically feasible;
- The right to rectification and completion of personal data pursuant to Article 16 GDPR if we process incorrect or incomplete personal data about you;
- The right to erasure of your personal data pursuant to Article 17 of the GDPR;
- The right to restriction of processing of personal data pursuant to Article 18 GDPR;
- The right to data portability under Article 20;
- The right to object to legitimate or public interests pursued by us under Article 21 GDPR.
As a data subject, you also have the right to lodge a complaint at any time with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic pursuant to Section 100 of the Personal Data Protection Act. More information can be found at www.dataprotection.gov.sk.
Please note that when processing your request to exercise the data subject's right under the GDPR, we may ask you to verify your identity in a trustworthy manner, especially in cases where there are doubts about your identity. It is our responsibility to prevent the disclosure of personal data about you to an unauthorised person. The process of dealing with your request related to the exercise of your right as a data subject under the GDPR is free of charge. If your request is manifestly unfounded or unreasonable, in particular because it is repetitive, we are entitled to charge a reasonable fee that takes into account the administrative costs.
How do we protect your personal data?
It is our duty to protect your personal data in an appropriate manner and for this reason we pay due attention to its protection. We have implemented generally accepted technical and organisational standards for this purpose in order to maintain the security of the personal data we process, in particular against loss, misuse, unauthorised alteration, destruction or other impact on the rights and freedoms of data subjects. In situations where sensitive data is transmitted, we use encryption technologies vid e.g. communication with a payment gateway.
Social networks
We encourage you to read the privacy policies of the providers of the social media platforms through which we communicate. Our privacy policy explains only the basic issues related to the management of our profiles. We only have typical administrator permissions when processing your personal data through our profiles. We assume that by using social networking sites you understand that your personal data is primarily processed by the providers of the social networking platforms and that we have no control over and are not responsible for this processing, the onward disclosure of your personal data to third parties and the cross-border transfer to third countries by these providers of the social networking platforms.
We have joint controller status with Facebook in relation to the processing of statistical data on the use of our Facebook profile, and basic information on the joint controller agreement pursuant to Article 26(1) and (2) can be found here: https://www.facebook.com/legal/terms/page_controller_addendum.
Our social plugins are integrated on our website. You can recognize them by the Facebook logo on the website. When you visit our website, Facebook collects the information that you have visited our website with your IP address. If you click on the Facebook icon available on our website when you are logged in and/or registered on your Facebook account, the content of the website is redirected to your Facebook profile. Facebook can then associate your visit to the website with your user account.
We would also like to inform you that we may use services provided by Meta Platforms Ireland Limited, which are referred to as "tailored audience dataset" - audience management for advertising campaigns and may combine the data we process with personal data processed by Facebook and "measurement and analytics", where Facebook processes personal data on our behalf to measure the performance and reach of our advertising campaigns and provide us with reports on users who have seen and responded to our advertising content. Such processing of your personal data may therefore occur if you interact with our advertising content or our website when using your Facebook user profile. In such cases, we use Facebook as an sub-processor to process your personal data we use the following legal safeguards: https://www.facebook.com/legal/terms/businesstools, https://www.facebook.com/legal/terms/dataprocessing.
If you are uncomfortable with the processing of your personal data described above, you can object to it or you can also use the available self-regulatory tools developed for online marketing, which are available here: www.aboutads.info/choices or www.youronlinechoices.eu. These online tools allow you to automatically identify and delete third-party digital identifiers (including those used by Facebook) in your browser, thereby preventing the processing of your personal data.
Our ads will not be targeted to your Facebook or Instagram profiles without your consent. We will also not currently use any services provided by Meta Platforms Irelend Limited that would allow us to serve behavioural advertising based on tracking and evaluating your behaviour on Facebook or Instagram.
Changing the privacy policy
Data protection is not a one-off issue for us. The information we are required to provide you with in respect of our processing of your personal data may change or cease to be up to date. For this reason, we reserve the right to modify and change these terms and conditions to any extent at any time. In the event that we change these terms in a material way, we will bring this change to your attention, for example, by a general notice on this website or a separate notice by email.