Privacy policy

Dear members of the academic community and students,

This privacy policy aims to provide you with detailed and comprehensive information in light of Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”). This Privacy Policy relates to all data subjects whose personal data we process, including students, employees, suppliers, contractual partners and persons located on our premises.

Who is the controller and how can you contact us?

The controller processing your personal data is Univerzita Komenského v Bratislave (Comenius University in Bratislava), with its seat at Šafárikovo námestie č. 6, 814 99 Bratislava 1, Slovak Republic, ID No. (IČO): 00 397 865 (hereinafter referred to as “CU” or “we” or “us”). CU is also in the position of the controller in cases where faculties of CU or individual economic units of CU (e.g. libraries, colleges (accommodation facilities), facilities with specific purposes etc.) process your personal data. The controller is a public university pursuant to Act No. 131/2002 Coll. on Higher Education as amended and amending certain acts (hereinafter referred to as “Act on Higher Education”).

To strengthen the legal guarantees of your rights during the processing of your personal data, we have appointed a data protection officer who monitors the legality and security of personal data processing. The data protection officer is your contact point in case of any requests or questions. Contact information of the data protection officer of CU:

e-mail: dpouniba.sk

address of correspondence: Zodpovedná osoba (DPO), Univerzita Komenského v Bratislave, Centrum informačných technológií UK, Šafárikovo námestie 6, P.O. BOX 440, 814 99, Bratislava I, Slovak Republic.

Why do we process personal data?

Generally, as a university we need to process personal data in order to fulfil the tasks prescribed to us by:

  • generally binding legal regulations;
  • legitimate or public interests that we pursue;
  • our contractual relationships.

For what purposes are we processing your personal data?

Your personal data are processed for the following purposes:

| No. | Purpose | Primary legal ground |
| --- | --- | --- |
| 1. | Personnel & Payroll | Legal obligation pursuant to Article 6 (1) c) GDPR |
| 2. | Employee monitoring mechanisms | Legitimate interest pursuant to Article 6 (1) f) GDPR: monitoring of compliance with employment discipline |
| 3. | Accounting & Tax | Legal obligation pursuant to Article 6 (1) c) GDPR |
| 4. | Academic self-government | Legal obligation pursuant to Article 6 (1) c) GDPR and tasks in public interest pursuant to Article 6 (1) e) GDPR |
| 5. | Fulfilling obligations and tasks of a public university | Legal obligation pursuant to Article 6 (1) c) GDPR and tasks in public interest pursuant to Article 6 (1) e) GDPR |
| 6. | Management and provision of education (educational purposes) | Legal obligation pursuant to Article 6 (1) c) GDPR and tasks in public interest pursuant to Article 6 (1) e) GDPR |
| 7. | Provision of student identity cards | Legal obligation pursuant to Article 6 (1) c) GDPR and tasks in public interest pursuant to Article 6 (1) e) GDPR |
| 8. | Compliance with legal obligations | Legal obligation pursuant to Article 6 (1) c) GDPR |
| 9. | Alumni purposes | Legitimate interest pursuant to Article 6 (1) f) GDPR: retaining contact with alumni |
| 10. | Voluntary publication of personal data | Consent pursuant to Article 6 (1) a) GDPR |
| 11. | Protection of property, order and security | Legitimate interest pursuant to Article 6 (1) f) GDPR: protection of property, order and security |
| 12. | Establishment, exercise or defense of legal claims (legal agenda) | Legitimate interest pursuant to Article 6 (1) f) GDPR: establishment, exercise and defense of legal claims |
| 13. | Management of IT Security | Legal obligation pursuant to Article 6 (1) c) GDPR |
| 14. | Management of rations and accommodation | Legal obligation pursuant to Article 6 (1) c) GDPR and tasks in public interest pursuant to Article 6 (1) e) GDPR |
| 15. | Library and informational purposes (academic library) | Legal obligation pursuant to Article 6 (1) c) GDPR and tasks in public interest pursuant to Article 6 (1) e) GDPR |
| 16. | Scientific research | Article 89 GDPR |
| 17. | Academic, artistic and literary purpose | Sec. 78 (1) of Data Protection Act |
| 18. | Journalistic purposes | Sec. 78 (2) of Data Protection Act |
| 19. | Raising awareness about university (marketing purposes) | Legitimate interest pursuant to Article 6 (1) f) GDPR: raising awareness about a university |
| 20. | Sending marketing communication (newsletter) | Consent pursuant to Article 6 (1) a) GDPR |
| 21. | Contractual relationships | Contract pursuant to Article 6 (1) b) GDPR. |
| 22. | Management of complaints | Legal obligation pursuant to Article 6 (1) c) GDPR |
| 23. | Statistical purposes | Article 89 GDPR |
| 24. | Archiving purposes | Article 89 GDPR in connection with Act on archives and registrars. |

Legitimate interests for processing of personal data that we pursue are:

  • monitoring of compliance with employment discipline;
  • retaining contact with alumni;
  • protection of property, order and security;
  • establishment, exercise and defense of legal claims; and
  • raising awareness about the university.

Who are the recipients of your personal data?

When processing your personal data, we also use the services of verified and contractually bound external business partners and service providers that help us process and protect your personal data. These are so-called processors, who process your personal data for our needs, usually when delivering services that we have ordered for the efficient operations and tasks of CU. If you have questions about the accuracy and completeness of the list of our processors, please contact the data protection officer of CU. Recipients of personal data are also different categories of subjects to whom we provide your personal data, most often in the course of our legal obligations, and/or our own staff with whom you come into contact. Detailed information concerning recipients to whom we may provide your personal data is provided in the table of recipients (.pdf, 81 kB).

What countries do we transfer your personal data to?

By default, we seek not to transfer your personal data outside the EU and/or European Economic Area where not necessary. The reason is that these third countries do not ensure an adequate level of protection of personal data according to the decisions of the EU Commission. However, in some cases, such transfers occur. Your personal data may be transferred to a third country, in particular in cases where you apply to CU for cross-border mobility within the available student or employee mobility programs that allow study and/or work visits to foreign universities, and/or when you ask CU to send confirmation of your study (result) related to a CU study program to a foreign employer or institution. Without limitations, personal data may be transferred within the European Economic Area and to the following countries that currently provide an adequate level of protection for personal data as decided by the EU Commission: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework).

Transfer to any other third countries (or companies not complying with specific sectoral requirements for Canada and the United States) is a cross-border transfer of personal data to a third country that does not guarantee an adequate level of protection. If this is the case and the transfer is necessary, we strive to rely on appropriate safeguards under Art. 46 GDPR, where the recipient of personal data in a third country is bound by a data protection regime equivalent to that in the EU. Most often we use standard contractual clauses approved by the EU Commission, if this is objectively possible. If the use of standard contractual clauses is not possible, we have to follow the exceptions for specific situations under Art. 49 GDPR. Most often, your consent to the transfer or the performance of a contractual relationship is used.

CU also uses secure cloud services of a verified provider with servers located in EU jurisdictions. However, cross-border data transfer to the US may occur on the side of the cloud service provider acting as our processor. This processor is Microsoft Inc., which is certified under a legal guarantee system known as Privacy Shield (URL: https://www.privacyshield.gov/welcome). More information on specific legal safeguards for these cross-border data transfers, including the processing of your personal data, is available in Microsoft's privacy statement (URL: https://privacy.microsoft.com/en-us/privacystatement), and also in the FAQ on the specific legal safeguards used for cross-border transfers of personal data (URL: https://products.office.com/en-us/business/office-365-trust-center-eu-model-clauses-faq).

Do we process your personal data via automated means that produce legal effects concerning you?

Processing operations that would lead to a decision which produces legal effects or similarly significantly affects data subjects in light of Article 22 GDPR are conducted in the following cases:

 

Procedure

Meaning

Expected consequences

Evaluation of a request for college accommodation

The E-ubytovanie system automatically evaluates requests for accommodation based on a points system as prescribed by internal policies of CU.

Efficient and fair processing of a huge number of requests for allocation of the limited capacity of college accommodation as part of fulfilling the legal obligations of a public university.

Decision on allocation of accommodation (positive / negative). Negative: non-allocation of accommodation.

Control of originality of the final thesis

Anti-plagiarism software with its own crowd-ware corpus that scans publicly available sources, gains a vast amount of data from other theses and foreign publications, and evaluates the degree of match with other theses in the registry.

Correct evaluation of the percentage rate of match of a final thesis with other theses in light of the legal obligations of a public university.

Decision about the percentage rate of match (positive / negative). Negative: defense of the final thesis is not allowed due to plagiarism.

In light of sec. 89 of the Act on Higher Education we are obliged to provide the possibility of accommodation, and pursuant to sec. 63 (7) of the Act on Higher Education we are obliged to check the degree of originality of final theses. For the aforementioned purposes, we rely on a legal ground that is authorized by the national legal order. Therefore, our procedure is in line with Article 22 (2) b) GDPR, and in connection with Article 22 (3) GDPR this means that you do not have a right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision. Nevertheless, if we accept a relevant request from a data subject who has legitimate doubts with regard to the accuracy of the processing of their personal data in the context of automated individual decision-making, we will examine the request.

How long do we store your personal data?

We must not and we do not want to store your personal data for longer than necessary for the given purpose of processing. Retention periods are either laid down in the respective laws or set out by us in our internal policies. When the processing of your personal data is based on consent and you decide to withdraw your consent, we will no longer process your personal data for the specific purpose. However, this does not exclude the possibility that we process your personal data on different legal grounds, especially due to our legal obligations.

General retention periods for our purposes are as follows:

| Purpose | Retention period |
| --- | --- |
| Personnel & Payroll | During the employment contract and in compliance with statutory period for retention (usually 5-10 years, in some cases 70 years from the birth of employee) |
| Employment monitoring mechanisms | 4 years |
| Accounting & Tax | 10 years |
| Academic self-government | 5 to 10 years (see registrature plan) |
| Fulfilling obligations and tasks of a public university | 5 to 10 years (see registrature plan) |
| Management and provision of education (educational purposes) | 50 years from end of study of data subject within registry of students (sec. 73 (8) act on Higher Education) |
| Provision of student identity cards | 5 to 10 years (see registrature plan) |
| Compliance with legal obligations | During the existence of legal obligation. 5 to 10 years (see registrature plan) |
| Alumni purposes | Until objection or after 5 years of inactivity. |
| Voluntary publication of personal data | Until the consent is withdrawn. |
| Protection of property, order and security | 5 years. |
| Establishment, exercise or defense of legal claims (legal agenda) | Usually 4 – 10 years (see registrature plan) |
| Management of IT Security | During the existence of other purposes of processing where personal data are processed in IT systems |
| Management of rations and accommodation | During the contractual relationship with data subject to whom accommodation or ration is provided |
| Library and informational purposes (academic library) | 5 to 10 years (see registrature plan) |
| Scientific research | 5 to 10 years (see registrature plan) |
| Academic, artistic and literary purpose | 5 to 10 years (see registrature plan) |
| Journalistic purposes | See registrature plan |
| Raising awareness about university (marketing purposes) | Until the objection, usually 5 years. |
| Sending marketing communication (newsletter) | Until the consent is withdrawn. |
| Contractual relationships | 5 to 10 years (see registrature plan) |
| Management of complaints | 10 years from execution of a complaint |
| Statistical purposes | During the existence of other purposes of processing |
| Archiving purposes | During the periods of retention or archiving |

How do we collect your personal data?

If the legal basis for the processing of your personal data is consent under Article 6 (1) a) GDPR, you are never obliged to provide us with your personal data. The provision of your personal data is at your own discretion and on a voluntary basis. You have the right to withdraw your consent at any time. Non-disclosure of personal data should not have significant negative consequences, but the convenience of using certain services and your news updates may be reduced.

If the legal basis for the processing of your personal data is the conclusion or performance of a contractual relationship under Article 6 (1) b) GDPR, the provision of personal data is a requirement needed to conclude a contract. Failure to provide personal data may result in non-conclusion of a contractual relationship.

If the legal basis for the processing of your personal data is the fulfillment of our legal obligation pursuant to Article 6 (1) c) GDPR or the fulfillment of a task in the public interest under Article 6 (1) e) GDPR, the provision of your personal data is a legal requirement. Failure to provide personal data may result in the task in the public interest within the competence of bodies of academic self-governance not being fulfilled, or in an inability to make the decision that we are asked to make, or it may otherwise diminish our ability to fulfill the important role that CU as a public university performs in the public interest or to fulfill its legal obligations. In the case of the processing of personal data for the purposes of fulfilling the obligations under Act no. 307/2014 Coll. on certain measures related to the notification of anti-social activity and on the amendment of some laws, failure to provide the personal data of the notifier does not result in an anonymous complaint being ignored. The consequence of submitting an anonymous notice is that we will not report the outcome of the investigation to you.

If the legal basis for the processing of your personal data is legitimate interest under Article 6 (1) f) GDPR, you are required to abide by this processing, but you have a right to object to it. You will learn more about this right in a particularly highlighted section below. We may also obtain your personal data from other public authorities or from publicly available registers.

What rights do you have?

You have the right to withdraw your consent at any time.

You also have the right to object to any direct marketing processing of your personal data, including profiling.

You have the right to object to any processing that is based on legitimate interest or public interest pursuant to Article 6 (1) e) and f) GDPR as described above.

It is our obligation to protect your personal data and therefore we strive to provide the protection with individual, modern, technical and organizational measures, as well as through the possibility to exercise your rights of the data subject at any time under the GDPR via a request or through an internally developed GDPR Online application that will run from September 2018.

You may send us requests for the exercise of the rights of the data subject electronically or in writing to the above contact details of the data protection officer. This procedure is without prejudice to your right to withdraw consent to the processing of personal data, which you can always withdraw in the same manner as it was granted (for example, if you have given your consent electronically, you can always withdraw it by e-mail or application without sending a written request to the address of CU), or your right to object by automated means using the technical specifications if they are available. We advise you to explain each request in as much detail as possible, especially in terms of which GDPR right you wish to exercise, what your identification data are (for authentication), and what purpose and personal data the request relates to. If a request is too general, we will ask for clarification.

The GDPR lays down general conditions for the exercise of your individual rights. However, their existence does not automatically mean that a request will be accepted by us, because in a particular case an exception may apply. Some rights are linked to specific conditions that do not have to be met in every case. Your request to exercise a specific right will always be dealt with and examined in terms of legal regulations and applicable exemptions.

Among others, you have:

  • Right to request access to your personal data according to Article 15 of the GDPR. This right includes the right to confirmation of whether we process personal data about you, the right of access to personal data and the right to obtain a copy of the personal data we process about you if it is technically feasible;
  • Right to rectification according to Article 16 of the GDPR, if we process incomplete or inaccurate personal data about you;
  • Right to erasure of personal data according to Article 17 of the GDPR;
  • Right to restriction of processing according to Article 18 of the GDPR;
  • Right to data portability according to Article 20 of the GDPR;
  • Right to object to processing based on legitimate interests or public interest pursuant to Article 21 of the GDPR.

You have a right to lodge a complaint related to personal data with the Office for Protection of Personal Data of the Slovak Republic pursuant to sec. 100 of the Data Protection Act. More information is available on www.dataprotection.gov.sk.

We would like to bring to your attention that while handling your request to exercise the rights of the data subject under the GDPR, we may ask you to verify your identity, especially in cases where there are doubts about your identity. It is our duty to prevent the provision of personal data about you to an unauthorized person. The procedure of handling your request to exercise the rights of the data subject under the GDPR is free. However, if your claim is manifestly unreasonable or inappropriate, in particular because it is repeated, we are entitled to charge a reasonable fee that takes into account the administrative costs of the procedure.

How we protect your personal data

It is our obligation to protect your personal data in an appropriate manner and for this reason we focus on the questions related to protection of personal data. We have implemented generally accepted technical and organizational standards to preserve the security of the processed personal data, especially taking into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. In situations where special categories of data are processed we use encryption technologies e.g. during communication with the payment gateway.

Cookies

Cookies are small text files that improve website usage, e.g. by allowing us to recognize previous visitors when logging in to a user environment, remembering a user's choice when opening a new window, measuring website traffic, or evaluating how the website is used in order to improve it. Our website uses cookies in particular to measure its traffic and ensure the functioning of the website. You can always stop these files from being stored on your device through your web browser settings. Your browser settings are, within the meaning of Section 55 (5) of the Act on Electronic Communications, considered as your consent to the use of cookies on our site. However, blocking cookies may restrict the functionality of certain websites (especially when sign-in is required).

More about cookies on university webpages

Social networks

Please read the relevant privacy policies to better understand the processing of your personal data by the providers of the social media platforms we use. This Privacy Policy only briefly explains basic questions related to the management of our profiles on social media platforms. We only have typical admin control over the personal data processed by us via our own company profile. We assume that by using these social media platforms (e.g. Facebook or YouTube), you understand that your personal data might be processed for other purposes and that your personal data might be transferred to other third countries and third parties by the providers of social media platforms. We are not responsible for the conduct of social network providers.

Changes to this privacy policy

Privacy is not a one-time issue for us. The information we give you with regard to the processing of personal data may change or cease to be up to date. For these reasons we may change this privacy policy from time to time to any extent. In case we change this privacy policy substantially, we may bring such changes to your attention by explicit notice, on our websites or by email.