1. Purpose of Information
In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”, the University of South Bohemia in České Budějovice informs those whose personal data is being processed (hereinafter “Data Subjects”) on the conditions under which personal data is processed.
2. Personal Data Controller
This information concerns cases when the University of South Bohemia in České Budějovice, with its registered seat at Branišovská 1645/31a, 370 05 České Budějovice, the Czech Republic (hereinafter the “USB”) is the data controller of your personal data. The USB is a personal data controller in cases where it determines the purpose and means of personal data processing, when it collects, processes and stores such data for the specified purpose, making it legally liable for this activity.
The USB is a public university established pursuant to Act No. 111/1998 Coll., on Higher Education (hereinafter the “Higher Education Act”), and as such it freely and autonomously conducts educational and related scientific, research, developmental and innovative, artistic and other creative activities, as well as other related activities.
3. Data Protection Officer
4. Principles of personal data processing
The USB regards personal data protection as important and pays significant attention to it. Your personal data shall only be processed to the extent necessary for the activities of the university, or, as the case may be, in connection with the services you use at the USB. We protect personal data to the maximum extent possible and in compliance with applicable legal regulations. Principles and procedures for data processing at USB are governed by the measure of the rector laying down rules for the protection and processing of personal data. Among other things, the USB’s internal standards lay down the obligation of all employees as far as personal data processing is concerned and their obligation to respect the principles which follow from the GDPR Regulation, specifically:
- The Legality Principle imposes the obligation to process your personal data in compliance with legal regulations and based on at least one legal title.
- The Principle of Fairness and Transparency imposes the obligation to process your personal data openly and transparently and to provide information on the manner of its processing together with informing you about who your personal data shall be disclosed to. This also includes our obligation to inform you about cases of serious data security breaches or privacy compromises.
- The Principle of Purpose Limitation which requires that we only collect your personal data for a clearly defined purpose.
- The Principle of Data Minimisation which imposes the obligation to process only personal data which is necessary, relevant and reasonable as far as the purpose of their processing is concerned.
- The Principle of Accuracy which imposes the obligation to adopt all reasonable measures making it possible to ensure regular updating or correction of your personal data.
- The Principle of Limitation of Storage which imposes the obligation to keep your personal data only for the period necessary for the specific purpose of its processing. Therefore, as soon as the period for processing elapses or the purpose for processing ceases, we shall erase or anonymise your personal data, which means we shall modify the data so that it is not possible to trace it back to you personally.
- The Principle of Integrity and Confidentiality, Non-repudiation and Availability which imposes the obligation for us to safeguard and protect your personal data from any unauthorised or unlawful processing, loss or destruction. For these reasons, we have adopted numerous technical and organisational measures to protect your personal data. We also make sure that only authorised employees have access to your personal data.
- The Principle of Accountability which imposes the obligation for us to be able to prove that the conditions listed above have been met.
5. For what purposes do we process personal data?
In fulfilling its mission, the USB processes personal data for the following purposes:
- Educational activities
- Admission procedures
- Student exchange visits
- Life-long learning and internationally recognised courses
- Library services
- Scientific and research activities, development activities and creative activities
- The implementation of projects
- Organising expert conferences
- Publications and publishing activities
- Habilitation and professorial procedures
- Administration and operation of the organisation
- Human resources and payroll
- Economics and Accountancy
- Public contracts
- Asset management
- Operational agenda
- E-infrastructure (computer and data storage systems, computer networks, electronic mail, voice networks)
- USB identification cards
- Protection of property and safety
- CCTV systems
- Access to secured areas
- Security surveillance of the operation of the computer network
- Processing of security incidents
- Commercial Activities
- Shopping centre
- USB e-shops
- Catering and accommodation services
- Language education
- Other contractual commercial activities
- Outreach and promotional activities
- Marketing and promotion
- Graduates (graduate club, etc.)
- Children’s university
- Information and consultancy activities (e.g. in the field of studies and career choice, psychological counselling, etc.)
6. Categories of persons whose personal data we process
- Employees (persons in a labour-law relationship with the USB and job applicants)
- Students, participants in the Lifelong Learning programme, in internationally recognised courses and participants in exchange study stays
- Candidates (persons participating in the admission procedure for studying at the USB)
- Participants under the habilitation procedure and the procedure for being appointed full professorship
- External staff (persons without a labour-law relationship with the USB involved in educational, research, contractual and other activities at the USB)
- Members of bodies and committees established by the USB (Scientific Board, Board of Trustees etc.)
- Persons participating in research (persons involved as study subjects in research activities and projects)
- Contractual and project partners, customers, visitors at events organised by the USB
- Persons whose personal data is recorded by CCTV systems operated by the USB
7. Categories of personal data processed
The USB processes both personal data provided directly by individuals (based on their consent or on other legal grounds), or, as the case may be, data provided or acquired in compliance with legal regulations from other entities or from other sources (e.g. public registers), and other personal data created as part of processing activities and necessary for securing it. This might entail the following categories of personal data:
- Addresses and identification data (name, surname, date and place of birth, marital status, birth identification number, title, citizenship, address (including e-mail address), phone number, personal identification card number, digital identifier, signature etc.)
- Descriptive data (education, knowledge of foreign languages, professional qualifications, knowledge and skills, number of children, portrait photograph, video/audio recording of a particular person, military service, previous employment, health insurance company, membership in interest organisations, information on criminal record, etc.)
- Data related to studies (study records and records on study activities, academic results, academic awards)
- Economic data (bank details, salary, bonuses, fees, liabilities and receivables, orders, purchases, taxes, etc.)
- Employment data (records on work and work activities, employer, workplace, job classification and job title, work assessment, work awards etc.)
- Operational and localisation data (typically, this is data obtained from electronic systems relating to a specific data subject – such as data on the usage of information systems, on data traffic and electronic communications, on telephone usage, on access to various areas, CCTV footage, etc.)
- Data on the activities of the Subject (publishing activities, data on professional activities, participation at conferences, participation in projects, data on business and study trips, etc.)
- Data on another person (address and identification details of a family member (husband/wife), child, partner, etc.)
- Special categories of personal data (sensitive personal data containing information about medical condition, labour union membership, etc.). These are at all times collected in compliance with the principle of data minimization and strictly under the requirements laid down by law.
8. Legal grounds for personal data processing
Processing of personal data in the course of the activities stated above takes place based on adequate legal grounds. There are different legal grounds for the individual types of activities carried out by the USB. In general, these include:
- Discharge of a legal obligation of the controller: In this case, we need your personal data in order to process it for purposes of discharging our obligations as laid down by law. In particular, this concerns processing pursuant to the Law on Higher Education, Act No. 130/2002 Sb., on Support of Research and Development from Public Funds; Act No. 262/2006 Sb., the Labour Code; Act No. 563/1991 Sb., on Accounting, Act No. 127/2005 Sb., the Law on Electronic Communications, as amended; Act No. 480/2004 Sb., on Certain information Society Services; Act No. 181/2014, on Cyber Security and Other Legal Regulations.
- Data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authorities vested in the controller. This concerns cases when the USB is acting as a public authority, i.e. an authority entitled to make decisions on the rights and obligatios of persons, or one entitled to otherwise interfere in their sphere. Above all, this concerns processing pursuant to the Law on Higher Education.
- Performance of a contract, adopting measures before the execution of a contract upon your suggestion: In this case, we need your personal data in order to enter into a contractual relationship and ensuring the performance ensuing from it, or, as the case may be, even before the contract is concluded.
- Consent of the data subject: The consent you have granted to us to process your personal data for one or more specific purposes;
- A legitimate interest of the controller, consisting particularly in the following:
- the protection of property and the prevention of fraud,
- the transfer of personal data between different parts of the university for administrative and operational purposes,
- ensuring computer network security and information security.
- The necessity of processing to protect the vital interests of a data subject or a natural person (However, this reason for processing would be rare or exceptional).
9. Transfers of personal data
In order to meet its statutory obligations, the USB may transfer selected data to specified subjects (such as public authorities). Similar considerations apply in cases when authorisation to transfer personal data outside the USB is given by individual consent of data subjects.
10. Period of personal data retention
Personal data is kept only as long as it is strictly necessary as far as a particular data processing activity is concerned and it is disposed of or archived in compliance with applicable data shredding plan. Any personal data which is processed with your consent shall be kept only for the duration of the purpose for which the consent was granted.
11. The exercise of rights by Data Subjects
The Data Subject is entitled to exercise their rights under GDPR through the Data Protection Officer of the USB as follows:
- in written form to the following address: Jihočeská univerzita v Českých Budějovicích, Pověřenec pro ochranu osobních údajů (Data Protection Officer), Branišovská 1645/31a, 370 05 České Budějovice, Czech Republic
- by means of the data box of the USB (data box ID: vu8j9dv)
Before processing any request, the USB has the right and obligation to verify the identity of the applicant. Your request will usually be dealt with without undue delay, no later than within the periods laid down by the GDPR.
The document entitled “The Procedure for Processing Requests” covers the procedure and its elements in greater detail.
12. The right to lodge a complaint with the supervisory authority
The Data Subject is entitled to lodge a complaint regarding the processing of their personal data to the supervisory authority, which is Úřad pro ochranu osobních údajů (“The Office for Personal Data Protection”). Contact:
Úřad pro ochranu osobních údajů (The Office for Personal Data Protection)
Address: Pplk. Sochora 27, 170 00 Praha 7
Tel.: 234 665 111
13. Reporting suspected personal data security breaches
Download the form for reporting suspected personal data security breaches
This information is available in Czech and English versions. If there is a discrepancy between the Czech and English versions, the Czech version takes precedence.