Intranet Webmail Helpdesk
Institute of Molecular Genetics of the Czech Academy of Sciences
Institute of Molecular Genetics of the Czech Academy of Sciences

Official Noticeboard

Information provided to data subjects according to the general data protection regulation

Preamble

According to the provisions of Article 12 (1) in conjunction with the provisions of Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter the “Regulation”), any party that processes personal data is obligated to provide the subject of these personal data (i.e. those who are identified or identifiable on the basis of these personal data) with the following information.

I. Data Controller

The data controller is a public research institution called Institute of Molecular Genetics of the Czech Academy of Sciences (in Czech: Ústav molekulární genetiky AV ČR, v. v. i.), Company ID No. 68378050, with its registered office at Vídeňská 1083, Prague 4 – Krč, Post Code 142 20, (hereinafter the “IMG”).

II. Contact details of IMG

As regards the issues concerning personal data processing, it is possible to contact IMG as a data controller, by using the following details:

  • Tel.: +420 241 063 215
  • Fax: + 420 224 310 955
  • E-mail: office@img.cas.cz
  • Data box: 5h4nxm4

The position of the data protection officer, who works for IMG, is held by:

III. Scope of Personal Data Processing

As part of its activities, IMG processes personal data not only of its employees, but also of other data subject, such as:

  • job candidates;
  • interns and students;
  • participants and lecturers of courses organized by the data controller;
  • presenters or participants in conferences and scientific meetings organised by the data controller;
  • people using the infrastructures and services of the data controller (e.g. using the data controller’s laboratory equipment, services related to the housing and breeding of laboratory animals, etc.);
  • visitors – long-term and short-term;
  • workers of companies providing equipment services, building maintenance and other similar services;
  • wport facility users;
  • IMG catering facility users

(hereinafter the “externs”)

The information processed include, in particular, personal data related to recruitment, organization of scientific conferences and courses, access of externalist to informational systems, which IMG uses, related to providing network services, operation of these services and service applications within infrastructure, information and communication technologies, even by remote access VPN – e.g. user names, passwords, identifiers of hardware devices, identifiers of access card  and access code versions, using reservation systems and other systems enabling provision of a possible service etc.

Thus, these data especially include the following:

  1. Identification data (name, surname, title, date of birth etc.)
  2. Contact information (e-mail address, address etc.)
  3. Information related to data subject’s activity (employer or seconding organization, position, scientific focus, specialisation, experiences etc.)
  4. Information related to infrastructure use or use of IMG services (information about used devices including time of use, information about projects and cooperation on projects by the data subjects etc.)
  5. Information related to movement in premises of IMG (videotapes from security cameras, tapes from lectures and conferences, data from access cards etc.)

These information about personal data processing are related to processing personal data of externalists.

IV. Legal Basis and Purpose of Personal Data Processing

IMG processes the above-mentioned data only in accordance with the Regulation (the provisions of Article 6 (1) and the provisions of Article 9 (2)), i.e., on the basis of:

  1. express consent of the person whom the personal data concern (i.e., the data subject);
  2. a contract for the performance of which the processing of personal data is necessary (e.g., contracts for the provision of services);
  3. pre-contract measures and procedures;
  4. fulfilment of obligations arising from the legislation of the Czech Republic or the EU (e.g. archiving documents, providing cooperation to public authorities, etc.);
  5. a legitimate interest of IMG (e.g., the protection of assets of IMG by monitoring reservation systems, by taking security camera recordings);

and for the following purposes:

  1. the use of services provided by IMG for external users, in particular within the framework of inter – institutional cooperation (allowing access to IMG sport’s facility, access to catering facility etc.);
  2. the use of IMG infrastructure by external entities, including the related use of network services, the operation of such systems and service applications within the informational and communicational technology infrastructure enabling both direct and remote access;
  3. new employees recruitment;
  4. organising scientific conferences and lectures, organising specialised courses;
  5. protection of IMG assets;
  6. ensuring the operation of IMG and securing related service and other services, deliveries and works.

Personal data are provided to IMG predominantly by data subjects or by the organisation under which the data subjects belong.

IMG places emphasis on the protection of the personal data it processes. Personal data processing is carried out both manually and via electronic systems by authorized persons who are trained and are bound by the confidentiality obligation. The storage of personal data takes place mainly in electronic form, in paper form, only marginally. The processing of data for the purpose of property protection consists mainly in the acquisition of security camera footage from the premises used by the data controller, as well as in the monitoring of access to IMG infrastructure and the monitoring of accesses and behaviour within the network. All subjects using the IMG information technologies are obliged to comply with technology management rules and behavioural rules within the IMG managed network.

As part of personal data processing, Institute of Molecular Genetics CAS, p.r.i. does not use automated decision-making (including profiling), i.e. predicting aspects in people behaviour by means of computer equipment.

Personal data are processed for the duration that is necessary to achieve the purpose of their processing. In regard for the need of a follow-up of the instructions given and the possible use of equipment and other infrastructure, personal data will be stored for the duration of the projects concerned, but generally not exceeding 5 years.

V. Personal Data Processing Based on the Protection of Legitimate Interests of IMG and the Data Subject’s Right to Object

According to the provisions of Article 6 (1) (f) of the Regulation, IMG has the right, even without prior consent of data subjects (i.e. those whom the personal data concern), to process their personal data for the purpose of protecting its legitimate interests. In this way, IMG processes data related to the monitoring of externalists’ access to the premises and individual rooms of the building, as well as monitoring use of infrastructure, to protect IMG’s tangible and intangible assets, as well as the monitoring of the use of proper conduct of research activities and the use of public funds.

In this respect, IMG may process personal data only on condition that the legitimate interest of IMG (e.g. integrity of ownership) is not overridden by the interests and/or fundamental rights and freedoms of persons whose personal data are to be processed (e.g. privacy protection).

Any person whose personal data are processed for the purpose of legitimate interests of IMG under this Article has the right to file an objection to this processing. In this case, IMG is obligated to perform an assessment of such a legitimate interest.

If an objection raised to personal data processing for the purpose of protecting a legitimate interest is clearly unfounded and/or unreasonable or if it is raised by an insufficiently identified data subject (anonymously), IMG may reject the objection no later than within one (1) month after receipt of the objection IMG shall notify the complainant in writing (where possible) of its decision on the objection and shall state reasons for this decision.

VI. Disclosure of Personal Data to Other Parties (Recipients)

IMG discloses personal data of data subjects as necessary to the following third parties:

  • to the management of the premises, the canteen provider at IMG headquarters, the sports facility operator and other entities providing IMG services to ensure operation;
  • to an external law office, external auditors or other external consultants for the purpose of using legal services, performing an audit or providing other advice;
  • to parties providing server, web, cloud or IT services or to the institute’s business partners;
  • to contractors for the purpose of proper performance of contracts, including cooperation on projects and on research, and to grant providers for the purpose of obtaining grant financing;
  • to government authorities, as well as to other entities, if IMG is obligated to transfer personal data under the statutory provisions;
  • to seconding organisation of the data subject, where the processing is carried out by agreement with the organisation or at their request;
  • to other entities for any other purpose after prior notification to the data subject or at the data subject’s request, to other institutions in case of employee recruitment;
  • to other entities, determined by law (e.g. supervisory authorities, etc.).
VII. Personal Data Retention Period

IMG processes personal data in accordance with the applicable statutory provisions, when the storage period varies for each individual personal data, depending on its specific nature, in particular regarding IMG’s legal obligations (archiving documents, etc.), and e.g. for the period necessary to ensure all rights and obligations arising from the concluded contract (processing of personal data for the purpose of fulfilling the contract), where applicable, from a contract with a third party, in particular a contract for the granting of a subsidy for the acquisition and further use of the infrastructure.

The period of personal data processing for individual specific purposes is governed by the discarding rules of IMG. Personal data are processed only for the period necessary.

The period of processing for a given purpose shall be notified to the data subject upon the start of the processing and shall be repeatedly notified to the data subject at the data subject’s request.

Personal data collected in connection with the recruitment of new employees is processed during the recruitment procedure for the given position. After the end of the recruitment procedure, they are processed only in agreement with the data subject in case of his interest in contacting when the next position is available.

VIII. Rights of Persons Whose Personal Data Are Processed

Any person whose personal data are processed IMG shall have the right, among other rights under the Regulation, to:

  1. withdraw the consent they have given to the processing of personal data;
  2. ask IMG, whether the institute processes personal data on them and ask that the institute provide specific information, as well as access to the personal data;
  3. ask for the correction and completion of personal data if the data are inaccurate or outdated, as well as object to the personal data processing;
  4. ask for the deletion of personal data (disposal of the data and discontinuation of the processing thereof) in the event that:
    • the personal data are no longer necessary for the purpose for which they were collected or processed;
    • the person withdraws their consent if data processing is based on the person’s consent and there is no other legal reason for data processing;
    • the person raises a justified objection to data processing due to legitimate interests of a data controller;
    • the personal data have been processed unlawfully;
    • no parental consent has been given to the processing of personal data of children;
    • it is required by a legal obligation ensuing from the legislation of the Czech Republic or of the EU;
  5. ask for the restriction of processing of their personal data if:
    • the person objects to the accuracy of the data;
    • the processing of these data is unlawful, but instead of their deletion only their restriction is required;
    • IMG no longer needs these data for the purposes of processing, but the person to whom the data processing applies requires these data for establishing, exercising or defending legal claims;
    • the person has objected to data processing and IMG has not yet made a decision on this objection;
  6. ask for the provision of personal data that are processed about the person by IMG in a structured, commonly used and machine-readable format for the purpose of providing these data to another controller, but only if the processing of personal data is based on consent or on a contract and, at the same time, the processing is carried out by automated means (“right to data portability”);
  7. file a complaint about personal data processing by IMG with the Office for Personal Data Protection, with its registered office at Pplk. Sochora 27, Prague 7, Post Code 170 00.
IX. The Procedure of IMG for Handling Requests Submitted by Data Subjects

In most cases, IMG is obliged to respond to requests pursuant to Article VIII made by persons whose personal data it processes within one (1) month from the date of receipt of the request (complaint or objection). In the event of a large number of applications or given their scope, IMG is entitled to extend this period by a further two (2) months. In such a case, however, IMG is obliged to inform the applicant (complainant) within one (1) month of the date of application that they are extending the period.  

Within the specified time limit, IMG shall inform the applicant (complainant) of the measures taken or of their declination. In the absence of a measure, IMG shall inform the applicant of the reasons for such a decision and of the possibility of filing a complaint with the Office for Personal Data Protection and of any other possible procedure.

If the objection raised against the processing of personal data for the purpose of protecting a legitimate interest is manifestly unjustified and/or disproportionate or is made by an insufficiently identified data subject (anonymously), IMG is entitled to refuse it no later than one (1) month from the date of its receipt. It shall inform the complainant in writing of the decision to process the objection by justifying its decision by the IMG. Where a specific application is submitted electronically and the applicant does not expressly request a written copy of the communication, IMG shall also provide a communication on the measures taken and a decision on objections electronically.

All communications at the request of the person whose personal data are processed and the decision on objections shall be provided free of charge by IMG. However, this does not apply if the applications (objections) submitted are manifestly unfounded and/or disproportionate (in particular, if they are repeated). In such a case, IMG may refuse to comply with the request or charge for the communication or action, taking into account the administrative costs associated with it.