KAMPUS HYBERNSKÁ, z. ú., ID No.: 09822453, (hereinafter referred to as "Kampus") is an institute within the meaning of Section 402 of Act No. 89/2012 Coll., the Civil Code, as amended (hereinafter referred to as "the Civil Code"). The main activity of Kampus is the creation of a unique community of science, education and the public in the historic centre of Prague, in particular the construction and operation of facilities for education (see Article III of the founding charter of Kampus).
In accordance with Regulation 2016/679 of the European Parliament and the EU Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and on repealing Directive 95/46/ES (hereinafter referred to as "GDPR" or "General Data Protection Regulation"), the following Privacy Policy has been adopted.
The purpose of this policy is to inform data subjects, i.e. visitors to Kampus as well as visitors to our website, about the processing of personal data by Kampus and to inform them about the rights that data subjects may exercise.
1. WHAT IS THE GDPR?
The General Data Protection Regulation, known as GDPR, is a comprehensive set of data protection rules in the European Union. The aim is to protect as much as possible the rights of EU citizens against unauthorised handling of their personal data; to give them more control over what happens with their data. The GDPR will affect anyone who collects or processes personal data of EU citizens. The GDPR became uniformly applicable across the EU on 25 May 2018. In the Czech Republic, it replaced the previous legislation in the form of Directive 95/46/ES and Act No. 101/2000 Coll., on the protection of personal data, as amended.
On 24 April 2019, Act No. 110/2019 Coll., on the processing of personal data, the so-called Adaptation Act, came into force, which implements the GDPR in the Czech Republic.
The GDPR is based on the principle of controller (Kampus) responsibility and a risk-based approach:
- the principle of accountability implies the Kampus' responsibility to comply with the processing principles set out in Article 5(1) GDPR, with Kampus being able to demonstrate this compliance (Article 5(2) GDPR);
- the risk-based approach means that Kampus must take into account the likely risks to the rights and freedoms of natural persons, in particular visitors to Kampus, and must adapt the security of personal data accordingly, i.e. put in place appropriate technical and organisational safeguards.
Important concepts
Processing of personal data is any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated processes, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, restriction, erasure or destruction.
Personal data is any information relating to an identified or identifiable natural person (for example, name, gender, age and date of birth, personal status, IP address, photograph, email address, telephone number, etc.). Sensitive data is a special category of personal data, which includes data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health condition, sexual orientation and criminal offences or convictions.
A data subject is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. WHO IS THE DATA CONTROLLER?
Contact details of the controller (Kampus):
The controller is the person who determines the purposes and decides how the personal data will be processed. In this case, it is KAMPUS HYBERNSKÁ, z. ú., ID No.: 09822453, with registered office at Hybernská 998/4, Nové Město, 110 00 Prague 1.
- KAMPUS HYBERNSKÁ, z. ú.
- z. ú.Hybernská 998/4110 00 PRAGUE 1
- E-mail: gdpr@kampushybernska.cz
- Data mailbox ID: 5vh5yde
3. WHO IS THE DATA PROTECTION OFFICER?
Kampus has not appointed a data protection officer.
4. FOR WHAT PURPOSE DO WE PROCESS YOUR PERSONAL DATA?
Each processing of personal data has a purpose. If we do not need the personal data, we do not process it.
In general, the purposes of processing personal data are distinguished into purposes for which the GDPR does not require your consent (this is in particular processing in the performance of legal or contractual obligations, or for processing which is necessary for the protection of rights and legally protected interests) and purposes for which the GDPR requires your consent (processing of personal data at your request, where we will stop processing personal data as soon as you withdraw your consent).
The following activities involve the processing of personal data that does not require your consent as the personal data is processed on the basis of Article 6(1)(b), (c) or (f) of GDPR:
- organising social, cultural and educational events - the main activities of Kampus consist of organising social, cultural and educational events, operating exhibition and music venues, in particular the music hall, movie hall, theatre hall and gallery, operating the lecture hall and study room; in connection with these activities, Kampus operates an Information centre to inform visitors about our activities; in connection with these activities, Kampus also carries out publishing activities;
- the operation of workshops, studios, rehearsal rooms, film editing, recording, television, radio and film studios - some Kampus activities are registered by participants (usually for capacity reasons or because they are entrusted with working resources); currently this is mainly the operation of the Circular workshop;
- the operation of the www.kampushybernska.cz website - currently our website uses cookies to ensure the functionality of the website and to gather statistics on website traffic; the website is also used for registration for some events (usually using third party web forms);
- operation of CCTV - the Campus currently operates a CCTV system to protect the property, life and health of visitors and Kampus staff.
We only require your consent if you are interested in receiving the Kampus newsletter to your email address.
Taking photographs of social, cultural and educational events
Reportage photographs and audiovisual recordings may be taken during these events. All photographs, videos, related articles, Facebook, Twitter or other social media posts and statuses will always report solely on the event, depict only polite behaviour in public and are of a reportorial nature; personal data is processed under a reporting licence without the consent of any particular person. In this case, the processing is based on legitimate interest. You therefore have the right to object to such processing pursuant to Article 21 of GDPR. For more information on this processing, please refer to the answer to Question 5.
We may use selected photographs and records for longer-term purposes in annual reports, yearbooks or chronicles, even without your consent. If we wish to use a photograph for long-term marketing purposes, or if we wish to publish it on the internet in the long term (for more than 6 months), then we will ask for your consent to use that photograph.
5. WHAT ARE OUR LEGITIMATE INTERESTS?
Processing that is necessary for the purposes of legitimate interests in accordance with Article 6(1)(f) of GDPR is a very common category of processing. Kampus' legitimate interests include the following interests and values:
- social, artistic and cultural life - the organisation of social, cultural and educational events entails the need to inform the public about these events, e.g. by publishing reportage photographs of events that have already taken place;
- enforcement and protection of Kampus' property and other rights - protection of Kampus' reputation and goodwill, protection of Kampus' property, enforcement of other rights and legal claims, recovery and sale of debts;
- security and protection of the life and health of visitors to Kampus - in order to protect the life and health of our visitors and employees from unlawful acts, as well as to prevent and clarify civil offences, misdemeanours or criminal offences, we may also process your personal data; we also operate a CCTV system for this purpose;
- environmental protection and sustainable development - sustainable development is a way of developing human society that reconciles economic and social progress with the full preservation of the environment; the main objectives of sustainable development include the preservation of the environment for future generations in the least altered form possible; personal data may also be processed for the purpose of environmental protection and sustainable development; personal data may be used to combat actions that harm the environment or, conversely, in activities that promote environmental protection;
- transparency, efficiency and internal needs of Kampus - we strive to be open, helpful and transparent with our visitors and may therefore provide information about our activities (beyond legal obligations); personal data is processed by our employees in secure information systems; personal data is also processed to improve the efficiency of Kampus and to facilitate communication.
In all these cases, the processing is based on legitimate interest under Article 6(1)(f) of GDPR. In all these cases, you have the right to object pursuant to Article 21 of GDPR.
LEGITIMATE INTEREST: RIGHT TO OBJECT UNDER ARTICLE 21 OF GDPR
Processing that is not a legal or contractual obligation but is carried out on the basis of a legitimate interest is generally considered to be the most risky processing and therefore the GDPR grants you the so-called right to object.
If you become aware or even believe that we are processing personal data in breach of the protection of your private and personal life or in breach of the law (provided that the personal data is processed by the controller on the basis of the aforementioned legitimate interests or is processed for direct marketing purposes, including profiling, or for statistical purposes or for purposes of scientific or historical interest), you can contact us and ask us to explain or remedy the defect. We will decide on your objection within one month.
6. WHAT PERSONAL DATA DO WE PROCESS?
Organisation of social, cultural and educational events
We process the following categories of personal data to ensure your satisfaction:
- application information - if registration is required for the event, then the application form contains basic identification and contact details;
- information from mutual communication - information from email or other communication (SMS, WhatsApp, social media);
- photographs from social, cultural and sporting events or events of vital importance to citizens - these are photographs taken with consent or on the basis of legitimate interest and used on our website or social media profiles, especially Facebook, and in print and electronic media.
Operation of workshops, studios, rehearsal rooms, film editing, recording, television, radio and film studios
We process the following categories of personal data to ensure your satisfaction:
- application information - basic identification and contact data, or data necessary to protect our rights (in case of entrustment of work resources);
- information from mutual communication - information from email or other communication (SMS, WhatsApp, social media);
- billing and transaction data - if the service is chargeable, we require personal data to the extent required by accounting and tax regulations; this also includes information about the agreed billing terms and received payments (e.g. account number, variable symbol).
Operation of the website www.kampushybernska.cz
We process the following categories of personal data to ensure your satisfaction:
- cookies - cookies are text files containing small amounts of information that are downloaded to the user's computer, mobile phone or other device when they visit a website; subsequently, each time they visit the website again, the cookies are sent back to the original website or to another website that recognises cookies; these cookies enable the identification of the device and the correct display of the website to the user, tailored to their individual preferences; we use cookies to optimise the use of the website; we also use them to obtain anonymous, aggregate statistical data to help analyse how the user uses the website; this information helps to improve the structure and content of the website; we do not use cookies for advertising or marketing purposes;
- information from web forms (event registration) - some applications for social, cultural and educational events, or registrations for workshops, studios, rehearsal rooms, film editing, recording, television, radio and film studios may be in electronic form; if it is a third party form, then personal data is also transferred to this third party (in particular to Google via Google Forms);
- sending the Kampus newsletter - if we obtain your email address in connection with an enquiry, application or registration for one of our events, we may use it to send you our newsletter on a regular basis; you may also give us your consent to receive this newsletter; in any case, you can unsubscribe from this service at any time by simply clicking on the unsubscribe request directly in the text of the email; the request will be immediately (automatically) complied with.
Operation of the camera system
The recordings from the cameras are processed for a period of 5 days only, solely for the purpose of protecting the life, health or property of visitors or Kampus employees. In the event of a security incident, the recordings are forwarded to the relevant public authorities (usually the Police of the Czech Republic) and possibly to insurance companies. A separate directive on the processing of personal data in the CCTV system has been adopted for the operation and security of the CCTV system.
7. HOW WAS THE PERSONAL DATA OBTAINED?
We obtain personal data from various sources
- directly from you from completed application forms or web forms - these are usually paper forms, but may also be electronic forms; we try to put a notice on all forms that personal data is being processed with reference to this Privacy Policy;
- directly from you from our mutual communication - if you contact us by post or email, we will only process the personal data you provide for the purpose for which you provided it and subsequently for archiving purposes in the public interest;
- directly from you from contracts entered into - where a contract has been entered into, we will retain the data for the duration of the contract and subsequently for the purpose of protecting rights under that contract for the duration of statutory limitation and prescription periods.
Information directly from you
If personal data has been obtained directly from you, then we are obliged to provide you with information in accordance with Article 13 of GDPR. This includes information on the identity and contact details of the controller, the contact details of the data protection officer, the purposes of the processing for which the personal data are intended and the legal basis for the processing, the legitimate interests of the controller or of a third party where the processing is based on Article 6(1)(f) of GDPR, the recipients or categories of recipients of the personal data, if any, and the controller's intention to transfer the personal data to a third country or an international organisation, and the existence or absence of a Commission decision on adequate protection or, in cases of transfers referred to in Articles 46 or 47 or the second subparagraph of Article 49(1) of GDPR, a reference to appropriate safeguards and means to obtain a copy of the data or information on where the data have been disclosed.
All of this information can be found in this Policy.
8. HOW LONG WILL WE KEEP THE PERSONAL DATA?
The duration of processing depends on the legal title:
- in the case of consent to the processing of personal data [processing based on Article 6(1)(a) of GDPR] - for as long as agreed in writing or for as long as the purpose for which consent was given continues; no longer than until the consent is withdrawn;
- in the case of the conclusion and subsequent performance of a contract with Kampus [processing based on Article 6(1)(b) of GDPR] - for the duration of the contract, or for the duration of the implementation of measures taken before the conclusion of the contract at your request;
- in the case of processing in the performance of legal obligations to which Kampus is subject [processing based on Article 6(1)(c) of GDPR] - for the duration of the relevant legal obligation; personal data will never be retained for longer than the statutory maximum;
- in the case of processing on the basis of legitimate interest [processing based on Article 6(1)(f) of GDPR], personal data that are relevant for the exercise of the legitimate interests of the municipality will be kept for as long as they can fulfill their purpose - this period is often based on statutory limitation or prescription periods; in the case of reportage photographs, this will generally be a period of six months.
In the case of processing based on consent, you have the option to withdraw your consent at any time. However, the withdrawal of consent does not affect the lawfulness of processing based on consent given before the withdrawal.
In the case of processing on the basis of legitimate interest, you have the possibility to object to the processing pursuant to Article 21 of GDPR. If the objection is granted, the documents containing personal data will be destroyed or, if required by law, transferred for archiving.
9. WILL WE PASS ON PERSONAL DATA TO ANYONE ELSE?
Personal data may be transferred to the following recipients or processors:
- businesses providing professional and consultancy services, in particular accountants, lawyers, bailiffs, tax advisors, forensic experts or public procurement administrators;
- companies providing printing, archiving, shredding and distribution of printed materials, e.g. in the case of printing of promotional materials, photographs, ensuring the destruction of documents (shredding) and printing of shredding and transfer reports;
- the public for the purpose of informing about social, cultural and sporting events in the municipality - this includes information on our website or social media profiles, especially Facebook, and in print and electronic media;
- the public for the purpose of openness and transparency, e.g. in the case of providing information under the Freedom of Information Act, disclosure of intentions to sell property - in these cases, personal data is generally anonymised to achieve the purpose under specific laws while protecting your personal data.
In no case do we trade or transfer personal data to third parties for direct or indirect marketing purposes.
10. WILL WE TRANSFER PERSONAL DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANISATION?
We do not transfer personal data to countries outside the European Union or the European Economic Area or to any international organisation.
In the event that a transfer to a third country or international organisation should occur, you will be informed of this in the specific case. In such a case, you will be referred to the existence or non-existence of an adequacy decision of the European Commission or, in the cases of transfers referred to in Articles 46, 47 and 49(1) of GDPR, a reference to appropriate safeguards and means to obtain a copy of the data or information on where the data was disclosed.
11. HOW IS PERSONAL DATA SECURED?
We follow several basic security measures as part of our object security. Hard copies of documents containing your personal information are stored in locked file cabinets or in locked offices where they are never left unattended by authorized persons. A CCTV system is installed in Kampus, particularly in areas where there is an increased risk of security breaches.
For personnel security reasons, we have adopted rules for employees and others who are authorized to handle personal information. These are contained in the following documents:
- Directive on the protection and processing of personal data;
- Guidelines for the operation of the CCTV system at Kampus Hybernská; and
- Operating Rules.
All employees handle personal data in accordance with the adopted Data Protection Directive and these basic principles:
- the lawfulness principle - processing of personal data based on legal title in accordance with Article 6 of GDPR;
- the principle of fairness - correct and socially sound use of personal data;
- the principle of transparency - all information on data protection addressed to employees must be concise, easily accessible and understandable, using clear and plain language;
- the purpose limitation principle - collecting personal data only for a clearly specified purpose;
- the data minimisation principle - never process more data than is strictly necessary for the purpose;
- the accuracy principle - the personal data processed must be accurate, i.e. as communicated by the subject, not necessarily true, although the employer must endeavour to do so;
- the principle of storage limitation - personal data shall be stored only for as long as is strictly necessary;
- the principles of integrity and confidentiality - appropriate security of personal data, including protection by appropriate technical or organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage;
- the controller accountability principle - ensuring that appropriate technical and organisational measures are in place to enable the controller to demonstrate that processing is carried out in accordance with the GDPR and data protection rules.
Files are protected by software. Access to electronic data files is secured by passwords in accordance with the access rights settings. Staff have been instructed on how to work with ICT technology resources.
12. IS PERSONAL DATA AUTOMATICALLY EVALUATED?
Personal data is processed in paper or electronic form in a non-automated manner. We therefore do not carry out any automated decision-making.
13. WHAT ARE YOUR RIGHTS IN RELATION TO THE PROCESSING OF PERSONAL DATA?
In accordance with the provisions of Articles 12 to 22 of GDPR, subjects may exercise their rights.
- the right of access to personal data (Article 15 of GDPR) - you can request information about what data we process about you;
- the right to rectification of personal data (Article 16 of GDPR) - you have the right to request the rectification of incomplete or incorrect personal data relating to you; this is without prejudice to the obligation to report changes to personal data and to provide us with correct and complete personal data;
- the right to erasure of personal data (Article 17 of GDPR) - in certain specified cases you have the right to request that Kampus erases personal data; such cases include, for example, that the processed data is no longer necessary for the purposes mentioned above; Kampus automatically erases the personal data itself after the expiry of the period of necessity, i.e. the request is then subject to an individual assessment (despite your right to erasure, Kampus may have an obligation or legitimate interest to retain the personal data); you will always be informed in detail about the processing of the request;
- the right to limit the processing of personal data (Articles 18 and 19 of GDPR) - Kampus will only process your personal data to the extent strictly necessary; however, if you feel that we are going beyond the purposes for which we process personal data as set out above, you can make a request for your personal data to be processed solely for the most necessary lawful purposes or for personal data to be processed in a limited way (only stored); the request will then be subject to an individual assessment and you will be informed in detail about the processing;
- the right to object to the processing of personal data (Article 21 of GDPR) - in cases where personal data is processed on the basis of a legitimate interest, you have the right to object to the processing; in this case, we will carry out a balancing test (proportionality test) in which we will compare the conflicting interests and evaluate the objection;
- the right to lodge a complaint with the Personal Data Protection Office - you may at any time contact the Personal Data Protection Office, located at Pplk. Sochora 27, 170 00 Prague 7, with a complaint regarding the processing of personal data; more information can be found on the website www.uoou.cz.
In the case of processing based on consent, you have the right to withdraw your consent at any time. However, the withdrawal of consent does not affect the lawfulness of processing based on consent given before its withdrawal.
14. HOW CAN I EXERCISE MY RIGHTS?
You can exercise your individual rights directly with Kampus.
Contact details of the controller (Kampus):
- KAMPUS HYBERNSKÁ, z. ú.
- Hybernská 998/4110 00 PRAHA 1
- E-mail: gdpr@kampushybernska.cz
- Data mailbox ID: 5vh5yde
General information on exercising rights
We provide all communications and statements regarding the rights you have exercised free of charge. However, if the request is manifestly unfounded or unreasonable, in particular because it is repetitive, we are entitled to charge a reasonable fee taking into account the administrative costs involved in providing the information requested. In the event of a repeated request for copies of the personal data processed, we reserve the right to charge a reasonable fee for the administrative costs for this reason.
We will provide you with a statement and, where applicable, information on the measures taken as soon as possible and within one month at the latest. We are entitled to extend the time limit by two months if necessary and in view of the complexity and number of requests. We will inform you of the extension, including the reasons for it.