Personal Data Protection in the Data Stewardship Wizard web portal and its services (DSW)

  1. In compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, further in this text referred to as ‘GDPR’), FIT CTU informs the entities on terms and conditions under which personal data in providing DSW services are processed. Data subjects are natural persons using the services of DSW.
  2. The controller of the personal data as defined by GDPR is Czech Technical University in Prague, Faculty of Information Technology, Thákurova 5, 160 00 Praha 6, Czech Republic, Id.No.: 68407700, Tax id. no.: CZ68407700 (further in this text referred to as "FIT CTU").
  3. the Data Stewardship Wizard web portal and its services (further in this text referred to as "DSW") is a public web portal providing services to entities which conform to the Terms and conditions for the access. By accessing DSW, the entity (and through it individual natural persons – for instance employees and students, i.e. data subjects under GDPR) gains access to a unique portfolio information and communication technology services supporing data stewardship.
  4. As regards the access to the services of DSW, the services are two-fold: services the access to which does not require authentication and authorisation; and services the access to which requires authentication and authorisation. To access the services requiring authentication and authorisation, an user account needs to be created.
  5. As regards the access to the services of DSW the access to which requires authentication and authorisation, the following personal data are being processed: name, surname, e-mail, the user identity created for ELIXIR infrastructure (AAI) IP address (and other identifiers enabling the identification of the communication source and target) and other unique identifiers applied by individual services of DSW.
  6. As regards the access to the services of DSW the access to which does not require authentication and authorisation, the following personal data are being processed: IP address (and other identifiers enabling the identification of the communication source and target) and other unique identifiers applied by individual services of DSW.
  7. The processing of personal data is first launched upon the first use of any DSW’s service. Non-anonymous personal data such as name, surname, e-mail and user identity created for ELIXIR infrastructure (AAI) are stored over the entire period of usage of DSW’s services. For security reasons (in particular in order to prevent any duplicity of user account identities) and for accounting and reporting reasons personal data including name, surname, e-mail and user identity created for ELIXIR infrastructure (AAI) are also stored after the services of DSW are no longer used. The data controller defines the technical and organisations terms and conditions for securing personal data so that their integrity and confidentiality is not breached.
  8. Personal data defined as traffic and location data, such as IP address (and other identifiers enabling the identification of the communication source and target) and other unique identifiers applied by individual services of DSW are deleted after 18 months.
  9. Personal data relating to information about the usage of DSW resources are stored for the period for which they are deemed necessary for the provision and improvement of the service.
  10. In case of DSW services, personal data are being processed for the purpose of:
    • provision of own service comprising the need to authenticate and authorise the user;
    • administration;
    • ensuring the actual provision of DSW service;
    • statistics;
    • service monitoring;
    • optimisation of partial tasks and the services as such;
    • security;
    • drafting annual reports, monitoring reports, project result summaries and other similar documents.
    • delivering service announcements to the users.
  11. In case of DSW services, personal data may be shared with:
    • organisational units (sections or departments) within FIT CTU for reasons specified in art. 4.
    • personal data defined as traffic and location data, such as IP address (and other identifiers enabling the identification of the communication source and target) and other unique identifiers applied by individual services of DSW may be shared with network and service administrators of the entities connected to DSW and members of security teams within the process of addressing traffic issues and security incidents.
    • Other entities provided data subject’s personal data have been rendered anonymous or have undergone pseudonymisation.
  12. Access to the services of DSW may only be granted once the conditions set in the relevant rules of DSW services have been met and the consent to personal data processing provided. Legal grounds allowing for processing personal data are as follows:
    • consent granted by the data subject;
    • justified interest of the controller, including in particular:
      • fraud prevention;
      • sharing personal data within a business group for internal administrative purposes;
      • ensuring network and information security, consisting among others in preventing unauthorised access to electronic communication network and services, proliferation of malicious codes and mitigating attacks, and damage on computer and electronic communication systems.
  13. The data subject may exercise his/her rights in accordance with GDPR. Data subjects should claim their rights from the relevant personal data collector. The procedure for claiming the rights is described at Contact.