The Economics Institute GDPR instructions

Česká verze Pokynů týkajících se ochrany osobních údajů je k dispozici na stránce https://cz.cerge-ei.cz/o-cerge-ei/ochrana-osobnich-udaju-pokyny

Pro účely agendy ochrany osobních údajů je určena kontaktní osoba: Petr Veselý, oddělení výpočetní techniky
GDPR primary contact person: Petr Veselý, Head of Computer Office
Primární kontaktní email / Primary contact: helpdesk@cerge-ei.cz

For the purpose of work communication within the Economics Institute (EI) or towards third parties, EI employees may use only their work e-mail addresses with the cerge-ei.cz (or ei.cas.cz) domain. The GDPR does not permit the use personal e-mail addresses for any type of work communication including communication with students.

As an exception, EI employees may use e-mail addresses from other official domains for the purpose of work communication related to their EI work agendas when they are employees of any of the following organizations associated with the domains: Charles University, the Czech Academy of Sciences (including their joint workplaces), university/faculty hospitals, CESNET, or official domains of other universities and public research institutions.

EI employees may only use e-mail forwarding from the cerge-ei domain to an e-mail account in any of the above listed domains.

The above instructions do not address the placement of e-mail accounts of third-party recipients.

As always, the e-mail content may only include personal data that do not influence the recipient or that were originally included in the communication by the recipient.

The publishing of lists of students and/or alumni in printed form (in annual reports, etc.) or on a public web page is not allowed without their explicit consent.

Gained consent may be used in accordance with its specific purpose only. It must be specific and ‘individual’ so that you get separate consent for separate things.

Any lost or stolen electronic/data device must be reported to the GDPR primary contact person at helpdesk@cerge-ei.cz?subject=[GDPR] Reporting of Lost Device, either by the affected employee/student or his/her superior. The incident will be analyzed and appropriate remedies assessed. CERGE-EI is obliged to document and assess such incidents and report on them to the Data Protection Office (ÚOOÚ) or other subjects involved in the incident.

This instruction concerns any device containing personal data which might conceivably be lost or stolen or containing passwords, the stealing of which might lead to personal data loss (typically PCs, laptops, portable devices including tablets and mobile phones, external data drives and cards, etc.). Personal data include, e.g. students’ seminar papers, seminar attendance lists, students’ grades, personal information contained in research data files, etc.

Dosavadní znění upozornění zůstává v platnosti, za poslední větu tohoto upozornění se nově doplňuje věta:

„Obsahuje-li tento e-mail nebo některá z jeho příloh osobní údaje, dbejte při jeho dalším zpracování (zejména při archivaci) souladu s pravidly evropského nařízení GDPR.“

The original disclaimer remains the same, only the following sentence should be appended:

„If this e-mail or any of its attachments contains personal data, please be aware of data processing (particularly document management and archival policy) in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on GDPR.“

Full text of CERGE-EI disclaimer is available here.