GDPR Transparency

The Directive on management and protection of personal data at The Institute of International Relations Prague v.v.i., No. 33

This internal regulation determines the rules for the preservation of personal data for our employees, clients and other persons and data processing.

1. Introductory provisions

1.1. This internal document regulates the procedure to be followed by employees of the Institute of International Relations Prague v.v.i., which is located at the address Nerudova Street 3, 118 50, in Prague (hereinafter the "IIR"), and other persons who have been authorized by the IIR in document operations, processing and preservation of personal data that are processed in the conditions of the operations and activities of the IIR pursuant to the European Parliament Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation) and the annulment of Directive 95/46/EC (the General Data Protection Regulation) (hereinafter the "Regulation"), and other legislation governing the protection of personal data.

1.2. These precepts are also valid for the personal data of all IIR employees, external collaborators, visitors of IIR events, users of the IIR library, IIR customers and subscribers to the IIR Newsletter that was processed by authorized persons (by the IIR’s internal employees and by other persons who process personal data on the basis of a contract that was concluded with the IIR). This directive must be included as a supplement in each contract between the IIR and an authorized person who is not an IIR internal employee.

1.3. Personal information means any kind of information regarding an identified or potentially identifiable data subject. The data subject may be regarded as identified or potentially identifiable if the data subject can be directly or indirectly identified on the basis of his or her identification number, identification code or one or more personal elements specific to his or her physical, physiological, psychological, economic, cultural or social identity.

1.4. Sensitive data means personal information that speaks about the person's nationality, race or ethnicity; political attitudes and preferences; membership in political parties or political movements, or labor or trade unions or employees' organizations; religion and personal beliefs; criminal history; health; and sex life.

1.5. The data subject is a natural person to whom the personal data applies. The data subject can only be a physical person; it is not decisive whether the person is a citizen of the Czech Republic or a foreigner; moreover, other factors that are not important or relevant in this case include the age of the person, whether the person is fully mentally competent, etc. In the case of the IIR the data subject is a user of its services, a visitor at one or more of its events or its employee.

1.7. The personal data manager is the person who determines the purpose and means of processing of personal data in specific cases. For the purposes of this Directive, the IIR is understood as being the personal data manager.

1.8. The processor of personal data is the person who is responsible for processing the personal data for the personal data manager (for instance a provider of the library system), but it cannot be an employee who serves under the personal data manager. If the processor of personal data makes use of the services of third persons during the processing of personal data, the processor is obliged to make sure that the third persons fulfill all the obligations contained in this directive and the related laws. Otherwise, the processor is responsible for any damage caused by the third persons not fulfilling these obligations.

1.9. The IIR declares that in case of any modification of the statutory regulation regarding the responsibilities and obligations related to personal data protection, all the new obligations and duties that arise from this modification must be automatically enforced from the time of the modification’s entry into force.

2. Authorized persons

2.1. The authorized persons of the IIR who are allowed to process personal data are the following:

- The IIR Director, and any employees authorized by the general department management;

- Employees in managerial or executive positions (i.e. the heads of individual departments), administrative workers in the service department, and members of the research department;

- Persons who provide the security of the information system for processing personal data;

- Other authorized persons who have permission to access and work with personal data pursuant to their contract.

3. Ensuring of Security

3.1. Written and electronic documents that contain subjects’ personal data must be securely stored on the IIR premises in places that are inaccessible (that can be locked and secured). That applies to all copies of the subjects’ personal data documents. Authorized persons are responsible for the fulfillment of their duties, which are determined by individual administration agendas according to the extent of authorization rights that arise from an employment contract or IIR directions. The authorized persons are responsible for fulfilling the aforesaid obligations within the limits of their authorization.

3.2. Data that contain a subject's personal information which are stored on personal computers must be kept from being accessed by unauthorized users and secured against misuse of private information.

3.3. Every employee is required to maintain confidentiality about personal or sensitive data and about the security measures for protecting them, the disclosure of which would endanger the security of the personal data.

3.4. The liquidation of accounting data is provided by the IIR 5 years after the carrying out of the original cash transaction, and before January 31st of the following year after the five years are up. This time limit is not valid if the financial assistance provider requests a longer period of time for the liquidation within the contract, or if the time for the archiving must be extended for reasons of protection of justified interests of the IIR.

4. Principles relating to the processing of personal data

The fundamental principles relating to the processing of personal data are governed by Article 5 of the Regulation. In accordance with these principles the IIR has to ensure that the personal data are:

  • processed only on the basis of particular legal reasons;
  • processed in a correct and transparent manner;
  • collected only for specific, explicitly stated and legitimate purposes;
  • appropriate, relevant and limited to the necessary extent for the purpose for which they are processed;
  • accurate, exact and updated if it is necessary;
  • stored only for the period of time that is necessary for the purposes for which they are processed;
  • processed in a way that ensures an adequate degree of defence and security of personal data.

5. The method of data processing

5.1. The personal data are most often processed by the IIR for the purposes of the performance of the given contract or the fulfillment of a legal obligation imposed by the IIR. The processing of personal data is based on the consent of the data subject and for the purposes of legitimate interests of the IIR.

5.2. The IIR has the obligation to conserve the data subject's personal information that evidently requires the subject’s consent for processing only in its up-to-date form. Any data that are no longer necessary are to be discarded and no longer stored. In case the subject revokes their consent, it is necessary to discard the related personal data, but they may be archived for a necessary length of time in accordance with the relevant laws.

5.3. The IIR database management system contains the collected personal data and other necessary information for their further processing. The collected data and necessary information can be obtained with the subject’s consent or on the basis of a statutory regulation. The personal data and necessary information are processed with considerations about ensuring their security. The collected data and personal information should be retained and archived by an authorized employee in rooms or places that can be locked or that would make accessing the processed data difficult (for example, accessing the data by using a password during the processing of the data with computer technology) so that the destruction, loss, or theft of or other damage to the data would be impossible, or at least the risk of losing the data would be minimized as much as possible.

5.4. The access to the database with personal contacts, the information databases, the Eventival database, which processes the personal data of the IIR service users, and the database of the library and the e-shop is only for authorized employees, persons who secure the database storage systems for processing personal data, and authorized persons who are permitted to access the databases on the basis of an existing contract with the IIR. The enhanced security measures also include measures for limiting or regulating the entry into the IIR building. Personal data are also securely stored in locked offices which only authorized employees can enter. The external drives and disks on which personal data are transported are always password protected.

5.5. Audio, video and photographic recordings which were obtained during events held by the IIR are always released with the participants' permission (for instance, the visitors must sign the attendance list during the registration for an event).

6. The IIR employees' responsibilities concerning the processing of personal data

  • To assemble personal information only in an overt and obvious way; any assembling of personal data for purposes other than those for which it is permitted by the regulation is not allowed.
  • To not assemble redundant personal data or collect personal information that has been obtained for different purposes.
  • If the processing of personal data is implemented on the basis of the consent of the subject, the consent should be granted with a written consent form with the subject's signature. Furthermore, it should be clear to which personal information the consent relates, who the data administrator is, what the purpose is, for precisely which time period the consent is given and who is giving consent.
  • The consent may be countermanded by the subject at any time. The consent form is to be kept by the IIR until the personal data, whose processing was consented to, is processed.
  • Personal data that are stored in a computer database management system can be eliminated by deleting identification data (anonymization). The anonymized personal data can be further used for statistical purposes only.

7. The rights of employees, clients and service users of the IIR

7.1. The rights of employees, clients and service users as data subjects are guaranteed. The data subject has the right of access to his/her personal data and the right to rectify personal data concerning him or her.

7.2. Data subjects have the right to apply to the Office for Personal Data Protection for an arrangement for the rectification or editorial revision of their personal data in case the IIR commits a violation of the international obligation to protect their personal data. A data subject who believes that the IIR is processing his/her personal data in violation of laws protecting one’s private life and privacy, may ask the IIR for an explanation and an elimination of this state of affairs (particularly by rectification, replenishment, limitation of processing or elimination of personal data). If the data subject's request is found to be legitimate and justified, the IIR will immediately eliminate the defective condition in a manner that corresponds to the specific features of the given case. The request should be submitted in written form.

7.3. The data subject has a right to apply for a replenishment and/or rectification of his/her personal data so that they are reliable, accurate and truthful. Also the data subject has a right to obtain his/her personal data from the IIR in a structured, commonly used format that can be easily processed by a computer.

7.4. The data subject has a right to raise an objection against the processing of their personal data and also to request that the IIR restrict the processing of the subject's personal data on the condition that there are precepts that would allow for such restrictions.

7.5. If the data subject submits a written application form for it, the data subject has the right to a deletion (to be erased from the IIR databases). In a deletion, all personal information regarding the data subject is deleted from the IIR database management system. According to the IIR cancellation policy the deletion must take place within 30 days of receiving the application, with a possibility of extending this period to 60 days in justified cases. A deletion will also be executed in cases in which there is at least one of the reasons for a deletion of personal data pursuant to the relevant regulations. In cases where there is an obligation to preserve the personal data for a certain period of time (for instance, for purposes related to library statistics), the personal data will automatically be anonymized and then later deleted from the IIR database.

8. Supervising compliance with the provisions adopted pursuant to this Directive

8.1. The leading staff of the IIR shall ensure the oversight of the fulfillment of the obligations which follow from this Directive related to the processing of personal data within their sphere of competence.

9. Effectiveness of the Directive

This directive for the processing of personal data shall enter into force on the day of its publication.

In Prague, 25th May 2018

PhDr. Ondřej Ditrych, MPhil. Ph.D.

The IIR Director