Information about personal data processing and protection in respect of the CESNET association

Contents:

Your personal data controller

In compliance with GDPR, CESNET, assotiation of legal entities, with its registered office at Zikova 1903/4, 160 00 Prague 6, Id. no.: 63839172, Tax id. no.: CZ63839172 (‘CESNET’ or ‘the Association’) is the personal data controller.

The Controller collects your personal data, disposes with them and is responsible for their fair and lawful processing. You can claim your rights on the controller as described below.

Data protection office contact details.

Processed personal data

We only process personal data necessary for the provision of services and user support and for ensuring obligations stipulated by law or otherwise (for instance by terms and conditions of individual grant providers within the projects). We process data from our service users (current and former), and to a limited extent also data about potential users which had indicated their interest in the services and with which a communication about their access to the services is underway.

While providing the e-infrastructure services, we process your basic personal data and contact details, traffic and service use data, data from mutual communication, and any other data as long as the amount of such data is adequate and limited to what is necessary in relation to the purpose for which your personal data are collected and processed. A comprehensive list of purposes for which we process user personal data as well as the specification of type of information processed for a particular purpose, can be found in the Purpose of processing section.

Depending on particular service or purpose, we process in particular the following categories of data:

Personal identification data

These include for instance name, surname, identity card number (passport, ID card), date of birth, name of home organisation (employer), affiliation to home organisation.

Contact details

Contact details include for instance e-mail address, telephone number, domicile (employer) address, user identity in an external (from the CESNET’s point of view) Identity Management system (e.g. Edu Person Principal Name, ‘EPPN’). These data are necessary in order to provide access to the customised services of the CESNET e‑infrastructure. Without these data, the services could not be provided.

Access information

Personal identification data and contact details are pre-requisites to ensuring secure and reliable access to certain services of the CESNET e-infrastructure, namely user verification by means of user name and password when logging to a particular service. The access information consisting of user name and password (so called user identity) combined with personal identification data, contact details and a selected unique user identifier for the e‑infrastructure are stored in IdM (identity management) systems of the Association which serve as central user identity (user accounts) administration point, thus enabling to control and manage the entire user lifecycle.

Data relating to access to services

In order to ensure a stable operation and secure services, to protect the users and their data and to be able to address cyber security events and incidents, CESNET processes data from the network traffic and about the user access to individual services (so called traffic and location data, logs). These data may include for example digital identifiers of traffic made (IP addresses, MAC addresses, etc.), data about the identity of the user requesting the access to the service, the result of the authentication process or the timestamp of the access or access attempt.

Data on utilisation of CESNET e-infrastructure services

Data on the utilisation of the CESNET e-infrastructure are processed in order to be able to plan sources and to streamline and systematically develop the e-infrastructure services, and to fulfil the requirements of purpose-built grant providers and the needs of association members.

Data relating to the monitoring of CESNET communication infrastructure

The communication infrastructure is a network component of the CESNET e-infrastructure. It ensures data communication of users and services within the CESNET e-infrastructure and with external networks and sources. A wide range of data is processed in relation to the communication infrastructure administration. Some of them may contain elements of personal data. The procedure is as follows:

  • Processing of data from individual active network components as a part of the network communication infrastructure monitoring. In this case, the data consist entirely of technology data used predominantly to assess the level of utilisation of network sources, error rate, overrun of traffic limits, etc. Only a limited amount of descriptive data can contain elements of personal data. This applies in particular to IP and MAC addresses of individual device network interfaces. Nonetheless, these data ensure technological and not personal identification.

  • IP traffic data processing. In this case, the data are collected (sometimes even created) comprehensively and traffic data are processed using flows (so called NetFlow, alternatively sFlow). A major portion of processed data contains elements of personal data, including IP and MAC addresses, which are the fundamentals of the traffic data (and it is impossible to distinguish whether this is user or merely technological identification at this level).

Security

The administration of the e-infrastructure and the services also encompasses the issues of security and user protection. Besides communication infrastructure monitoring described above, it covers handling of security incidents, events, vulnerabilities and other anomalies, detected by in-house tools within the CESNET e-infrastructure, reported to us by third parties (e.g. as a part of the incident handling – security incident resolution and coordination thereof). These data are processed in order to ensure secure e-infrastructure operation and user protection. Most frequently, data processed in this area include IP or MAC address, URL, data about geographical location and other digital identifiers which identify a device connected to the network rather than a natural person.

Data acquired at events

CESNET organises a number of educational and community events – conferences, workshops, trainings, etc. The participants apply for the events using the web registration form, and subsequently data such as name, surname, name of the home organisation, job position or email address are processed. These data are used in relation to event administration. At certain events, on-line streams and recordings are made, which are subsequently made publicly available. Photographs are taken do document the event and project results’ attainment. These may subsequently be used for PR activities (on the Association’s website, on social networks, etc.).

Data from communications

In addition, CESNET processes data from communications made – from meetings, consultations, phone calls (in the form of minutes and recordings), from e-mail communications when addressing traffic and security issues (within the ticketing systems) including the resolution of user requirements, complaints, service claims or data from communications while ensuring access to services, etc. These communication data are also kept to enable reviewing the communication made retroactively and may be used as evidence in case of litigations.

Other data

For security reasons, CCTV is used on the Association premises (Zikova 1903/4, Prague 6, Czech Republic) and in special work places (laboratories, computer halls, etc.) deployed in member’s premises.

Purpose of processing

CESNET processes data in order to be able to provide any particular services offered within the CESNET e-infrastructure, to ensure the operation and development of the CESNET e-infrastructure’s comprehensive range of services and network communication infrastructure, as well as to ensure the network traffic and services, enhance quality and user care, and to ensure the protection of your personal data.

Data are processed only to the extent necessary and for the specified purpose.

The duty to process data is stipulated in a number of regulations. Certain data must be processed for the project reporting, certain data are processed to protect the rights and law-protected interests of the Association (Controller), or of third parties. When processing personal data, the existence of a legitimate interest is rigorously assessed.

The Controller’s legitimate interest consists in particular in ensuring the provision of services, their development, optimisation, prevention of any fraud, transfer of personal data between group entities for internal administrative purposes, and in ensuring network and data security, including among other prevention of unauthorised access to electronic communication networks and services, prevention of malware proliferation, attacks and damage on computer and electronic communication systems.

In respect of the CESNET e-infrastructure, personal data are processed in particular for the purpose of:

Provision of own services

In order to be able to provide the services of the CESNET e-infrastructure which require authentication and authorisation, we need to ascertain you personal identification information and contact details. This enables us, among other things, to generate a user identity (access data). Personal data processing starts upon the first use of CESNET e-infrastructure’s service.

Purpose of data processing:

  • actual provision of service;
  • security;
  • legal obligation fulfilment;
  • legitimate interests.

Authentication and authorisation of legitimate user

Certain services of the CESNET e-infrastructure require the users to authenticate and authorise. To enable this, we generate a user identity for you in one of the operated IdM systems. We administer your access information (login name and password) enabling your authentication.

Purpose of data processing:

  • actual provision of service;
  • security;
  • legal obligation fulfilment;
  • legitimate interests.

Ensuring actual provision of CESNET e-infrastructure service

In order to ensure the access to the services of the CESNET e-infrastructure, to offer high-quality services, develop them, address traffic and security issues, protect your personal data which you confined to us or which we collected, a number of activities are continuously carried out, including an analysis and processing of logs from system and service operation, traffic and localisation data from the traffic and security monitoring (for more details see section Security) and streamlining of partial tasks and services as such.

Using external Google Analytics, CESNET monitors the traffic and the number of visitors to the www presentations of the Association, in order to optimize and improve them. The service is configured in a standard way.

Purpose of data processing:

  • actual provision of service;
  • security;
  • legal obligation fulfilment;
  • legitimate interests.

Monitoring and security

GDPR imposes an obligation to ensure the protection of processed personal data. Hence, the Association performs a number of activities in order to fulfil the obligation, starting with the implementation of state-of-art defence mechanisms, systematic employee education to traffic and security monitoring performed at both at network and application level.

The data collated as a part of processing of data from individual active network components as a part of the network communication infrastructure monitoring are necessary for the administration, ensuring the operation and stability of the communication infrastructure and other components of the CESNET e-infrastructure; to achieve optimum source exploitation, to track behaviour patterns and the condition of individual technology units. The data are a prerequisite for the fulfilment of obligations towards professional clusters, such as the FENIX project as the platform of the Czech peering centre NIX.CZ and last but not least for statistical evaluation of the utilisation of CESNET e-infrastructure components as required by the grant provider.

The data collated as a part of IP traffic data processing, where data are collected (sometimes even created) comprehensively and processed using flows (so called NetFlow, alternatively sFlow), facilitate the administration and security of network traffic and CESNET e-infrastructure’s services CESNET. Moreover, processing of these data also constitutes the fulfilment of obligations prescribed by general legislation – including for instance Act no. 127/2005 Coll., on Electronic Communications and on Amendment to Certain Related Acts (Electronic Communications Act, ‘ECA’), as amended; and Act no. 181/2014 Coll., on Cyber Security and the amendment of related acts (Cyber Security Act, ‘CSA’), as amended. ECA and CSA prescribe obligations in respect of storage of traffic and localisation data and detection and reporting of cyber security incidents. Last but not least, CESNET is obliged to fulfil commitments towards professional clusters (e.g. the FENIX project on the NIX.CZ) as well as requirements of the grant provider in respect of statistical evaluation of the utilisation of the CESNET e-infrastructure.

To be able to detect threats and vulnerabilities in time, CESNET processes data about the detected security anomalies, events and incidents discovered concerning the CESNET e‑infrastructure and connected networks. These data, complemented with third party data, are used in security incident handling. These data are made accessible to security team administrators and members of connected entities all over the world in handling security incidents. These data represent security events, and although they contain identifiers such as attack source and target IP addresses, and possibly other digital identifier, they cannot identify a particular person as such.

As an entity governed by CSA [s. 3(b) of CSA], our obligations include detecting any cyber security events and incidents and reporting them to the National CSIRT of The Czech Republic (operated by CZ.NIC association).

Purpose of data processing:

  • actual provision of service;
  • security;
  • legal obligation fulfilment;
  • legitimate interests.

Statistics

To maintain the sustainability of the CESNET e-infrastructure traffic and its services, development, security and service quality enhancement and to be able to provide reporting to the providers of grants and association members, CESNET processes primary data using statistical methods. In general, these data indicate the CESNET e-infrastructure utilisation, the manner of its utilisation, the utilisation of services, the number of detected and reported traffic and security issues, type and materiality of traffic and security issues, etc.

Purpose of data processing:

  • actual provision of service;
  • security;
  • legitimate interests;
  • legal obligation fulfilment.

Communications

CESNET processes data from communications made – from meetings, consultations, phone calls (in the form of minutes and recordings), from e-mail communications when addressing traffic and security issues (within the ticket system environment) including the resolution of user requirements, complaints, service claims or data from communications while ensuring access to services, etc. These data enable us to enhance the quality of services, internal procedures and user support. Feedback, suggestions, proposals and results of non-anonymous surveys are also processed as personal data.

Purpose of data processing:

  • actual provision of service;
  • security;
  • legitimate interests;
  • legal obligation fulfilment;
  • enhancement of the quality of services provided;
  • user support and customer care.

Duration of data storage

Your personal data are processed in accordance with the principal of data minimisation. This means that CESNET only retains those data necessary to provide the services of the CESNET e-infrastructure and to ensure your rights.

Personal data processing starts upon the first provision of the service of the CESNET e‑infrastructure. Personal data including name, surname, e-mail address, telephone number, name of the home organisation, user identity in an external IdM system (e.g. EPPN) are store as non-anonymous data over the entire period the service of the CESNET e-infrastructure is provided. Personal data: name, surname, e-mail address, name of the home organisation, user identity in an external IdM system (e.g. EPPN), user identity generated for the CESNET e-infrastructure and a unique user identifier for the CESNET e-infrastructure are retained even after the provision of a service of the CESNET e-infrastructure has been terminated. This is due to security reasons (in particular to prevent duplicity of user identity). The administrator defines technical and organisations rules in order to protect personal data so as to ensure their integrity and confidentiality.

Personal data in the form of traffic and localisation logs such as IP address (and other identifiers allowing for tracking the communication source and target) and other unique identifiers applied by individual services of the CESNET e-infrastructure are retained for a period of 18 months and are subsequently deleted.

Personal data collated from security incident reports, together with the description of the entire procedure of security incident handling, i.e. including the communication with the person responsible for handling the incident (typically consisting of the following data – name, surname, e‑mail address, name of the home organisation) are retained unchanged and are not deleted. Similar rules apply to traffic issue reports and handling protocols.

Data from the monitoring of communication infrastructure, i.e. data collated by active network components and data about IP flows are retained for a period of 6 months in full format (without impairing their information value), and for a period of 5 years as summarised statistical data (with impaired information value).

Personal data containing information about the usage of CESNET e-infrastructure’s sources are retained for the period necessary to ensure the provision of a particular service and its quality enhancement; or, in case of projects, for the period set by relevant grant providers, for a minimum of 5 years after the project completion.

Personal data relating to the events held (workshops, trainings, conferences) are retained for the period necessary to ensure the provision of a particular service and its quality enhancement, for a maximum of 5 years after the event was held.

Data processed with your consent are retained for a period for which you had rightfully given your consent, i.e. until the consent is withdrawn, or until the purpose for which the consent had been given expires. To remove any doubts, the consent, its amendment or withdrawal is retained on the basis of our legitimate interest for the entire period of the consent validity and 10 years after it expired.

Am I obliged to transfer my personal data to CESNET?

The transfer of personal data the provision of which is subject to your consent is voluntary.

CESNET requests the transfer of other personal data where their processing is necessary to fulfil -our statutory obligations, to provide the requested service of the CESNET e‑infrastructure or to protect our legitimate interests. Should you refuse to transfer your personal data, we shall be unable to provide the requested services the provision of which is conditional upon the transfer of personal data.

Personal data sources

CESNET processes in particular the data provided by you, for instance upon the establishment of your access to a service of the CESNET e-infrastructure, upon the generation of user identity (access information) in the IdM system, upon the access to services (authenticated), upon registration for an event (conferences, workshops, trainings), upon the login in public mail electronic lists, as a part of the communication with you, etc.

In addition, CESNET processes the data which are created as a result of your activity, including service operation logs which contain information when and to which services you access, traffic logs from network communication infrastructure and security-related logs (security events and security incidents).

Data from public available sources (registers, websites, etc.) and data from third parties are also processed.

In case it is necessary and appropriate in order to achieve the purpose of your data processing, the data are complemented from other sources – internal, public and non-public. This concerns in particular the following cases:

Marketing

CESNET uses data provided by you, collated by us, and publicly available data.

Security

Data collated as a part of security monitoring of the CESNET e-infrastructure are complemented with data reported to CESNET (as a part of security incident reporting and handling) by third parties, or from publicly and non-publicly (i.e. with clearly defined restrictions on access) available sources. These data are collated in order to complement the security incident reports which CESNET distributes into connected networks, and in general terms to ensure the security of the CESNET e-infrastructure, connected networks and users.

Registers

CESNET uses data from public registers of national domain administrators and from RIR (Regional Internet Register). Examples include the database of the national domain .cz administered by the CZ.NIC Association, and the RIPE NCC (RIR for Europe and Middle East) database.

Personal data recipients

Your personal data are processed by the Association. The data may only be transferred outside the Association based on your consent, or where it is prescribed by law, or based on administrator’s or third party’s legitimate interest. The Association only enables access to your personal data to other entities provided these entities ensure the functionality of certain systems for the Association.

Transfer on grounds of consent

Certain services (for instance eNews, feedback collection systems, questionnaires and surveys, web analysis) make use of existing third-party services and applications which may result in a transfer of personal data to third countries. When selecting a provider of such a service (processor), CESNET always makes sure that the processor has adequate professional skills and complies with the requirements stipulated in GDPR.

Transfer on grounds of law

The CSA stipulates that the Association is obliged to report any detected cyber security incidents to the National CSIRT of The Czech Republic. The cyber security incident reports may contain IP addresses relating to the reported incident, and certain other digital identifiers. However, only very rarely does the character of data enable to connect them with a data subject.

The ECA stipulates that the Association is obliged, in cases listed in ECA, to transfer traffic and localisation data to entities listed in s. 97 (3) thereof. Such data are transferred provided the services are subject by the ECA.

Further, CESNET is obliged to transfer network traffic logs containing identifiers such as IP address, MAC address, and other digital identifiers to law enforcement authorities.

Transfer on grounds of legitimate interest

Personal data consisting of traffic and localisation logs (see s. 90 and 91 of Act no. 127/2005 Coll., on Electronic Communications and on Amendment to Certain Related Acts – Electronic Communications Act) such as IP address (and other identifiers enabling to track down the communications’ source and target) and other unique identifiers used by individual services of the CESNET e-infrastructure may be transferred to network and service administrators from entities connected into the CESNET e-infrastructure and security team members in the framework of traffic issue and security incident handling.

The Association is a member of a number of national and international security infrastructures (Fenix, TF‑CSIRT, CSIRT.CZ’s Working Group). The informal prerequisite for participation is sharing of security experience and information, including sharing data about detected security events, anomalies and vulnerabilities.

Personal data in the form of statistically processed data about the utilisation of CESNET infrastructure’s sources are transferred to Association members and grant providers.

Your rights

CESNET processes your personal data with due care, fairly and lawfully. You have a number of rights in relation to your personal data – the right of access to the personal data, the right to rectification, erasure, to restriction of processing, data portability or the right to object to processing in case you believe the processing is not fair. You may also file an objection with the Office for Personal Data Protection. You may exercise your rights with the personal data controller, i.e. the Association.

As regards the processed personal data, you can exercise the following rights with the Association:

  • Right of access to personal data – you have the right to obtain a confirmation whether or not the Controller processes your personal data. Where that is the case, you have the right to access to the following information – the purpose of the processing; the categories of personal data concerned; the recipients or the categories of recipient to whom the personal data have been or will be disclosed; whether the personal data are transferred into third countries; the period for which the personal data will be stored; the source of the personal data; and whether or not automated processing or profiling has been or will be applied.

  • Right to rectification – in case your personal data are incorrect or inaccurate, CESNET shall rectify them. Taking into account the purpose of the data processing, you have the right to complete the incomplete personal data.

  • Right to erasure (right to be forgotten) – you have the right to erasure of personal data in the following cases: personal data are no longer necessary; consent withdrawal (and no other legal ground for the processing exists); objection to processing; unlawful processing; compliance with legal obligation; personal data have been collected in relation to the offer of information society services.

  • Right to restriction of processing – you have the right to request that the Controller restricts of processing of your personal data where one of the following applies:

    • your personal data are inaccurate;
    • the processing of your personal data is unlawful but you oppose the erase of data and request the restriction of their use instead;
    • you require the personal data the Controller no longer needs for processing for the establishment, exercise or defence of legal claims;
    • you have objected to processing.
  • Right to data portability – you may request that the Controller transmits the personal data to another controller designated by you, unless hindered by compelling legitimate grounds.

  • Right to object – you have the right to object to processing of personal data by the Controller. However, where the provision of the personal data concerned is obligatory, CESNET can refuse to provide you the relevant service concerned.

  • Right to withdraw consent – in case the Controller requests your consent to personal data processing, you can withdraw the consent at any time. The withdrawal of consent does not affect the processing of your personal data over the period for which your consent has been lawfully granted, nor does it affect the processing of you personal data from other legitimate grounds, where applicable (e.g. compliance with legal obligations or for the purposes of our legitimate interests).

  • Right to lodge a complaint with the Office for Personal Data Protection – you can lodge a request, suggestion or complaint with the Office for Personal Data Protection, with its registered office at pplk. Sochora 27, 170 00 Prague 7, the Czech Republic.

  • Right not to be subject to a decision based solely on automated processing, including profiling.

  • Right to restrict marketing communications – if you have given us consent to marketing communications, or you have been receiving our business offers on other legitimate ground, you may withdraw you consent at any time, or restrict or recall the activity by:

    • replying to the commercial communication in which you clearly indicate your wish to be omitted from such communication;
    • telling us during a phone call that you no longer wish to be contacted in this manner;
    • communicating to us via email, in person or on the phone that you no longer wish to be contacted in any way, see contacts.

We would like to advise you that should you indicate to restrict marketing communications, CESNET may continue to communicate with you in respect of maintenance, support and traffic and security incident handling; and that CESNET shall continue to use your contact details in order to send service rights and for purposes other than the marketing activity.

The rights claimed may not adversely affect the rights of third parties.

In case you decide to claim your rights regarding personal data protection, we shall request you to identify yourself.

In case you claim any of the rights in respect of personal data processing, CESNET shall notify you of the settlement of your request no later than one month after the delivery of the request. This deadline can, however, be extended up to three months in case more complex or higher number of request have been received, in which case CESNET shall inform you about it.

Claiming your rights is free of charge. The Association may, however, charge a fee for the request processing in case the request is clearly groundless or inadequate.

If you have any further questions, please contact CESNET at www.cesnet.cz/kontakty.

Glossary

Sensitive data

Special category of personal data consisting of information about racial or ethnical origin, religious beliefs, political opinions, membership in trade unions or other organisations, sexual life, commission of offence and any sentence for it, genetic data, biometric data, health condition.

Geolocation data

Data about geographical position of a computer system connected to the Internet (whether detailed or on country level).

Legitimate interest

An interest of the controller or of third party, for example where the data subject is controller’s customer.

Personal data

Any information relating to identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Service

Any service provided within the CESNET e-infrastructure (www.cesnet.cz/sluzby), including appropriate support.

Controller

Any person who determines the purposes and means of the processing of personal; the controller may assign the actual data processing to a processor.

Data subject

Any natural person who provided data about himself or herself, or whom the controller/ processor obtained the date from another controller/ processor.

Purpose

Any purpose for which the controller uses your personal data.

Processing

Any operation which is performed on personal data by the controller or the processor.

Processor

Any entity which processes personal data on behalf of the controller.

Overview of relevant legislation

In processing personal data, we adhere by Czech legislation in force, namely the Act on the Protection of Personal Data, Civil Code, GDPR and Anti-spam Act which addresses unsolicited commercial communication.

Anti-spam Act Act no. 480/2004 Coll., on Certain Information Society Services Commercial communication in e-mails, SMS
Charter of Fundamental Rights of the European Union 2012/C 326/02 Personal data protection
Charter of Fundamental Rights and Freedoms Resolution of the presidium of the Czech National Council Nr. 2/1993 Coll. to republication of Charter of Fundamental Rights and Freedoms as component part of constitutional order of the Czech Republic Right to privacy and personal data protection
Civil Code Act no. 89/2012 Coll., the Civil Code Privacy protection
General Data Protection Regulation (EU) – GDPR Regulation no. 2016/679/EU Protection of personal data within the EU in force since 25 May 2018.
Act on Electronic Communications (‘ECA’) Act no. 127/2005 Coll., on Electronic Communications and on Amendment to Certain Related Acts (Electronic Communications Act, ‘ECA’), as amended). General storage of traffic and localisation data
Act on Cyber Security (‘CSA’) Act no. 181/2014 Coll., on Cyber Security and the amendment of related acts (Cyber Security Act, ‘CSA’), as amended. Cyber security incident and event detection and reporting

This document, version 1.0, was published on 24 May 2018.
This document shall be regularly updated.

Last change: 24.5.2018