Personal Data Protection in CESNET e‑infrastructure and other CESNET services

  1. In compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, further in this text referred to as ‘GDPR’), the CESNET association informs the entities on terms and conditions under which personal data in providing the CESNET e-infrastructure services are processed. Data subjects are natural persons using the services of the CESNET e-infrastructure.

  2. The controller of the personal data as defined by GDPR is CESNET, association of legal entities, Zikova 1903/4, 160 00 Prague 6, Czech Republic, Id.No.: 63839172, Tax id. no.: CZ63839172 (further in this text referred to as ‘the CESNET association).

  3. The CESNET e-infrastructure (further in this text referred to as ‘the Infrastructure’) is a research infrastructure as defined by Act no. 130/2002 Coll., on the Support of Research and Development from the Public Funds and on the Amendment of Certain Related Acts, providing services to entities which conform to the Terms and conditions for the access to the CESNET infrastructure. By accessing the CESNET e-infrastructure, the entity (and through it individual natural persons – for instance employees and students, i.e. data subjects under GDPR) gains access to a unique portfolio information and communication technology services: superior high-speed access to the Internet and to partner research and development networks across the world, environment for data storage, sophisticated computations and support of collaboration, security and identity administration.

  4. As regards the access to the services of the e-infrastructure, the services are two-fold: services the access to which does not require authentication and authorisation; and services the access to which requires authentication and authorisation. To access the services requiring authentication and authorisation, an user account needs to be created.

  5. As regards the access to the services of the e-infrastructure the access to which requires authentication and authorisation, the following personal data are being processed: name, surname, e-mail, telephone number, the name of the home organization, affiliation to the home organization, the user identity from home organization (e.g. Edu Person Principal Name), the user identity created for CESNET e‑infrastructure and the unique user identifier for CESNET e‑infrastructure and the corresponding virtual organization (VO), IP address (and other identifiers enabling the identification of the communication source and target) and other unique identifiers applied by individual services of the e-infrastructure. A Virtual Organization (VO) is a system that enables users who are members of VO to provide the CESNET e-infrastructure service.

  6. As regards the access to the services of the e-infrastructure the access to which does not require authentication and authorisation, the following personal data are being processed: IP address (and other identifiers enabling the identification of the communication source and target) and other unique identifiers applied by individual services of the e-infrastructure.

  7. The processing of personal data is first launched upon the first use of any CESNET e-infrastructure’s service. Non-anonymous personal data such as name, surname, e-mail, telephone number, , the name of the home organization, affiliation to the home organization, the user identity from home organization (e.g. Edu Person Principal Name), the user identity created for CESNET e‑infrastructure and the unique user identifier for CESNET e‑infrastructure and the corresponding virtual organization (VO) are stored over the entire period of usage of the e-infrastructure’s services. For security reasons (in particular in order to prevent any duplicity of user account identities) and for accounting and reporting reasons personal data including name, surname, e-mail, the name of the home organization, affiliation to the home organization, the user identity from home organization (e.g. Edu Person Principal Name), the user identity created for CESNET e‑infrastructure and the unique user identifier for CESNET e‑infrastructure and the corresponding virtual organization are also stored after the services of the e-infrastructure are no longer used. The data controller defines the technical and organisations terms and conditions for securing personal data so that their integrity and confidentiality is not breached.

  8. Personal data defined as traffic and location data1, such as IP address (and other identifiers enabling the identification of the communication source and target) and other unique identifiers applied by individual services of the e-infrastructure are deleted after 18 months.

  9. Personal data relating to information about the usage of e-infrastructure resources are stored for the period for which they are deemed necessary for the provision and improvement of the service, or, in case of projects, for the period set by individual providers of purpose-built support, with the minimum period of 5 years after the projects had been terminated.

  10. In case of e-infrastructure services, personal data are being processed for the purpose of:

    • provision of own service comprising the need to authenticate and authorise the user;
    • administration;
    • ensuring the actual provision of the e-infrastructure service;
    • statistics;
    • service monitoring;
    • optimisation of partial tasks and the services as such;
    • security;
    • drafting annual reports, monitoring reports, project result summaries and other similar documents.
  11. In case of e-infrastructure services, personal data may be shared with:

    • organisational units (sections, departments and virtual organization) within the CESNET associations for reasons specified in art. 4.
    • personal data defined as traffic and location data1, such as IP address (and other identifiers enabling the identification of the communication source and target) and other unique identifiers applied by individual services of the e-infrastructure may be shared with network and service administrators of the entities connected to the e-infrastructure and members of security teams within the process of addressing traffic issues and security incidents.
    • Other entities provided data subject’s personal data have been rendered anonymous or have undergone pseudonymisation.
  12. Access to the services of e-infrastructure may only be granted once the conditions set in the relevant rules of the e-infrastructure services have been met and the consent to personal data processing provided. Legal grounds allowing for processing personal data are as follows:

    • consent granted by the data subject;
    • justified interest of the controller, including in particular:
      • fraud prevention;
      • sharing personal data within a business group for internal administrative purposes;
      • ensuring network and information security, consisting among others in preventing unauthorised access to electronic communication network and services, proliferation of malicious codes and mitigating attacks, and damage on computer and electronic communication systems.
  13. The data subject may exercise his/her rights in accordance with GDPR. Data subjects should claim their rights from the relevant personal data collector. The procedure for claiming the rights is described at https://www.cesnet.cz/contacts/?lang=en.

  14. These rules are available in Czech and English. Should any discrepancies between the two versions occur, the Czech version shall prevail.

These rules – version 1.2 have been published 28. 11. 2019.

Previous versions: 1.0 from 29 November 2017, 1.1 from 23 May 2018

1 See s. 90 and 91 of Act no. 127/2005 Coll., on Electronic Communications and on Amendment to Certain Related Acts (Electronic Communications Act).

Last change: 28.11.2019