Personal data processing in CESNET association

Personal data processing in e-INFRA CZ

The CESNET e-infrastructure is part of a unique e-infrastructure for research, development and innovation in the Czech Republic called e-INFRA CZ, which consists of:

•     e-infrastructure CESNET, operated by CESNET, an association of legal entities, ID No.: 63839172;
•     CERIT Scientific Cloud, operated by Masaryk University, ID No.: 00216224
•     IT4Innovations national supercomputing centre, operated by VSB – Technical University of Ostrava, ID No.: 61989100.

One of the goals of e-INFRA CZ is to connect its individual parts so that users gain unified access to e-INFRA CZ services and unified user support when using these services. The e-INFRA CZ services can be used by users who, in accordance with the Conditions for access to e-INFRA CZ infrastructure, have the status of e-INFRA CZ user.

For the purpose of operation and fulfilment of the objectives of e-INFRA CZ, selected personal data of users of the CESNET e-infrastructure, for which it is necessary, are processed jointly by all operators of e-INFRA CZ in the regime of so-called joint controllers within the meaning of Article 26 GDPR. The joint processing of personal data will not apply to users for whom this is legally excluded (see Article  II paragraph  3 of the Conditions for access to e-INFRA CZ infrastructure).

Detailed information on the joint processing of personal data in e-INFRA CZ can be found on the web page: https://www.e-infra.cz/en/personal-data-processing.

Purposes and legal basis for the processing of personal data in e-Infrastructure CESNET

We only process data that is necessary for the provision of services and user support, for the fulfilment of obligations arising from legislative regulations and other obligations (e.g. conditions of support providers in the framework of projects). We process data from users of our services (current and former) and, to a limited extent, from potential users who have expressed an interest in the services and with whom communication is established to make the services available. It is not possible to use the CESNET e-infrastructure services without providing personal data required for the operation of the e-infrastructure.

When providing CESNET e-infrastructure services, we process your basic personal and contact data, data from operation and use of services, data from communication with you, or other data so that the scope of these data is appropriate and limited to the necessary scope in relation to the purpose for which we collect and process your personal data.

Unless otherwise stated, we process the following categories of personal data on the basis of the legitimate interest of CESNET in providing the following services:

• of an appropriate quality, so we monitor the operation of the services and carry out evaluations of them;
• secure manner, so we monitor the network and applications and respond promptly to detected threats;
• provided in compliance with funding bodies and their rules, so we modify the rules for using the services and keep records of them to the required extent;
• in collaboration with national and international organizations and infrastructures with similar focus.

Providing access to service

To access services that require authentication and authorization for quality assurance and security purposes, the user needs to create a user identity in one of the IdM systems. In providing these services, we need to know your basic identification, contact information and home organization information. This information is provided to us when you first access the CESNET e-infrastructure. In addition, we record various internal identifiers and information about user permissions in order to perform authorization and authentication.

In the context of accessing CESNET’s e-infrastructure services that do not require authentication and authorisation, personal data such as IP address (as well as other identifiers that allow tracking the source and destination of communications) and other unique identifiers used by each service are processed.

Providing the actual operation of the service

In order to provide you with access to CESNET e-infrastructure services, to offer quality services, to develop them, to solve operational and security problems and, among other things, to protect your personal data, we analyze and process records from operation of systems and services (logs), operational and location data from operational and security monitoring and optimize the running of sub-tasks and the service itself.

Monitoring and Security

To ensure the stability of operation and security of services, to protect users and their data as well as to deal with cyber security events and incidents, we process information from network traffic and from user access to individual services (so-called operational and location data, logs). This information may include, for example, the technological identifiers of the traffic, information about the identity of the user requesting access to the service, the result of the authentication process or time stamps of the access or access attempt.

We process the above information not only on the basis of our legitimate interest, but also for the purpose of fulfilling our legal obligations. These legal obligations stem, for example, from Act No. 127/2005 Coll., on Electronic Communications, and Act No. 181/2014 Coll., on Cyber Security, which set out obligations in the area of storing traffic and location data and detecting and reporting cyber security incidents.

Statistics

For the sustainability of the operation of the CESNET e-infrastructure and its services, for development, security and quality of service improvement, and for reporting to the purpose support providers and members, we process primary data using statistical methods. These data typically include the usage rate of CESNET e-infrastructure, the way CESNET e-infrastructure is used, the usage of services, the number of detected and reported operational and security problems, the types and severity of operational and security problems, etc.

Communications

We process information from communications made, from meetings, consultations, from telephone calls (in the form of minutes and records), from e-mail communications when solving operational or security problems (in tickler system environment) including the resolution of complaints, service requests or information from communications when providing access to service, etc. This information enables us to improve services, internal processes and user support. We also process feedback, comments, suggestions and the results of non-anonymous surveys as personal data.

Personal data retention period

• When processing your personal data, we follow the rule of minimization. We only keep the data that is necessary to provide the CESNET e-infrastructure services and your rights.
• The processing of personal data is initiated when you first use the CESNET e-Infrastructure service and personal data such as name, surname, e-mail, telephone number, name of your home organisation, user identity in an external IdM system (e.g. EPPN) are stored in a non-anonymised form for the entire period of use of the CESNET e-Infrastructure service.
• Personal data: first name, last name, e-mail, name of the home organisation, user identity in the external IdM system (e.g. EPPN), user identity created for the CESNET e-Infrastructure and unique user identifier for the CESNET e-Infrastructure are kept after the end of the use of the CESNET e-Infrastructure services for security reasons (in particular to prevent duplication of user account identities) and for reporting on the use of CESNET e-Infrastructure resources. The controller shall establish the technical and organisational conditions for the security of personal data to ensure their integrity and confidentiality.
• Personal data in the nature of traffic and location data (so-called logs), such as IP address (as well as other identifiers enabling the source and destination of communication to be traced) and other unique identifiers used by the individual services of the CESNET e-Infrastructure, shall be retained for 18 months and then deleted, unless otherwise specified in the terms and conditions of operation of a particular service.
• Personal data appearing in security incident reports, together with the entire course of the security incident resolution, i.e. including communication with the person responsible for the resolution (which usually includes the following data – first name, last name, e-mail, name of the home organization) are kept in unaltered form and are not deleted. Similarly in the case of reporting and resolving operational issues.
• Information from monitoring of the communication infrastructure, i.e. information obtained by collecting data from active network elements and information about IP flows, we keep in full quality (without loss of information value) for 6 months, summarized (with loss of information value) in the form of statistical data for 5 years. We keep personal data related to information on the use of CESNET e-infrastructure resources for as long as they are needed for the operation and improvement of the service, or, in the case of projects, for the period specified by the individual providers of targeted support, but at least 5 years after completion of the projects.

Recipients of personal data

CESNET transfers personal data to other entities only in necessary cases. Where possible (i.e. where this does not contradict the purposes of the transfer listed below), we only transfer anonymised data.

Transfer on the basis of a legal provision

Under the Cybersecurity Act, CESNET is obliged to report detected cybersecurity incidents. Cybersecurity incident reporting may include IP addresses related to the reported incident, to a lesser extent other technical identifiers, and to a very limited extent the information may be of such a nature that it can be linked to the data subject.

According to the Electronic Communications Act, the CESNET association is obliged to provide operational and location data to designated entities in specified cases. CESNET shall transmit such data in the case of services covered by this Act.

We are also obliged to hand over network traffic records, which may contain identifiers such as IP address, MAC address or other technical identifiers, to law enforcement authorities upon request.

Transmission based on legitimate interest

Personal data in the form of operational and location data and other unique identifiers used by individual CESNET e-Infrastructure services may be disclosed to network and service administrators from organisations connected to the CESNET e-Infrastructure and to members of security teams as part of the process of resolving operational problems and security incidents.

The association is a member of national and international security infrastructures (Fenix, TF-CSIRT, CSIRT.CZ Working Group), where an informal condition of participation is the sharing of experience and information in the field of security, which includes sharing information about detected security events, anomalies and vulnerabilities.

Personal data in the nature of statistically processed data on the use of CESNET e-infrastructure resources is provided to CESNET members and providers of targeted support.

Rights of data subjects

You can exercise the following rights with CESNET Associationin relation to the personal data processed in the CESNET e-infrastructure:

• the right to information and access to personal data (Art. 15 GDPR),,
• the right to rectification (Art. 16 GDPR),
• the right to erasure (Art. 17 GDPR),
• the right to restriction of processing (Art. 18 GDPR),
• the right to object (Art. 21 GDPR),
• the right to raise a complaint to the Office for Personal Data Protection – you can contact the Office for Personal Data Protection, pplk. Sochor 27, 170 00 Prague 7, at any time with a request, suggestion or complaint.

We will require your identification if you choose to exercise your rights in privacy matters. Exercising your rights is free. CESNET may charge a fee for processing a request if the request is clearly unfounded or unreasonable (in which case we may also refuse to comply with the request). The exercise of any right must not affect the rights of third parties.

If you exercise any of your rights in relation to the personal data we process, we will inform you of the resolution of your request within one month of receipt of the request. We may extend this time limit by two months in view of the complexity and number of requests we process, in which case we will inform you accordingly.

Contact details for exercising your rights can be found at www.cesnet/en/contacts.

How we protect your personal data

CESNET users’ personal data are treated legally and with due care in compliance with personal data protection regulations. The same principles apply in respect of the user data stored with us.

The priority is to ensure data confidentiality, availability and integrity, i.e. prevent any unauthorised access to data, their unauthorised leak, disclosure or other unauthorised processing while ensuring their high availability.

The core of security measures applied in the CESNET e-infrastructure consists in cutting-edge devices, highly qualified and ethical staff, customised physical protection, and a number of further organisational measures. We are aware that the softest spot of security is the human factor; accordingly we put great emphasis on continuous training of employees and raise their awareness of fundamental principles of security and privacy protection.

Technical measures

• Personal data are kept in a safe environment, only accessible by Association’s employees.
• Encryption and encrypted protocols are used to process personal data (i.e. in accessing them or in their transmission).
• Before accessing or altering own personal data, the users (data subjects) must verify their identity by providing individual login data.
• In order to ensure data availability, confidentiality and integrity, strict rules in respect of the backup of user personal data backup (and data in general) have been defined.
• The traffic is being monitored meticulously and systematically, thus allowing that any operation and security issued are addressed timely and efficiently and their impact is mitigated.
• The operated systems are being tested continuously to identify any vulnerability and other soft spots in their protection.

Organisational measures

• The minimisation principle in respect of granting privileged access rights is adhered by.
• Strict measures in respect of user identity administration, authentication and authorisation are applied.
• All Association’s employees adhere by confidentiality and secure data treatment principles.
• A number of workshops focusing on security is held, available (some of them even compulsory) to all employees.
• Personal data protection commissioner has been appointed, acting also as privacy protection consultant.
• Procedures for maintain processing logs and risk assessment have been introduced.
• Data processing agreements have been concluded with sub-contractors commissioned to process the data by the Association.

Physical measures

• The Association’s premises, including special work places (laboratories, computer halls, etc.), are protected by means of access management and CCTV systems.
• The fundamental features of the communication infrastructure and services have sufficient performance and redundancy, thus ensuring smooth operation.

Overview of your information – Your user profile in the Perun system.

Služba Zoom poskytovaná sdružením CESNET a ochrana osobních údajů

Sdružení CESNET zajišťuje přístup ke cloudové videokonferenční službě Zoom pomocí uživatelských účtů v rámci e-infrastruktury CESNET.

K zajištění přístupu ke službě Zoom je nezbytné pracovat s následujícími údaji, které mohou být spojeny s konkrétním uživatelem (subjektem dle GDPR):

• Emailová adresa – emailová adresa uživatele slouží jako primární identifikátor uživatele pro službu Zoom,
• Křestní jméno, Příjmení, Zobrazované jméno – slouží pro snazší identifikaci uživatele v rámci meetingů,
• Afiliace – seznam všech afiliací uživatele využívaný pro potřeby autorizace uživatele (licencované účty na službě Zoom například neposkytujeme studentům),
• Organizace – organizace uživatele sloužící pro zpracování statistik a vykazování využití služby. 

Uvedené osobní údaje uvolňuje při přístupu ke službě Zoom prostřednictvím https://cesnet.zoom.us/ a Sign in with SSO nebo v Zoom klientovi na všech platformách při při přihlášení pomocí SSO v doméně cesnet.zoom.us uživatel. 

Výše uvedené osobní údaje jsou při přístupu ke službě Zoom přebírány z IdM systému Perun, který provozuje sdružení CESNET. Jejich zpracování na straně sdružení CESNET se řídí pravidly ochrany osobních údajů sdružení CESNET.

Uvedené osobní dále zpracovává Zoom Video Communications Inc., 55 Almaden Blvd, 6 th Floor, San Jose, CA 95113 v rámci poskytování služby Zoom v cloudu. Zpracování osobních údajů na straně Zoom Video Communications Inc. se řídí podmínkami poskytování služby Zoom, prohlášením o ochraně osobních údajů společnosti Zoom Video Communications Inc. a je v souladu s nařízením GDPR.

Další informace k ochraně osobních údajů najdete také na hlavních stránkách sdružení CESNET.

eduroam

Identity Federation and Personal Data Protection

Personal Certificates

Personal data in the services of electronic mailing lists

1. In compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, further in this text referred to as ‘GDPR’), the CESNET association informs the entities on terms and conditions under which personal data in providing the electronic mailing list service are processed. Data subjects are natural persons using the electronic mailing list service.
2. The personal data controller is CESNET, z. s. p. o., Zikova 1903/4, 160 00 Prague 6, id. no.: 63839172, tax id. no: CZ63839172 (“the CESNET Association“). The contact information you can found at our website.
3. The objective of this electronic email list (“the List”) is to share and exchange information, experience and guidelines among the professional community within a particular industry.
4. Your personal data which we retain in relation to the List administration are and shall only be used in relation to the administration of the List, namely to send e‑mails with registration to the List, e-mails from moderator or administrator and other List members.
5. Please be aware that the e‑mails are stored in archives accessible only to the List members, information about conference traffic is stored in logs for operational and security purposes.
6. Your personal data relating to the administration of the List shall only be stored as long as you remain member of the List. The List archives are kept over the entire period of List’s existence.
7. Your personal data are not made accessible to third parties nor traded with. On the contrary, we care for their protection from the technical, organisational and ethical point of view.
8. You keep all rights to the personal data which we retain in relation to the administration of the List as defined by GDPR. You can claim your rights through the contacts listed in note 2 above.
9. These rules are available in Czech and English. Should any discrepancies between the two versions occur, the Czech version shall prevail.

Rules – version 1.0 have been published 22 May 2018.

Consent to personal data processing in relation to the provision of electronic newsletter

1. In compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, further in this text referred to as ‘GDPR’), the CESNET association requests your consent to process personal data for the purpose of sending an e‑mail newsletter.
2. You give your consent to the personal data controller CESNET, z. s. p. o., Zikova 1903/4, 160 00 Prague 6, Id. No.: 63839172, tax id. no.: CZ63839172 (“the CESNET Association“). The contacts can found in the Contact section.
3. You consent that the CESNET Association sends you their e‑mail newsletter( eNews). In order to be able to send it to you, we need to retain the following personal data:

• Name
• Surname
• E-mail

4. Your personal data are and shall only be used in relation to the subscription to the newsletter.
5. The objective of the electronic newsletter is to inform the subscribers about the activities of the CESNET association, about the organised events (workshops, conferences, trainings) and about the news relating to the CESNET Association.
6. Please be aware that the eNews has the following attributes:

• the news into the newsletter are provided solely by the CESNET Association (the Controller);
• the news are saved in the archives, available on the www.cesnet.cz website;
• anyone can subscribe to the newsletter;
• personal data you have provided us shall only be stored as long as you remain the subscriber of the eNews;
• the eNews can be unsubscribed at any time. Once you have unsubscribed, your personal data shall be deleted from the electronic newsletter database.

7. Personal data provided are processed by The Rocket Science Group LLC d/b/a MailChimp, which operates the technology to distribute email campaigns. MailChimp used to distribute our electronic newsletter. The registered office of MailChimp and personal data processing servers are located in the USA. In order to ensure personal data protection while processing the data, CESNET and the company concluded an agreement on personal data processing.
8. You keep all rights to the personal data which we retain in relation to the provision of the electronic newsletter as defined by the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). You can claim your rights through the contacts listed in note 2 above.
9. These rules are available in Czech and English. Should any discrepancies between the two versions occur, the Czech version shall prevail.

These rules – version 1.0 have been published 24 May 2018.

Information on the use of cookies on the CESNET’s website(s)

To ensure the functionality of the CESNET¨s website(s), the use of so-called functional cookies is essential.

• Cookies are short text files generated by a web server and stored on your computer via your web browser.
• Functional cookies are necessary to ensure the basic functions of the website and cannot be disabled without blocking the website functions.
• Information obtained via functional cookies is not passed on or processed by external subjects.
• Functional cookies can be deleted via options in your web browser.

The performance (analytics) cookies are used on the CESNET’s website(s).

The above information is valid from 1 January 2024.

Information on the processing of personal data in CESNET is available at www.cesnet.cz/en/gdpr.

Informace o zpracování osobních údajů pro osoby spolupracující s odd. TMC CESNET

Osoby spolupracující s oddělením nástrojů pro administraci a bezpečnost sdružení CESNET (dále jen „oddělení TMC“) přistupují k interním informacím a nástrojům tohoto oddělení po přihlášení do IdM systému TMC CESNET. Za tímto účelem je těmto osobám vytvořen v procesu registrace účet, při čemž dochází ke zpracování osobních údajů. Níže naleznete informace o tomto zpracování osobních údajů ve smyslu Nařízení Evropského parlamentu a Rady (EU) 2016/679 ze dne 27. dubna 2016 o ochraně fyzických osob v souvislosti se zpracováním osobních údajů a o volném pohybu těchto údajů a o zrušení směrnice 95/46/ES (obecné nařízení o ochraně osobních údajů, dále jen „GDPR“).

Správcem osobních údajů ve smyslu GDPR je CESNET, zájmové sdružení právnických osob (dále jen „sdružení CESNET“). Správce nese odpovědnost za řádné a zákonné zpracování osobních údajů. Kontakt na sdružení CESNET a jeho pověřence pro ochranu osobních údajů naleznete zde: https://www.cesnet.cz/kontakty/.

V systému TMC CESNET jsou zpracovávány pouze ty osobní údaje, které jsou nezbytné pro vytvoření uživatelského účtu. Jedná se o základní identifikační a kontaktní údaje zadané při registraci. Účelem zpracování těchto údajů je tedy řízení přístupů k interním nástrojům a informacím oddělení TMC.

Osobní údaje jsou zpracovávány na základě oprávněného zájmu sdružení CESNET na zabezpečení interních nástrojů a informací před neoprávněným přístupem k nim.

Osobní údaje jsou zpracovávány po dobu existence uživatelského účtu. Uživatelský účet bude smazán po uplynutí šesti měsíců od ukončení spolupráce a/nebo ukončení členství v některé z pracovních skupin oddělení TMC.

Nezbytně nutné osobní údaje mohou být předávány službám třetích stran, které jsou v rámci oddělení TMC používány pro spolupráci. Jedná se především o externí cloudové služby nebo komunikátory. Aktuální seznam těchto externích služeb a sadu předávaných údajů je možné nalézt na https://www.liberouter.org/liberouter_user/.

Dále pro osoby spolupracující s oddělením TMC přiměřeně platí informace o zpracování osobních údajů uživatelů e-infrastruktury CESNET, které jsou k dispozici zde: https://www.cesnet.cz/zpracovani-osobnich-udaju/.

V případě dotazů ohledně zpracování osobních údajů se můžete kromě výše uvedených kontaktů obrátit také na oou(at)cesnet.cz.

Poslední aktualizace informací: 2. srpna 2022

Information about processing personal data for participants of public events of the CESNET association

When organizing public events of the CESNET association, the personal data of the participants of these events is processed. Below there can be found the information about this processing of personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”).

The controller of personal data within the meaning of the GDPR is CESNET, interest association of legal entities (hereinafter referred to as the „CESNET association”). The controller is responsible for the fair and lawful processing of personal data. The contact details of the CESNET association and its data protection officer can be found here: https://www.cesnet.cz/en/contacts.

When organizing public events of the CESNET association, only personal data limited to what is necessary to ensure communication with the participants of these events are processed. These are the basic identification and contact details provided during registration for the specific event.

Personal data are then processed for the following purposes:

• Ensuring the organisation of the event for which the participant has been registered (confirmation of attendance at the event, transmission of organisational instructions, sending materials from the event, etc.). The processing of personal data is necessary for the implementation of the event and is implemented by sending information emails to the email address provided during the registration.
• Ensuring invoicing and subsequent fulfillment of obligations of the CESNET association’s tax and accounting obligations if it is a paid event. In this case, personal data is processed on the basis of the concluded contract or on the basis of the controller’s legitimate interest in recovering unpaid financial amounts and for the fulfillment of legal obligations in the area of tax and accounting. In such cases, the period of processing of personal data is governed by statutory limitation periods and the mandatory retention period for accounting and tax documents.
• Providing networking opportunities, which is an integral part of most of the CESNET association’s public events. In case of networking events, if participants fill in the information about the organisation they intend to represent at the event when registering, this information will also be included on the participant’s nameplate. In this case, the personal data is processed on the basis of the legitimate interest of the association CESNET, because the support of cooperation in the field of information technology between different entities is one of the objective for which the association CESNET was founded.
• Finding out participant‘s feedback. The CESNET association has a legitimate interest in processing this personal data, because the feedback of participants serves to improve the quality and therefore the effectiveness of the events.
• Archiving of attendance lists from realized events, which the CESNET association holds on the basis of its legitimate interest, because the CESNET association is obliged to document the use of these resources due to character of the sources of funding its activities. Attendance records shall be kept for five years, if the provider of the financial resources would not command differently.
• Adressing participants with the offer of the similar events. The CESNET association has a legitimate interest in using the contacts of participants of past events to send invitations to other similar events and by this way expend awareness of its activities and of various topics in the field of information technologies. Participants have the right to refuse these offers at any time. Personal data is kept for this purpose for 24 months.

The personal data of participants in the association’s events are not transmit to other entities, unless this is an obligation determined by law.

Event participants whose personal data is processed related with their registration for an event are allowed to enforce the following rights at the CESNET association:

• right to informations and access to personal data (Article 15 GDPR),
• right to rectification (Article 16 GDPR),
• right to erasure (Article 17 GDPR),
• right to restriction of processing (Article 18 GDPR),
• right to object (Article 21 GDPR),
• the right to lodge a complaint to Personal Data Protection Office – you can contact the Personal Data Protection Office, pplk. Sochora 27, 170 00 Prague 7, at any time with a request, suggestion or complaint.

In case you choose to enforce your rights in matters of personal data protection, we will require your identification. Enforcing your rights is free of charge. The CESNET association may require a fee to process a request if the request is manifestly unfounded or unreasonable (in which situation we also have the right to refuse the request). The enforce of any of the rights must not affect the rights of third parties.

If you enforce any of the rights in relation to the personal data processed, we will notify you of the resolution of your request within one month of receipt of the request. We may extend this time limit by two months, with respect to complexity and number of requests to be processed, in which case we will inform you.

Contacts for exercising your rights can be found at www.cesnet.cz/en/contacts.

In case of questions regarding the processing of personal data, you can also contact oou(at)cesnet.cz.

Last updated: December  7th 2022