Personal data processing

Information on the processing of personal data valid until 11.11.2021 is available here: https://www.cesnet.cz/cesnet/personal-data-protection/?lang=en.


Information on the processing of personal data in CESNET valid from 12.11.2021:

In accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”), we hereby inform you about how we process personal data when providing CESNET e-infrastructure services.

Who is the data controller and who is the data subject:

The controller of personal data within the meaning of the GDPR is CESNET, an association of legal entities (“CESNET Association”). The controller is responsible for the proper and lawful processing of personal data.

CESNET association contacts and contacts to data protection officer: https://www.cesnet.cz/contacts/?lang=en.

The CESNET e-Infrastructure, which is operated by the CESNET Association, is a large research infrastructure within the meaning of Act No. 130/2002 Coll., on Support of Research and Development from Public Funds, and provides services to organisations that comply with the Terms and conditions for the access to the CESNET e-infrastructure. By accessing the CESNET e-Infrastructure, an organisation (and through it, individuals – i.e. employees and students, and thus data subjects as defined by the GDPR) gains access to a unique set of ICT services: superior high-speed access to the Internet and to partner networks for science, research and education worldwide, data storage, compute-intensive environments, collaboration support, security, identity management and other services.

Personal data processing in e-INFRA CZ:

The CESNET e-infrastructure is part of a unique e-infrastructure for research, development and innovation in the Czech Republic called e-INFRA CZ, which consists of:

  • e-infrastructure CESNET, operated by CESNET, an association of legal entities, ID No.: 63839172;
  • CERIT Scientific Cloud, operated by Masaryk University, ID No.: 00216224;
  • IT4Innovations national supercomputing centre, operated by VSB – Technical University of Ostrava, ID No.: 61989100.

One of the goals of e-INFRA CZ is to connect its individual parts so that users gain unified access to e-INFRA CZ services and unified user support when using these services. The e-INFRA CZ services can be used by users who, in accordance with the Conditions for access to e-INFRA CZ infrastructure, have the status of e-INFRA CZ user.

For the purpose of operation and fulfilment of the objectives of e-INFRA CZ, selected personal data of users of the CESNET e-infrastructure, for which it is necessary, are processed jointly by all operators of e-INFRA CZ in the regime of so-called joint controllers within the meaning of Article 26 GDPR. The joint processing of personal data will not apply to users for whom this is legally excluded (see Article II paragraph 3 of the Conditions for access to e-INFRA CZ infrastructure).

Detailed information on the joint processing of personal data in e-INFRA CZ can be found on the web page: https://www.e-infra.cz/en/personal-data-processing.

Purposes and legal basis for the processing of personal data in e-Infrastructure CESNET:

We only process data that is necessary for the provision of services and user support, for the fulfilment of obligations arising from legislative regulations and other obligations (e.g. conditions of support providers in the framework of projects). We process data from users of our services (current and former) and, to a limited extent, from potential users who have expressed an interest in the services and with whom communication is established to make the services available. It is not possible to use the CESNET e-infrastructure services without providing personal data required for the operation of the e-infrastructure.

When providing CESNET e-infrastructure services, we process your basic personal and contact data, data from operation and use of services, data from communication with you, or other data so that the scope of these data is appropriate and limited to the necessary scope in relation to the purpose for which we collect and process your personal data.

Unless otherwise stated, we process the following categories of personal data on the basis of the legitimate interest of CESNET in providing the following services:

  • of an appropriate quality, so we monitor the operation of the services and carry out evaluations of them;
  • in a secure manner, so we monitor the network and applications and respond promptly to detected threats;
  • provided in compliance with funding bodies and their rules, so we modify the rules for using the services and keep records of them to the required extent;
  • in collaboration with national and international organizations and infrastructures with similar focus.

Providing access to service

To access services that require authentication and authorization for quality assurance and security purposes, the user needs to create a user identity in one of the IdM systems. In providing these services, we need to know your basic identification, contact information and home organization information. This information is provided to us when you first access the CESNET e-infrastructure. In addition, we record various internal identifiers and information about user permissions in order to perform authorization and authentication.

In the context of accessing CESNET’s e-infrastructure services that do not require authentication and authorisation, personal data such as IP address (as well as other identifiers that allow tracking the source and destination of communications) and other unique identifiers used by each service are processed.

Providing the actual operation of the service

In order to provide you with access to CESNET e-infrastructure services, to offer quality services, to develop them, to solve operational and security problems and, among other things, to protect your personal data, we analyze and process records from operation of systems and services (logs), operational and location data from operational and security monitoring and optimize the running of sub-tasks and the service itself.

Monitoring and Security

To ensure the stability of operation and security of services, to protect users and their data as well as to deal with cyber security events and incidents, we process information from network traffic and from user access to individual services (so-called operational and location data, logs). This information may include, for example, the technological identifiers of the traffic, information about the identity of the user requesting access to the service, the result of the authentication process or time stamps of the access or access attempt.

We process the above information not only on the basis of our legitimate interest, but also for the purpose of fulfilling our legal obligations. These legal obligations stem, for example, from Act No. 127/2005 Coll., on Electronic Communications, and Act No. 181/2014 Coll., on Cyber Security, which set out obligations in the area of storing traffic and location data and detecting and reporting cyber security incidents.

Statistics

For the sustainability of the operation of the CESNET e-infrastructure and its services, for development, security and quality of service improvement, and for reporting to providers of targeted support and members, we process primary data using statistical methods. These data typically include the usage rate of CESNET e-infrastructure, the way CESNET e-infrastructure is used, the usage of services, the number of detected and reported operational and security problems, the types and severity of operational and security problems, etc.

Communications

We process information from communications made, from meetings, consultations, from telephone calls (in the form of minutes and records), from e-mail communications when solving operational or security problems (in tickler system environment) including the resolution of complaints, service requests or information from communications when providing access to service, etc. This information enables us to improve services, internal processes and user support. We also process feedback, comments, suggestions and the results of non-anonymous surveys as personal data.

Personal data retention period:

  • When processing your personal data, we follow the rule of minimization. We only keep the data that is necessary to provide the CESNET e-infrastructure services and your rights.
  • The processing of personal data is initiated when you first use the CESNET e-Infrastructure service and personal data such as name, surname, e-mail, telephone number, name of your home organisation, user identity in an external IdM system (e.g. EPPN) are stored in a non-anonymised form for the entire period of use of the CESNET e-Infrastructure service.
  • Personal data: first name, last name, e-mail, name of the home organisation, user identity in the external IdM system (e.g. EPPN), user identity created for the CESNET e-Infrastructure and unique user identifier for the CESNET e-Infrastructure are kept after the end of the use of the CESNET e-Infrastructure services for security reasons (in particular to prevent duplication of user account identities) and for reporting on the use of CESNET e-Infrastructure resources. The controller shall establish the technical and organisational conditions for the security of personal data to ensure their integrity and confidentiality.
  • Personal data in the nature of traffic and location data (so-called logs), such as IP address (as well as other identifiers enabling the source and destination of communication to be traced) and other unique identifiers used by the individual services of the CESNET e-Infrastructure, shall be retained for 18 months and then deleted, unless otherwise specified in the terms and conditions of operation of a particular service.
  • Personal data appearing in security incident reports, together with the entire course of the security incident resolution, i.e. including communication with the person responsible for the resolution (which usually includes the following data – first name, last name, e-mail, name of the home organization) are kept in unaltered form and are not deleted. The same applies to the reporting and resolving of operational issues.
  • Information from monitoring of the communication infrastructure, i.e. information obtained by collecting data from active network elements and information about IP flows, we keep in full quality (without loss of information value) for 6 months, summarized (with loss of information value) in the form of statistical data for 5 years. We keep personal data related to information on the use of CESNET e-infrastructure resources for as long as they are needed for the operation and improvement of the service, or, in the case of projects, for the period specified by the individual providers of targeted support, but at least 5 years after completion of the projects.

Recipients of personal data

CESNET transfers personal data to other entities only in necessary cases. Where possible (i.e. where this does not contradict the purposes of the transfer listed below), we only transfer anonymised data.

Transfer on the basis of a legal provision

Under the Cybersecurity Act, CESNET is obliged to report detected cybersecurity incidents. Cybersecurity incident reporting may include IP addresses related to the reported incident, to a lesser extent other technical identifiers, and to a very limited extent the information may be of such a nature that it can be linked to the data subject.

According to the Electronic Communications Act, the CESNET association is obliged to provide operational and location data to designated entities in specified cases. CESNET shall transmit such data in the case of services covered by this Act.

We are also obliged to hand over network traffic records, which may contain identifiers such as IP address, MAC address or other technical identifiers, to law enforcement authorities upon request.

Transmission based on legitimate interest

Personal data in the form of operational and location data and other unique identifiers used by individual CESNET e-Infrastructure services may be disclosed to network and service administrators from organisations connected to the CESNET e-Infrastructure and to members of security teams as part of the process of resolving operational problems and security incidents.

The association is a member of national and international security infrastructures (Fenix, TF-CSIRT, CSIRT.CZ Working Group), where an informal condition of participation is the sharing of experience and information in the field of security, which includes sharing information about detected security events, anomalies and vulnerabilities.

Personal data in the nature of statistically processed data on the use of CESNET e-infrastructure resources is provided to CESNET members and providers of targeted support.

Rights of data subjects:

You can exercise the following rights with CESNET Association in relation to the personal data processed in the CESNET e-infrastructure:

  • the right to information and access to personal data (Art. 15 GDPR),
  • the right to rectification (Art. 16 GDPR),
  • the right to erasure (Art. 17 GDPR),
  • the right to restriction of processing (Art. 18 GDPR),
  • the right to object (Art. 21 GDPR),
  • the right to raise a complaint to the Office for Personal Data Protection – you can contact the Office for Personal Data Protection, pplk. Sochor 27, 170 00 Prague 7, at any time with a request, suggestion or complaint.

We will require your identification if you choose to exercise your rights in privacy matters. Exercising your rights is free. CESNET may charge a fee for processing a request if the request is clearly unfounded or unreasonable (in which case we may also refuse to comply with the request). The exercise of any right must not affect the rights of third parties.

If you exercise any of your rights in relation to the personal data we process, we will inform you of the resolution of your request within one month of receipt of the request. We may extend this time limit by two months in view of the complexity and number of requests we process, in which case we will inform you accordingly.

Contact details for exercising your rights can be found at https://www.cesnet.cz/contacts/?lang=en.


The above information on the processing of personal data is valid from 12. 11. 2021.


Further information about the processing of personal data in CESNET:

Last change: 2.11.2021