The data controller processing your personal data is the Slovak University of Technology in Bratislava, established at Vazova 5, 812 43 Bratislava, Slovak Republic, registration number: 00397 687 (hereinafter referred to as “STU” or “we”), also considered to be the controller even when your personal data are processed by STU faculties and/or university workplaces and entities of STU designed for specialized purposes. A data controller has the status of a public university pursuant to Act. No. 131/2002 Coll. on Higher Education and on Changes and Supplements to certain acts (hereinafter referred to as “Law on Higher Education”).

A Data Protection Officer has been appointed to enforce the legitimacy and safety of personal data processing within STU. At the same time, the Data Protection Officer is your contact point for any questions or requests related to personal data protection.STU Data Protection Officer’s contact details: e-mail: dpo@uniba.sk, address for correspondence: Data Protection Officer, Slovak University of Technology in Bratislava, Vazovova 5, 812 43 Bratislava, Slovak Republic.

For what purposes are your personal data being processed?

Your personal data are being processed for the following purposes:

Purpose of personal data processing			Primary legal basis
1.	Personnel and salary purposes	Compliance with legal obligations (Article 6 Paragraph 1 Letter c) GDPR)
2.	Employer’s control mechanisms	Legitimate interest (Article 6, Paragraph 1, Letter f) GDPR): Monitoring of maintenance of discipline in the workplace
3.	Accounting and tax purposes	Compliance with legal obligations (Article 6 Paragraph 1 Letter c) GDPR)
4.	Academic organisational structures	Compliance with legal obligations (Article 6 Paragraph 1 Letter c) GDPR) and tasks performed in the pubic interest (Article 6 Paragraph 1 Letter e) GDPR)
5.	Compliance with obligations and tasks of the public university	Compliance with legal obligations (Article 6 Paragraph 1 Letter c) GDPR) and tasks performed in the pubic interest (Article 6 Paragraph 1 Letter e) GDPR)
6.	Provision of studies (study purposes)	Compliance with legal obligations (Article 6 Paragraph 1 Letter c) GDPR) and tasks performed in the pubic interest (Article 6 Paragraph 1 Letter e) GDPR)
7.	Issuing of student ID cards	Compliance with legal obligations (Article 6 Paragraph 1 Letter c) GDPR) and tasks performed in the pubic interest (Article 6 Paragraph 1 Letter e) GDPR)
8.	Compliance with legal obligations	Compliance with legal obligations (Article 6 Paragraph 1 Letter c) GDPR)
9.	Purposes of Alumni	Legitimate interest (Article 6 Paragraph 1 Letter f) GDPR): Maintaining contact with graduates
10.	Voluntary disclosure of personal data	Data subject’s consent (Article 6 paragraph 1 Letter a) GDPR)
11.	Protection of property, discipline and safety	Legitimate interest (Article 6 Paragraph 1 Letter f) GDPR): Protection of property, discipline and safety
12.	Entitlement, exercise and defence of legal claims (administration of legislation)	Legitimate interest (Article 6 Paragraph 1 Letter f) GDPR): Entitlement, exercise and defence of legal claims
13.	Ensuring IT security	Compliance with legal obligations (Article 6 Paragraph 1 Letter c) GDPR)
14.	Provision of catering and accommodation	Compliance with legal obligations (Article 6 Paragraph 1 Letter c) GDPR) and tasks performed in the pubic interest (Article 6 Paragraph 1 Letter e) GDPR)
15.	Library and information purposes (Academic library)	Compliance with legal obligations (Article 6 Paragraph 1 Letter c) GDPR) and tasks performed in the pubic interest (Article 6 Paragraph 1 Letter e) GDPR)
16.	Scientific research	Article 89 GDPR
17.	Academic, artistic and literary purposes	§ 78, Article 1, Law on Personal Data Protection
18.	Journalistic purposes	§ 78, Article 2, Law on Personal Data Protection
19.	Raising awareness about the university (marketing purposes)	Legitimate interest (Article 6 Paragraph 1 Letter f) GDPR): Raising awareness about the university
20.	Sending of marketing communication (newsletters)	Consent (Article 6 Paragraph 1 Letter a) GDPR)
21.	Contracting and performance of contracts with natural persons	Performance of contract including pre-contractual commitments (Article 6 Paragraph 1 Letter b) GDPR)
22.	Dealing with complaints	Performance of legal obligations (§ 13 Paragraph 1 Letter c) Law on Personal Data Protection)
23.	Statistical purposes	Article 89 GDPR
24.	For the purpose of archiving	Article 89 GDPR related to the Law on Archives and Registries

Legitimate interests we pursue while processing personal data for the above-mentioned purposes are as follows:

• Monitoring and maintaining discipline in the workplace;
• Protection of property, discipline and safety;
• Entitlement, exercise and defence of legal claims; and
• Raising awareness about the university.

To whom do we disclose your personal data?

The obligation of confidentiality in respect to your personal data is taken seriously. Therefore, we have adopted internal regulations so that your personal data can only be shared with entitled or authorized persons. Should our employees access your personal data, they can do so explicitly on a “need-to-know” basis, meaning that only authorized employees from a department which deals with personal data processing can obtain authorized access, whilst this access is limited by the position, function and duties of the particular employee. Personal data are provided to the following categories of personal data receivers and only to the extent necessary:

• Senior executives and employees of STU;
• Foreign universities providing mobility programs;
• European Union Institutions;
• Organisations financing some student mobility programs;
• International organisations and international networks connecting universities cooperating together where we are a member;
• State bodies competent in the field of education (Ministry of Education, Slovak Centre of Scientific and Technical Information);
• Scientific institutions;
• Providers of technical and IT support/administration;
• Mail carriers and postal undertakings;
• Lawyers, executors, notaries, auditors, advisers;
• Providers of the ISIC/ITIC licence and data integrators for the use of student ID cards
• Development, testing and execution of some processing operations involving the use of personal data in AIS
• OHS
• Accounting and payroll companies;
• Social insurance institutions, health care insurance companies, and so on.

Provided that we use a mediator in order to process your personal data, we always verify if the mediator meets organizational and technical requirements and thus ensure the security of personal data processing. Provided that we use our recipients (internal employees) to process personal data, we always reassure that the data are processed under appropriate authorizations and instructions. The recipients are instructed not only on internal personal data safety regulations, but they are also informed about their legal responsibilities in case of any infringement of these regulations. Provided that a public authority requires disclosure of your personal data, we examine the conditions of the disclosure as defined by current legislation and do not provide your personal data unless these conditions are met. Provided that there is a request to disclose archived information, we act in compliance with an investigative code.

Is there a chance of a cross-border transfer of your personal data?

By default we limit any cross-border transfers of personal data to third countries outside of the European Economic Area (i.e. outside the member states of EU, Iceland, Norway, Liechtenstein), unless necessary. The reason is that, according to decisions of the European Commission, these third countries are not obliged to provide an appropriate level of personal data protection. Nonetheless, in some cases such transfers are performed. Should you require cross-border mobility within available student or employee mobility programmes enabling studies and/or job placement at foreign universities and/or should you request STU to send a confirmation on proper completion of a study programme at STU to a foreign employer or institution, your personal data can be transferred to third countries. An unlimited cross-border transfer of personal data can be performed within the European Economic Area and the following countries, which currently provide an appropriate level of personal data protection, as decided by the European Commission: The Principality of Andorra, Argentina, Faro Islands, Guernsey, Israel, Jersey, New Zealand, Canada (commercial institutions), The Isle of Man, Switzerland, Eastern Republic of Uruguay, the United States of America (companies certified by the Privacy Shield framework).

Transfer to any other third countries (or companies which do not meet specific sector requirements as is the case of Canada and the United States of America), is regarded as a cross-border personal data transfer to a third country which does not guarantee an appropriate level of protection. Provided that such transfer is necessary, we strive to achieve appropriate guarantees pursuant to Article 46 of GDPR, which obliges the personal data receiver in the third country to follow the policies of personal data protection equivalent to those valid in EU. The most frequently, standard contractual clauses approved by European Commission are concluded, provided that is objectively possible. Provided that it is not possible, we must proceed in compliance with exceptions for specific situations pursuant to Article 49 of GDPR. Most frequently this takes the form of your consent to the transfer or performance of contractual relations.

STU also uses secure cloud services of authorized providers with servers placed within EU jurisdiction. However, should the provider of cloud services acting as our data processor provide your personal data, a cross-border transfer to the USA would be possible. The above mentioned provider is Microsoft Inc. company certified by the system of legal guarantees known as Privacy Shield (URL: https://www.privacyshield.gov/welcome). For more information on specific legal guarantees for these cross-border data transfers containing also your personal data see the statement on personal data protection by Microsoft company. (URL: https://privacy.microsoft.com/sk-sk/privacystatement) as well as answers related to the specific legal guarantees used for cross-border transfers (URL: https://products.office.com/sk-sk/business/office-365-trust-center-eu-model-clauses-faq).

Is there a chance of automated personal data processing with a legal effect and/or other significant impact on you?

Automated individual decisions can take place pursuant to Article 22 of GDPR in all these cases:

	The procedure used	Purpose	Expected consequences
Assessing the claim for accommodation in STU student homes	E-Ubytovanie (E-Accommodation) system automatically assesses successful accommodation applications based on a score system and assessment criteria defined in the respective STU regulation.	Effective and fair processing of a vast number of applications for accommodation within the restricted capacity of STU student houses with regard to the legal obligations of a public university.	Resolution of allocation of accommodation (positive / negative). Negative: accommodation not provided.
Originality verification of a final thesis	Anti-plagiarism software has built its own crowd-ware corpus, which scans publicly accessible resources and absorbs a great amount of information from other works and professional publications from abroad. This software verifies and assesses final theses for plagiarism with regard to other papers in the register.	The legal duties of a public university also include a correct assessment of the percentage of plagiarism with other final theses and academic papers.	Resolution on the percentage of plagiarism (positive / negative). Negative: thesis is not approved, shows signs of plagiarism.

 

Pursuant to § 89 Law on Higher Education we are obliged to provide accommodation facilities for students and pursuant to § 63, Article 7, Law on Higher Education we are also obliged to provide originality verification of final theses. In both cases we rely on the legal basis stipulated by legislation. Therefore, we act in accordance with Article 22 Paragraph 2 Letter b) of GDPR, pursuant to Article 22 Paragraph 3, of GDPR which means that you do not have the right to: receive a Controller’s human intervention; express your opinion or; challenge the resolution. Nonetheless, should we receive relevant requests from data subjects who have reasonable doubts as to the correctness of their personal data processing during automated individual decision-making practices, we shall examine them.

How long do we retain your personal data?

Your personal data are retained as long as is necessary for the purpose we process them for. In general, the length of the retention period arises from legislation. Provided that it is not defined in legislation, the retention period of your personal data is always related to a particular purpose and shall be determined in accordance with our internal regulations and/or our registration plan. Provided that you withdraw your consent upon which we process your personal data, we are obliged to cease processing your personal data. However, this does not take away the fact that we can process your personal data in accordance with other legal basis in case our legal duties must be met.

Retention periods of personal data processing for purposes we defined are to be seen in our registration order –(https://www.stuba.sk/buxus/docs//stu/pracoviska/rektorat/odd_pravne_organizacne/registraturny%20poriadok.pdf).

How do we acquire your personal data?

Should your consent be the legal basis for the processing of your personal data at STU, pursuant to Article 6 Paragraph 1, Letter a) of GDPR, you are never obliged to disclose them. Provision of your personal data is based on your free consideration and voluntary action.You have the right to withdraw the consent you granted any time.Withholding your personal data should not have any negative or significant consequences for you, but it can lessen the comfortable use of some services and make it more difficult for you to remain updated. Should a conclusion or performance of a contractual obligation be the legal basis for the processing of your personal data, pursuant to Article 6 Paragraph 1 Letter b) of GDPR, provision of your personal data is a necessary requirement for the conclusion of the contract. Withholding of your personal data may result in the absence of a contractual agreement. Should a performance of our legal duty pursuant to Article 6 Paragraph 1 Letter c) of GDPR or a performance of the task in the public interest be the legal basis for the processing of your personal data, then provision of your personal data is a statutory requirement.  Withholding of your personal data may result in non-performance of the task provided within the competence of academic authorities, the resolution you could be asking for might not be issued, or performance of any other important task could fail. Provided that the processing of personal data in order to meet legal duties pursuant to Act No. 307/2014 Coll. on Certain Measures Related to the Reporting of Antisocial Activities and on Amendments to Certain Acts, withholding of a notifier’s personal data does not mean that the anonymous complaint shall not be investigated. The consequence of lodging an anonymous compliant is that we shall not inform you about the result of an investigation. Should a legitimate interest be the legal basis for your personal data processing and provided that we use the legal basis pursuant to Article 6 Paragraph 1 Letter f) to process your personal data, you are obliged to tolerate such processing, but you also have the right to lodge an objection against it. For more details on this right see the specifically highlighted part below. We may also obtain your personal data from other public authorities or publicly accessible registers.

What are your rights during the processing of your personal data?

“Provided that we process your personal data on the basis of your consent to personal data processing, you have the right to withdraw your consent at any time. You have the right to lodge an effective objection against personal data processing for the purpose of direct marketing including profiling.”

“You also have the right to lodge objections against the processing of your personal data on the basis of legitimate or public interests pursuant to Article 6 Paragraph 1 Letter e) and f) of GDPR, as explained above.”

Requests to exercise the rights of the data subject can be sent in electronic or written form to the above-mentioned contact details of the responsible person.  This procedure does not disturb your right to withdraw the consent you granted for personal data processing, which can be withdrawn at any time and as easily as it was given (e.g. if you granted your consent electronically, you can also withdraw it via e-mail or application without the need to send a written request to the STU address). Neither is your right to lodge an objection by means of automated tools with the use of technical specifications (if available) disturbed. It is highly recommended to explain to the greatest possible extent which right pursuant to GDPR you are going to exercise, what your identification details are (in order to verify your identity) or what purposes and data are concerned. If the request is too general, we are obliged to ask for more details.

GDPR sets general conditions for execution of respective rights, however their existence does not automatically mean that we shall respond to the each request to exercise the right. In some cases, exceptions may be applied, provided that some rights are bound to a specific condition which does not have to be necessarily met every time. Your request related to the particular right shall be dealt with and examined in the view of current legislation as well as our internal policy for dealing with data subjects’ complaints. As a data subject you have the right:

• To require access to personal data we are processing, pursuant to Article 15 of GDPR. This right includes the right to receive a confirmation on personal data processing, the right to obtain access to these personal data and the right to obtain a copy of your personal data we process, provided that it is technically possible;
• To correct and amend personal data pursuant to Article 16 of GDPR, provided that personal data we process are either incorrect or incomplete;
• To erasure of your personal data pursuant to Article 17 of GDPR;
• To restriction of the processing of personal data pursuant to Article 18 of GDPR;
• To data portability pursuant to Art 20 of GDPR;
• To object against legal or public interests we follow, pursuant to Article 21 of GDPR.

As a data subject you also have the right to raise a complain to a surveillance authority, that  is the Office for Personal Data Protection of the Slovak Republic pursuant to § 100 of the Law on Personal Data Protection. For more information see the website  www.dataprotection.gov.sk.

Please note that should there be any doubts about your identity, we may require a credible verification of your identity while dealing with your request to exercise a data subject’s right pursuant to GDPR. It is our duty to prevent disclosure of your personal data to an unauthorised person. Provided that dealing with your request is related to your rights as a data subject pursuant to GDPR, dealing with your request is free of charge. Provided that your request is manifestly unfounded or inappropriate mainly because of its repetition,  we are entitled to charge a reasonable fee in relation to administrative procedures

Cookies

Cookies are small text files to improve the use of websites. They make it possible to recognize previous visitors during logging into the user environment. They also remember a visitor’s choices while opening a new window, measuring website attendance or the way of its use in order to improve the website for its users. Our websites use cookies particularly to ensure their functionality and for basic measurement of visitors’ attendance. Storing these files on your device can be prevented by relevant settings of your web browser. Pursuant to § 55 Article 5 of the Act on Electronic Communications, your browser settings are considered as your consent to the use of our website’s cookies. However, blocking cookies can restrict the functionality of some websites (especially if logging in is required).

Social networks  

It is highly recommended to become familiar with the conditions for privacy protection applying to the providers of social media platforms through which you communicate. Our conditions for privacy protection clarify only basic questions related to the administration of our profiles. To process your personal data via our profiles we work explicitly with typical administrative authorizations. We presume it is clear for you that your personal data are primarily processed by providers of social network platforms and we are not responsible and do not have any control neither over such processing nor over further provisions of your personal data to third parties, cross-border transfers to third countries performed by the providers of the social network platforms in question.

Amendment of conditions on privacy protection

For us, personal data protection is not an one-off exercise. Information we are obliged to provide you with while we process your personal data can be altered or become outdated. Therefore we reserve the right to amend and change these conditions at any time and to any extent. In case we amend these conditions significantly, you shall be informed on such amendments e.g. by means of a general notification on this website or a separate notification via e-mail.