Regulations and Documents

5.1. Data collection and storage

• Research data are to be stored in a secure location to prevent unauthorised access or data loss, following the methodological guidance on data security. 

• Where possible, research data should be accompanied by rich metadata using standardised vocabularies and should be stored in ​​​​​​standard formats in order to increase their interoperability. 

• If there is an exchange of personal data with a third party where the University is the data exporter, an agreement must be drawn up to ensure the data are protected. 

• When conducting research involving external partners, researchers are advised to draw up an agreement that specifies rights and responsibilities of the involved parties, regarding, for example, intellectual property rights and licensing, or responsibilities in relation to research data management. 

• Researchers are advised to prepare a data management plan for their research projects to ensure the data are complete, accurate, reliable, and secure. Data management plans should be updated regularly to reflect what actually happened with the data. 

5.2. Data preservation

• Research data that serve as a basis for a publication are to be ​​retained for a period of minimum 10 years since the day the research results are published,so that the results may be verified.If it is necessary to delete some data earlier, for example due to contractual obligations, this information is to be provided in the documentation.Researchers are encouraged to retain their research data for as long as feasible. 

• Research data that are being preserved are to be accompanied with ​​sufficient documentation to ensure they can be easily interpreted.  

5.3. Data sharing

Research data should be made available for access and reuse as widely as feasible, in accordance with the principle “as open as possible, as closed as necessary”. When researchers share their data, they should adhere to the following principles. 

• Research data are to be shared along with rich metadata to provide sufficient information on their provenance and to increase their findability and reusability. 

• Metadata of shared data include references, via persistent identifiers, to other related outputs and entities.  

• Research data should be assigned a persistent identifier. 

• Research data should be shared via a trusted repository or a suitable platform that is established within the research field. 

• In compliance with intellectual property rights, research data should be assigned an appropriate licensein order to clearly specify the conditions for reuse, unless funder requirements, statutory or contractual obligations provide otherwise. It is recommended to use open licenses such as Creative Commons Attribution (CCBY). 

• Where appropriate, published research should include a data availability statement which outlines how the underlying data may be accessed.  

6.1. Responsibilities of the researcher

• Researchers are responsible for managing their research data in accordance with the basic principles outlined in this policy. 

• When undergraduate and postgraduate students participate in research, the Principal Investigator or supervisor is obliged to introduce them to the basic principles of research data management.The students have a personal responsibility to contribute to effective data management of the data they work with. 

• Researchers are obliged to comply with the Code of Ethics, General Data Protection Regulation (GDPR),Act on Cyber Security, and with other legal,institutionalor contractual requirements. 

• When reusing or referencing datasets, researchers are obliged to follow proper citation guidelines. 

• Researchers are obliged to allocateappropriate resources for data management in research proposals and grant applications. 

• When researchers find themselves unable to fulfil the requirements set out in this policy due to a failure of the University to provide appropriate resources or support, they should contact the University support team (researchdata@cuni.cz) or the Department of Science and Research (veda@ruk.cuni.cz) to obtain additional advice or support. 

6.2. Responsibilities of the University

• The University is responsible fordisseminating information about the obligations of researchers with respect to research data management. Faculties, Research Institutes and Departments are expected to be proactive in disseminating the information within their communities. 

• The University will provide suitable infrastructure and services to ensure that researchers can comply with the requirements under this policy. 

• The University will provide training and guidance to promote best practice in research data management. 

• The University will provide information and advice on issues related to all aspects of research data management, including research ethics, Intellectual Property Rights, or data protection. 

• The University commits to engage with the research community to discuss the needs of the community in terms of support and infrastructure. 

7. Available support

The Open Science Support Centre manages a website (https://openscience.cuni.cz/en) which provides guidance on best practices in research data management, including information on FAIR data, data collection and storage, data preservation and data sharing as outlined in this policy.

The following departments provide support with research data management: 

Research data management	Open Science Support Centre (researchdata@cuni.cz)
IT support	Computer Science Centre ​ ​(openict@cuni.cz)
Legal advice
Copyright	Open Science Support Centre (openlaw@cuni.cz)
Commercialisation of Intellectual Property	Charles University Innovations Prague a.s. (research.data@cuip.cz)
Personal data protection and other legal support	Legal Department (pravni@ruk.cuni.cz)
Research ethics	Department of Science and Research (veda@ruk.cuni.cz)

Additional support which reflects discipline specific requirements and local environment may be provided by individual Faculties and Research Institutes. 

8. Review period

This policy will be reviewed and updated by the Working Group for the Strategy of Research Data Management at Charles University when changes are required.

9. Related documents

• Guidance on data security: https://hdl.handle.net/20.500.14178/1876 

• Code of Ethics: https://cuni.cz/UKEN-731.html  

The Data Policy was considered and approved by the Research Board of Charles University on 14 December 2023.

The Data Policy was considered with a recommending opinion by the Academic Senate of Charles University on 9 February 2024.

.docx for download

.pdf for download

1. Preamble

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – the GDPR – Charles University informs data subjects about the conditions under which personal data are processed.

2. Personal Data Controller

The personal data controller is Charles University, Ovocný trh 560/5, 116 36 Prague 1, ID no. 00216208, Tax ID no. CZ00216208, Databox ID: piyj9b4 (“Charles University”).

Charles University is a public institution of higher education, in accordance with Act no. 111/1998 Sb., on institutions of higher education, as amended. As a part of its mission, Charles University freely and independently carries out educational activities, and in relation thereto, research, development, innovative, artistic, or other creative activities, and activities associated therewith.

3. Data Protection Officer

The data protection officer at Charles University is Ing. Michal Merta, LL.M., MSc., MBA., , phone: +420 266 266 821.

Should you have any questions or requests concerning the processing and protection of your personal data, you may contact the data protection officer.

4. The principles for processing personal data at Charles University

Charles University considers the protection of personal data to be important and pays careful attention to it. We process your personal data only in the scope necessary for executing the university’s activities or in relation to the services you use at Charles University. We protect personal data to the maximum extent possible and in accordance with law. The principles and rules for processing personal data at Charles University are governed by Rector's Directive No. 16/2018 - Charles University (cuni.cz). The regulation applies the principles and rules arising from the GDPR:

a.	The principle of lawfulness, which requires that we always process your personal data in accordance with law and based on at least one legal title.
b.	The principle of fairness and transparency, which requires that we process your personal data fairly and in a transparent manner and that we provide you information about the manner of their processing together with information about who has access to your data. This includes our obligation to inform you of any case of a serious breach of security or compromise relating to your personal data.
c.	The principle of purpose limitation, which allows us to collect your personal data only for a clearly defined purpose.
d.	The principle of data minimisation, which requires that we process personal data that is necessary, relevant, and adequate in relation to the purpose of the processing.
e.	The principle of accuracy, which requires that we take all reasonable measures allowing us to ensure your personal data is regularly updated or corrected.
f.	The principle of storage limitation, which requires that we store your personal data only for the period necessary for the specific purpose in relation to processing. As soon as the period or purpose for processing expires, we will delete your personal data or anonymized the data (altering the data so that they are no longer personally connected to you).
g.	The principle of integrity and confidentiality, non-repudiation, and availability, which requires that we secure and protect your personal data against unauthorized or unlawful processing, loss, or destruction. For these reasons, we take technical and organizational measures for protecting your personal data. In addition, we ensure that only authorized staff has access to your personal data.
h.	The principle of accountability, which requires that we are able to demonstrate compliance with all of the conditions stipulated above.

5. For what purposes do we process personal data?

For fulfilling its mission, Charles University processes personal data for the following purposes:

a. Educational activities

1. Studies

2. Instruction

3. Entrance proceedings and exams

4. Exchange visits

5. Lifelong learning

6. Library services

b. Research, development, and creative activities

1. Research projects

2. Organizing academic conferences

3. iPublication and editorial activities

4. Procedures for attaining associate professorships and professorships

c. Administrative and operational organization

1. Human resources and wages

2. Finance and accounting

3. Property management

4. Operating agendas

5. E-infrastructure (computing and storage systems, computer networks, electronic mail, voice networks)

6. Providing information pursuant to Act no. 106/1999 Sb., on free access to information

7. Health and safety at the workplace, fire protection, crisis management, and the protection of citizens

8. Public procurement

d. Protection of property and security

1. Camera systems

2. Access to secure areas

3. Security monitoring for operation of the computer network

4. Handling security incidents

5. Building security

e. Commercial activities

1. Karolinum bookshop and UK Point

2. Charles University e-shop

3. Food and accommodation services

4. Commercial contracts

f. Information and promotional activities

1. Websites

2. Marketing and advertising

3. Alumni

4. Junior university

5. Healthcare activities

6. Operation of healthcare facilities

7. Operation of joint workplaces with university hospitals

6. Category of persons for which we process personal data

Charles University processes personal data for the following categories (data subjects):

a.	University staff (or a person in a legal relationship with the university),
b.	Job applicants,
c.	University applicants,
d.	University students,
e.	Former university students (including alumni),
f.	Participants in the lifelong learning programme,
g.	Students of other universities or students on short-term study visits at the university,
h.	Business partners (suppliers, customers),
i.	Researchers and contributors,
j.	External co-workers (e.g. supervisors, co-researchers, co-authors),
k.	Visitors or participants in events organized by the university,
l.	Parties to administrative or court proceedings with the university,
m.	A person requesting information, pursuant to Act no. 106/1999 Sb., on free access to information,
n.	Other persons.

7. Categories of processed personal data

Charles University processes personal data provided directly by private individuals (whether based on consent or other legal grounds) and other personal data created as a part of the activity of processing data and essential for securing the data. This could include the following categories of personal data:

a.	Address and identification data (first name, surname, date and place of birth, marital status, title, citizenship, address (including electronic addresses), telephone numbers, personal ID numbers, digital identifiers, signatures, etc.)
b.	Descriptive data (education, foreign language knowledge, professional qualifications, knowledge and skills, number of children, portrait photos, video/audio recordings of persons, military service, former employment, health insurance company, membership in interest groups, criminal record, etc.)
c.	Study data (records of studies and study activities, study results, awards)
d.	Financial data (bank account number, wages, remuneration, fees, obligations and debts, orders, purchases, taxes, etc.)
e.	Work-related data (records of work and work-related activities, employers, workplaces, assignments and positions, work assessments, awards, etc.)
f.	Operational and location data (typically data from electronic systems relating to a specific data subject – e.g. data on the use of information systems, data operation and electronic communication, use of telephones, access to various areas, records from camera systems, etc.)
g.	Data about the activities of a data subject (publication activity, professional activity, participation in conferences and projects, business travel or study visits, etc.)
h.	Data about other persons (address and identification data for a family member, spouse, child, partner, etc.)
i.	Special categories of personal data (sensitive personal data indicating one’s health status, membership in trade unions, etc.)

8. Legal basis for processing personal data

Personal data as a part of the above activities are processed based on adequate legal grounds:

a.	Fulfilling legal obligations relating to the controller: We require your personal data in this case for the purpose of processing in order to fulfil our legislative obligation as the controller. It relates in particular to Act no. 111/1998 Sb., on institutions of higher education; Act no. 130/2002 Sb., on the support of research and development from public-sector funds; Act no. 262/2006 Sb., the Labour Code; Act no. 563/1991 Sb., on accounting; Act no. 127/2005 Sb., on electronic communication; Act no. 480/2004 Sb. on certain information-society services; Act no. 181/2014, on cybersecurity; and others.
b.	Executing agreements: We require your personal data to enter into contractual relations and for executing the agreements, or also prior to entering into agreements.
c.	Consent of the data subject: Consent that you have provided to process your personal data for one or more specific purposes.
d.	The following authorized interest of the controller in particular: • The protection of property and preventing fraud, • The transfer of personal data within a segment of the university for internal administrative and operational purposes, • Providing security for the computer network and information.

9. Transferring personal data

For the purpose of fulfilling legal obligations, Charles University may transfer select data for specific data subjects (e.g. to public authorities). This applies similarly to cases where authorization for transferring personal data inside Charles University has been provided by the individual consent of data subjects.

10. Period for storing personal data

Data are stored only for the period necessary in relation to the specific activity of processing personal data, and in accordance with the valid Archiving Procedures, the data are then destroyed or archived. We store the personal data that we process with your consent only for the duration of the purpose for which the consent was provided.

11. Rights of data subjects

The right of data subjects to information on processing

Data subjects are entitled to information on whether or not the controller processes their personal data and in what manner this processing is carried out.

The right to access personal data

If a controller processes the personal data of data subjects, the data subjects are entitled to obtain a copy of the data upon providing sufficient proof of their identity.

The right to corrections and supplementation

If the controller processes erroneous or outdated personal data, the controller is obliged to correct the data upon request of the data subjects.

The right to deletion (the right to “be forgotten”)

If consent was given to process data and there does not exist other legal grounds, or if the data subject believes that the controller no longer needs the personal data (because the purpose of the processing has expired), the data subject is entitled to request the termination of processing and deletion of the personal data.

The right to restricted processing

This involves restricting processing to just storing the data if the data subject contests the accuracy of the personal data and the controller needs an additional period for verifying the data or the data subject has objected to the processing based on the legitimate interest of the controller.

The right to data portability

The controller provides personal data in a structured, commonly used electronic format directly to the data subject. The controller may provide the personal data of a data subject to another controller only if it involves automated processing that is based on consent or an agreement, and if it is technically feasible.

The right to object

Data subjects may object to the processing of personal data that pertains to them only in the case of processing that is carried out in the public interest or based on the legitimate interest of the controller.

The right to review automated decisions

If data subjects are subject to decisions established solely on automated processing, they are entitled to review these decisions and any human intervention on the part of the controller.

The right to lodge complaints or to protection

Data subjects are entitled to lodge complaints against the processing of personal data with the supervisory authority (in the Czech Republic, this is the Office for Personal Data Protection) or to request court protection in relation to the supervisory authority, the controller, or the processor.

12. Exercising the rights of data subjects

Data subjects are entitled to exercise their rights arising from the GDPR, commencing on 25 May 2018. The data subjects must exercise their rights against the controller of personal data by sending a request to Charles University’s databox piyj9b4, by sending an e-mail to the officer , or by personal or electronic submission to the officer via the Registrar’s Office of Charles University. For more information on the manner of submission, visit the web page https://www.cuni.cz/UKEN-605.html.

Prior to processing the request, Charles University is entitled and obliged to verify the identity of the requesting party.

13. The right to lodge a complaint with the supervisory authority

Data subjects are entitled to lodge a complaint against the processing of personal data with the supervisory authority, which is the Office for Personal Data Protection.

Contact:

The Office for Personal Data Protection

address: Pplk. Sochora 27, 170 00 Prague 7

phone: +420 234 665 111

web: www.uoou.cz