Legal information

• prof. Ing. Miroslav Tůma, CSc. – chairman
• Ing. Radek Holý, Ph.D. – vice chairman
• Mgr. František Potužník – vice chairman
• Mgr. Michal Bulant, Ph.D.
• Ing. Jan Gruntorád, CSc.
• doc. RNDr. Pavel Satrapa, Ph.D.
• Ing. Tomáš Zouhar

• Ing. Michal Sláma – chairman
• Mgr. Kamil Gregorek, MBA
• Mgr. Martin Maňásek
• prof. JUDr. Radim Polčák, Ph.D.
• RNDr. David Skoupil

Ing. Jakub Papírník

Personal data processing in e-INFRA CZ

The CESNET e-infrastructure is part of a unique e-infrastructure for research, development and innovation in the Czech Republic called e-INFRA CZ, which consists of:

•     e-infrastructure CESNET, operated by CESNET, an association of legal entities, ID No.: 63839172;
•     CERIT Scientific Cloud, operated by Masaryk University, ID No.: 00216224
•     IT4Innovations national supercomputing centre, operated by VSB – Technical University of Ostrava, ID No.: 61989100.

One of the goals of e-INFRA CZ is to connect its individual parts so that users gain unified access to e-INFRA CZ services and unified user support when using these services. The e-INFRA CZ services can be used by users who, in accordance with the Conditions for access to e-INFRA CZ infrastructure, have the status of e-INFRA CZ user.

For the purpose of operation and fulfilment of the objectives of e-INFRA CZ, selected personal data of users of the CESNET e-infrastructure, for which it is necessary, are processed jointly by all operators of e-INFRA CZ in the regime of so-called joint controllers within the meaning of Article 26 GDPR. The joint processing of personal data will not apply to users for whom this is legally excluded (see Article  II paragraph  3 of the Conditions for access to e-INFRA CZ infrastructure).

Detailed information on the joint processing of personal data in e-INFRA CZ can be found on the web page: https://www.e-infra.cz/en/personal-data-processing.

Purposes and legal basis for the processing of personal data in e-Infrastructure CESNET

We only process data that is necessary for the provision of services and user support, for the fulfilment of obligations arising from legislative regulations and other obligations (e.g. conditions of support providers in the framework of projects). We process data from users of our services (current and former) and, to a limited extent, from potential users who have expressed an interest in the services and with whom communication is established to make the services available. It is not possible to use the CESNET e-infrastructure services without providing personal data required for the operation of the e-infrastructure.

When providing CESNET e-infrastructure services, we process your basic personal and contact data, data from operation and use of services, data from communication with you, or other data so that the scope of these data is appropriate and limited to the necessary scope in relation to the purpose for which we collect and process your personal data.

Unless otherwise stated, we process the following categories of personal data on the basis of the legitimate interest of CESNET in providing the following services:

• of an appropriate quality, so we monitor the operation of the services and carry out evaluations of them;
• secure manner, so we monitor the network and applications and respond promptly to detected threats;
• provided in compliance with funding bodies and their rules, so we modify the rules for using the services and keep records of them to the required extent;
• in collaboration with national and international organizations and infrastructures with similar focus.

Providing access to service

To access services that require authentication and authorization for quality assurance and security purposes, the user needs to create a user identity in one of the IdM systems. In providing these services, we need to know your basic identification, contact information and home organization information. This information is provided to us when you first access the CESNET e-infrastructure. In addition, we record various internal identifiers and information about user permissions in order to perform authorization and authentication.

In the context of accessing CESNET’s e-infrastructure services that do not require authentication and authorisation, personal data such as IP address (as well as other identifiers that allow tracking the source and destination of communications) and other unique identifiers used by each service are processed.

Providing the actual operation of the service

In order to provide you with access to CESNET e-infrastructure services, to offer quality services, to develop them, to solve operational and security problems and, among other things, to protect your personal data, we analyze and process records from operation of systems and services (logs), operational and location data from operational and security monitoring and optimize the running of sub-tasks and the service itself.

Monitoring and Security

To ensure the stability of operation and security of services, to protect users and their data as well as to deal with cyber security events and incidents, we process information from network traffic and from user access to individual services (so-called operational and location data, logs). This information may include, for example, the technological identifiers of the traffic, information about the identity of the user requesting access to the service, the result of the authentication process or time stamps of the access or access attempt.

We process the above information not only on the basis of our legitimate interest, but also for the purpose of fulfilling our legal obligations. These legal obligations stem, for example, from Act No. 127/2005 Coll., on Electronic Communications, and Act No. 181/2014 Coll., on Cyber Security, which set out obligations in the area of storing traffic and location data and detecting and reporting cyber security incidents.

Statistics

For the sustainability of the operation of the CESNET e-infrastructure and its services, for development, security and quality of service improvement, and for reporting to the purpose support providers and members, we process primary data using statistical methods. These data typically include the usage rate of CESNET e-infrastructure, the way CESNET e-infrastructure is used, the usage of services, the number of detected and reported operational and security problems, the types and severity of operational and security problems, etc.

Communications

We process information from communications made, from meetings, consultations, from telephone calls (in the form of minutes and records), from e-mail communications when solving operational or security problems (in tickler system environment) including the resolution of complaints, service requests or information from communications when providing access to service, etc. This information enables us to improve services, internal processes and user support. We also process feedback, comments, suggestions and the results of non-anonymous surveys as personal data.

Personal data retention period

• When processing your personal data, we follow the rule of minimization. We only keep the data that is necessary to provide the CESNET e-infrastructure services and your rights.
• The processing of personal data is initiated when you first use the CESNET e-Infrastructure service and personal data such as name, surname, e-mail, telephone number, name of your home organisation, user identity in an external IdM system (e.g. EPPN) are stored in a non-anonymised form for the entire period of use of the CESNET e-Infrastructure service.
• Personal data: first name, last name, e-mail, name of the home organisation, user identity in the external IdM system (e.g. EPPN), user identity created for the CESNET e-Infrastructure and unique user identifier for the CESNET e-Infrastructure are kept after the end of the use of the CESNET e-Infrastructure services for security reasons (in particular to prevent duplication of user account identities) and for reporting on the use of CESNET e-Infrastructure resources. The controller shall establish the technical and organisational conditions for the security of personal data to ensure their integrity and confidentiality.
• Personal data in the nature of traffic and location data (so-called logs), such as IP address (as well as other identifiers enabling the source and destination of communication to be traced) and other unique identifiers used by the individual services of the CESNET e-Infrastructure, shall be retained for 18 months and then deleted, unless otherwise specified in the terms and conditions of operation of a particular service.
• Personal data appearing in security incident reports, together with the entire course of the security incident resolution, i.e. including communication with the person responsible for the resolution (which usually includes the following data – first name, last name, e-mail, name of the home organization) are kept in unaltered form and are not deleted. Similarly in the case of reporting and resolving operational issues.
• Information from monitoring of the communication infrastructure, i.e. information obtained by collecting data from active network elements and information about IP flows, we keep in full quality (without loss of information value) for 6 months, summarized (with loss of information value) in the form of statistical data for 5 years. We keep personal data related to information on the use of CESNET e-infrastructure resources for as long as they are needed for the operation and improvement of the service, or, in the case of projects, for the period specified by the individual providers of targeted support, but at least 5 years after completion of the projects.

Recipients of personal data

CESNET transfers personal data to other entities only in necessary cases. Where possible (i.e. where this does not contradict the purposes of the transfer listed below), we only transfer anonymised data.

Transfer on the basis of a legal provision

Under the Cybersecurity Act, CESNET is obliged to report detected cybersecurity incidents. Cybersecurity incident reporting may include IP addresses related to the reported incident, to a lesser extent other technical identifiers, and to a very limited extent the information may be of such a nature that it can be linked to the data subject.

According to the Electronic Communications Act, the CESNET association is obliged to provide operational and location data to designated entities in specified cases. CESNET shall transmit such data in the case of services covered by this Act.

We are also obliged to hand over network traffic records, which may contain identifiers such as IP address, MAC address or other technical identifiers, to law enforcement authorities upon request.

Transmission based on legitimate interest

Personal data in the form of operational and location data and other unique identifiers used by individual CESNET e-Infrastructure services may be disclosed to network and service administrators from organisations connected to the CESNET e-Infrastructure and to members of security teams as part of the process of resolving operational problems and security incidents.

The association is a member of national and international security infrastructures (Fenix, TF-CSIRT, CSIRT.CZ Working Group), where an informal condition of participation is the sharing of experience and information in the field of security, which includes sharing information about detected security events, anomalies and vulnerabilities.

Personal data in the nature of statistically processed data on the use of CESNET e-infrastructure resources is provided to CESNET members and providers of targeted support.

Rights of data subjects

You can exercise the following rights with CESNET Associationin relation to the personal data processed in the CESNET e-infrastructure:

• the right to information and access to personal data (Art. 15 GDPR),,
• the right to rectification (Art. 16 GDPR),
• the right to erasure (Art. 17 GDPR),
• the right to restriction of processing (Art. 18 GDPR),
• the right to object (Art. 21 GDPR),
• the right to raise a complaint to the Office for Personal Data Protection – you can contact the Office for Personal Data Protection, pplk. Sochor 27, 170 00 Prague 7, at any time with a request, suggestion or complaint.

We will require your identification if you choose to exercise your rights in privacy matters. Exercising your rights is free. CESNET may charge a fee for processing a request if the request is clearly unfounded or unreasonable (in which case we may also refuse to comply with the request). The exercise of any right must not affect the rights of third parties.

If you exercise any of your rights in relation to the personal data we process, we will inform you of the resolution of your request within one month of receipt of the request. We may extend this time limit by two months in view of the complexity and number of requests we process, in which case we will inform you accordingly.

Contact details for exercising your rights can be found at www.cesnet/en/contacts.

How we protect your personal data

CESNET users’ personal data are treated legally and with due care in compliance with personal data protection regulations. The same principles apply in respect of the user data stored with us.

The priority is to ensure data confidentiality, availability and integrity, i.e. prevent any unauthorised access to data, their unauthorised leak, disclosure or other unauthorised processing while ensuring their high availability.

The core of security measures applied in the CESNET e-infrastructure consists in cutting-edge devices, highly qualified and ethical staff, customised physical protection, and a number of further organisational measures. We are aware that the softest spot of security is the human factor; accordingly we put great emphasis on continuous training of employees and raise their awareness of fundamental principles of security and privacy protection.

Technical measures

• Personal data are kept in a safe environment, only accessible by Association’s employees.
• Encryption and encrypted protocols are used to process personal data (i.e. in accessing them or in their transmission).
• Before accessing or altering own personal data, the users (data subjects) must verify their identity by providing individual login data.
• In order to ensure data availability, confidentiality and integrity, strict rules in respect of the backup of user personal data backup (and data in general) have been defined.
• The traffic is being monitored meticulously and systematically, thus allowing that any operation and security issued are addressed timely and efficiently and their impact is mitigated.
• The operated systems are being tested continuously to identify any vulnerability and other soft spots in their protection.

Organisational measures

• The minimisation principle in respect of granting privileged access rights is adhered by.
• Strict measures in respect of user identity administration, authentication and authorisation are applied.
• All Association’s employees adhere by confidentiality and secure data treatment principles.
• A number of workshops focusing on security is held, available (some of them even compulsory) to all employees.
• Personal data protection commissioner has been appointed, acting also as privacy protection consultant.
• Procedures for maintain processing logs and risk assessment have been introduced.
• Data processing agreements have been concluded with sub-contractors commissioned to process the data by the Association.

Physical measures

• The Association’s premises, including special work places (laboratories, computer halls, etc.), are protected by means of access management and CCTV systems.
• The fundamental features of the communication infrastructure and services have sufficient performance and redundancy, thus ensuring smooth operation.

Overview of your information – Your user profile in the Perun system.

Služba Zoom poskytovaná sdružením CESNET a ochrana osobních údajů

Sdružení CESNET zajišťuje přístup ke cloudové videokonferenční službě Zoom pomocí uživatelských účtů v rámci e-infrastruktury CESNET.

K zajištění přístupu ke službě Zoom je nezbytné pracovat s následujícími údaji, které mohou být spojeny s konkrétním uživatelem (subjektem dle GDPR):

• Emailová adresa – emailová adresa uživatele slouží jako primární identifikátor uživatele pro službu Zoom,
• Křestní jméno, Příjmení, Zobrazované jméno – slouží pro snazší identifikaci uživatele v rámci meetingů,
• Afiliace – seznam všech afiliací uživatele využívaný pro potřeby autorizace uživatele (licencované účty na službě Zoom například neposkytujeme studentům),
• Organizace – organizace uživatele sloužící pro zpracování statistik a vykazování využití služby. 

Uvedené osobní údaje uvolňuje při přístupu ke službě Zoom prostřednictvím https://cesnet.zoom.us/ a Sign in with SSO nebo v Zoom klientovi na všech platformách při při přihlášení pomocí SSO v doméně cesnet.zoom.us uživatel. 

Výše uvedené osobní údaje jsou při přístupu ke službě Zoom přebírány z IdM systému Perun, který provozuje sdružení CESNET. Jejich zpracování na straně sdružení CESNET se řídí pravidly ochrany osobních údajů sdružení CESNET.

Uvedené osobní dále zpracovává Zoom Video Communications Inc., 55 Almaden Blvd, 6 th Floor, San Jose, CA 95113 v rámci poskytování služby Zoom v cloudu. Zpracování osobních údajů na straně Zoom Video Communications Inc. se řídí podmínkami poskytování služby Zoom, prohlášením o ochraně osobních údajů společnosti Zoom Video Communications Inc. a je v souladu s nařízením GDPR.

Další informace k ochraně osobních údajů najdete také na hlavních stránkách sdružení CESNET.

Information on the privacy policy of the eduroam Federation can be found here : eduroam

Identity Federation and Personal Data Protection

Personal Certificates

Personal data in the services of electronic mailing lists

1. In compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, further in this text referred to as ‘GDPR’), the CESNET association informs the entities on terms and conditions under which personal data in providing the electronic mailing list service are processed. Data subjects are natural persons using the electronic mailing list service.
2. The personal data controller is CESNET, z. s. p. o., Zikova 1903/4, 160 00 Prague 6, id. no.: 63839172, tax id. no: CZ63839172 (“the CESNET Association“). The contact information you can found at our website.
3. The objective of this electronic email list (“the List”) is to share and exchange information, experience and guidelines among the professional community within a particular industry.
4. Your personal data which we retain in relation to the List administration are and shall only be used in relation to the administration of the List, namely to send e‑mails with registration to the List, e-mails from moderator or administrator and other List members.
5. Please be aware that the e‑mails are stored in archives accessible only to the List members, information about conference traffic is stored in logs for operational and security purposes.
6. Your personal data relating to the administration of the List shall only be stored as long as you remain member of the List. The List archives are kept over the entire period of List’s existence.
7. Your personal data are not made accessible to third parties nor traded with. On the contrary, we care for their protection from the technical, organisational and ethical point of view.
8. You keep all rights to the personal data which we retain in relation to the administration of the List as defined by GDPR. You can claim your rights through the contacts listed in note 2 above.
9. These rules are available in Czech and English. Should any discrepancies between the two versions occur, the Czech version shall prevail.

Rules – version 1.0 have been published 22 May 2018.

Consent to personal data processing in relation to the provision of electronic newsletter

1. In compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, further in this text referred to as ‘GDPR’), the CESNET association requests your consent to process personal data for the purpose of sending an e‑mail newsletter.
2. You give your consent to the personal data controller CESNET, z. s. p. o., Zikova 1903/4, 160 00 Prague 6, Id. No.: 63839172, tax id. no.: CZ63839172 (“the CESNET Association“). The contacts can found in the Contact section.
3. You consent that the CESNET Association sends you their e‑mail newsletter( eNews). In order to be able to send it to you, we need to retain the following personal data:

• Name
• Surname
• E-mail

4. Your personal data are and shall only be used in relation to the subscription to the newsletter.
5. The objective of the electronic newsletter is to inform the subscribers about the activities of the CESNET association, about the organised events (workshops, conferences, trainings) and about the news relating to the CESNET Association.
6. Please be aware that the eNews has the following attributes:

• the news into the newsletter are provided solely by the CESNET Association (the Controller);
• the news are saved in the archives, available on the www.cesnet.cz website;
• anyone can subscribe to the newsletter;
• personal data you have provided us shall only be stored as long as you remain the subscriber of the eNews;
• the eNews can be unsubscribed at any time. Once you have unsubscribed, your personal data shall be deleted from the electronic newsletter database.

7. Personal data provided are processed by The Rocket Science Group LLC d/b/a MailChimp, which operates the technology to distribute email campaigns. MailChimp used to distribute our electronic newsletter. The registered office of MailChimp and personal data processing servers are located in the USA. In order to ensure personal data protection while processing the data, CESNET and the company concluded an agreement on personal data processing.
8. You keep all rights to the personal data which we retain in relation to the provision of the electronic newsletter as defined by the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). You can claim your rights through the contacts listed in note 2 above.
9. These rules are available in Czech and English. Should any discrepancies between the two versions occur, the Czech version shall prevail.

These rules – version 1.0 have been published 24 May 2018.

Information on the use of cookies on the CESNET’s website(s)

To ensure the functionality of the CESNET¨s website(s), the use of so-called functional cookies is essential.

• Cookies are short text files generated by a web server and stored on your computer via your web browser.
• Functional cookies are necessary to ensure the basic functions of the website and cannot be disabled without blocking the website functions.
• Information obtained via functional cookies is not passed on or processed by external subjects.
• Functional cookies can be deleted via options in your web browser.

The performance (analytics) cookies are used on the CESNET’s website(s).

The above information is valid from 1 January 2024.

Information on the processing of personal data in CESNET is available at www.cesnet.cz/en/gdpr.

Information on the Processing of Personal Data for Persons Cooperating with the TMC department at CESNET

Persons working with the CESNET Administration and Security Tools Department (referred to as the "TMC Department") access internal information and tools through the CESNET TMC IdM system. To facilitate this, an account is created for these individuals, involving the processing of personal data. Below is information regarding this data processing in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR").

Data Controller

CESNET, an interest association of legal entities ("CESNET Association"), is the data controller under the GDPR. CESNET is responsible for ensuring the lawful and proper processing of personal data. For contact details of CESNET and its data protection officer, please visit [link to contact information].

Data Processing

In the CESNET TMC system, only the personal data necessary for creating a user account is processed. This includes basic identification and contact details provided during registration. The purpose of processing this data is to manage access to the TMC Department's internal tools and information.

Legal Basis and Retention

The processing of personal data is based on CESNET's legitimate interest in protecting its internal tools and information from unauthorized access. Data is retained for the duration of the user account and will be deleted six months after the end of cooperation or termination of membership in a TMC working group.

Data Transfers

Personal data may be transferred to third-party services used for collaboration within the TMC Department. This primarily includes external cloud services or communication platforms. An updated list of these services and the types of data transferred can be found at [link to list of services].

Contact Information

For questions about personal data processing, please contact us at oou@cesnet.cz or use the contact details provided above.

Last updated: 2 August 2022

Information on the Processing of Personal Data for Participants of Public Events Organized by CESNET Association

When organizing public events, CESNET Association processes personal data of the participants. This document provides information on this data processing in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR").

Data Controller

The data controller under the GDPR is CESNET Association, an interest association of legal entities. CESNET Association is responsible for the fair and lawful processing of personal data. For contact details of CESNET Association and its data protection officer, please visit: CESNET Contacts.

Data Processing

For public events, CESNET Association processes only the personal data necessary for communication with participants. This includes basic identification and contact details provided during event registration.

Personal data is processed for the following purposes:

1. Event Organization: To manage the event, including confirming attendance, sending organizational instructions, and distributing event materials. This processing is necessary for event implementation and involves sending information emails to the address provided during registration.

2. Invoicing and Tax Compliance: For paid events, personal data is processed to fulfill tax and accounting obligations. This processing is based on the contract or CESNET Association’s legitimate interest in recovering unpaid amounts and complying with legal requirements. Data is retained in accordance with statutory limitation periods and mandatory retention for accounting and tax purposes.

3. Networking Opportunities: At networking events, information about the participant's organization may be included on their nameplate. This processing is based on CESNET Association’s legitimate interest in promoting cooperation in the information technology field, which is one of its core objectives.

4. Participant Feedback: Feedback collected from participants helps improve the quality and effectiveness of events. This processing is based on CESNET Association’s legitimate interest in enhancing its event offerings.

5. Archiving Attendance Lists: Attendance records are archived for five years due to funding requirements. This retention is based on CESNET Association’s legitimate interest in documenting the use of its resources.

6. Event Invitations: Personal data may be used to invite participants to similar future events. This processing is based on CESNET Association’s legitimate interest in expanding awareness of its activities. Participants may opt out of receiving such invitations at any time. Data for this purpose is retained for 24 months.

Data Transfers

Personal data of event participants is not transferred to other entities unless required by law.

Rights of Participants

Participants have the following rights regarding their personal data:

• Right to information and access (Article 15 GDPR)
• Right to rectification (Article 16 GDPR)
• Right to erasure (Article 17 GDPR)
• Right to restriction of processing (Article 18 GDPR)
• Right to object (Article 21 GDPR)
• Right to lodge a complaint with the Personal Data Protection Office

Requests to exercise these rights may require identification. While exercising these rights is generally free, CESNET Association may charge a fee for manifestly unfounded or excessive requests, or refuse such requests. Any enforcement of rights must not infringe on the rights of third parties.

CESNET Association will respond to requests within one month of receipt. This period may be extended by an additional two months, depending on the complexity and volume of requests.

Contact Information

For questions regarding personal data processing or to exercise your rights, please contact us at oou@cesnet.cz or use the contact details provided on our website.

Last updated: December 7, 2022

CESNET Articles of Association
These articles of association serve as the foundational document governing the association's structure, operations, and membership.

Terms and Conditions of Access to the CESNET e-Infrastructure
Effective from January 1, 2017, these terms and conditions outline the regulations and requirements for accessing and using the CESNET e-infrastructure.

Green Energy Policy
This policy details CESNET's commitment to environmental sustainability through the adoption of green energy practices.