Go to main content | Go to main menu | Go to search

Information for data subjects on exercising their rights

pursuant to Article 15 et seq. of Regulation (EU) 2016/679 of the European Parliament and of the Council, on the protection of personal data (GDPR)

Rights of the data subject in the processing of personal data

The data subject is granted rights in the processing of personal data that are set out and defined in detail in the legal regulations on the protection of personal data, in particular Articles 15-22 of the GDPR.

Masaryk University is obliged to provide a response to the data subject's request to exercise rights under the GDPR without undue delay and in any case within one month of receiving the request. In exceptional cases, the deadline may be extended by two months, of which the data subject must be informed by MU, including the reasons for the extension.

Right of access to personal data (Article 15 of the GDPR)

The data subject has the right to request confirmation from MU whether personal data concerning the data subject are being processed by MU, and if so, the data subject has the right to access his/her personal data and other related information, which are in particular:

  • the purpose of the processing
  • the categories of personal data concerned
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed
  • the period for which the personal data will be stored
  • information on the transfer of personal data to third countries
  • information on whether automated processing or profiling is taking place.

Right to rectification of personal data (Article 16 of the GDPR)

If the personal data of the data subject are incorrect, inaccurate or have been changed, the data subject has the right to have them corrected. Taking into account the purposes for which MU processes personal data, the data subject also has the right to have incomplete data completed. MU is obliged to take all reasonable measures to ensure that the processed personal data are regularly updated or corrected.

Right to erasure of personal data – right to be forgotten (Article 17 of the GDPR)

The data subject has the right to have MU erase personal data concerning him or her without undue delay, including all copies stored on any devices, storage systems, or other locations where such data may be kept.

This right shall not apply if the processing of personal data is still necessary and MU has a valid legal basis under Article 6(1) of the GDPR, in particular where the processing is necessary for:

  • fulfilment of a legal obligation of MU as a controller
  • for archiving purposes, scientific or historical research purposes or for statistical purposes
  • for the establishment, exercise or defence of legal claims of MU.

Right to restriction of processing of personal data (Article 18 of the GDPR)

The data subject has the right to restrict the processing of personal data, i.e. to have his/her personal data not subject to any processing operations for a limited period of time.

MU must restrict the processing of personal data, in particular when:

  • the data subject disputes the accuracy of the personal data
  • MU processes the personal data without sufficient legal grounds
  • the personal data are not necessary for MU as the controller for the purposes of the processing, but the data subject requires them for the determination, exercise or defence of legal claims
  • the data subject objects to the processing - the controller is obliged to restrict the processing of personal data for the duration of the investigation.

Right to data portability (Article 20 of the GDPR)

The data subject has the right to receive the personal data concerning him/her, which he/she has provided to the controller, in a structured, commonly used and machine-readable format, if technically feasible, and may request that MU transmit the personal data to a previously designated controller, where this is not prevented by a legal obstacle. The condition is that such processing is based on the consent of the data subject or the performance of a contract concluded by the data subject with MU, and at the same time that it is carried out automatically.

Right to object (Article 21 of the GDPR)

The GDPR distinguishes three types of right to object, which are always linked to processing based on a specific legal basis:

  • the right to object to processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority or processing based on the legitimate interests of the controller or a third party (Article 21(1) of the GDPR)
  • the right to object to processing for direct marketing purposes, including profiling (Article 21(2) and (3) of the GDPR)
  • the right to object to processing for scientific or historical research purposes or for statistical purposes (Article 21(6) of the GDPR).

When assessing the objection, the controller is entitled to assess whether it is unfounded or must demonstrate that there are compelling legitimate grounds for further processing that outweigh the interests of the subject or the public interest.

Automated individual decision-making, including profiling (Article 22 of the GDPR)

The data subject has the right not to be subject to a decision based solely on automated processing of personal data concerning him or her, including profiling, provided that the decision produces legal effects for the data subject or similarly significantly affects him or her. The right shall not apply if the processing is based on explicit consent, is authorised by law or is necessary for the conclusion of a contract between the data subject and the controller.

Right to withdraw consent to the processing of personal data

The data subject has the right to withdraw his or her consent to the processing of personal data at any time without giving a reason. After the withdrawal of consent, MU will terminate the processing of personal data if the processing has no legal basis other than the consent of the data subject. The withdrawal of consent shall not affect the lawfulness of the processing carried out before its withdrawal.

Exercise of the rights of the data subject

The data subject is entitled to exercise his/her rights arising from Articles 15-22 of the GDPR against the controller, either:

  • by a written request with an officially certified signature, or on the basis of an officially certified power of attorney, sent to Masaryk University, Data Protection Officer, Žerotínovo nám. 9, 601 77 Brno, or
  • by sending a request to the Masaryk University data box, MU data box ID: 9tmj9e4, or
  • by sending a request in the form of an e-mail message bearing at least a recognised electronic signature of the applicant to the following address: dpo@muni.cz, or
  • by sending a request in the form of an e-mail message from the MU institutional electronic address to the following address: dpo@muni.cz.

The request will be answered within the statutory deadline. In accordance with Article 12, paragraph 5 of the GDPR, all information is provided free of charge. If the requests made by the data subject are manifestly unfounded or excessive, the controller may impose an administrative fee on the applicant or refuse to comply with the request.

The right to lodge a complaint with the competent supervisory authority

Data subjects shall be entitled to lodge a complaint concerning personal data processing to the competent supervisory authority.

The office for personal data protection / Úřad pro ochranu osobních údajů
address: Pplk. Sochora 27, 170 00 Prague 7
phone: +420 234 665 111
website: www.uoou.cz

Reporting suspected violations of personal data protection

Form for reporting a suspected personal data breach

  1. for MU students/employees
  2. for external persons

Further information on personal data protection at Masaryk University can be found at Information on the processing and protection of personal data at MU.

You are running an old browser version. We recommend updating your browser to its latest version.

More info