Sensitive personal data processing

CONSENT TO THE PROCESSING OF SENSITIVE PERSONAL DATA

I hereby grant

the company International Study Programs, s.r.o., Company Identification Number: 27166708, registered office Karlovo náměstí 2097/10, Nové Město, 120 00 Prague 2, Czech Republic, listed in the Commercial Registry kept by the Municipal Court in Prague, section C, insert 101374; contact e-mail address: info@studyprograms.com; telephone contact: +420 277 012 500 (hereinafter as the “ISP” or “the Controller”),

the following consent, and I declare that: 

- I voluntarily consent to the processing of My Personal Data to the following extent:

Information about possible medical and dietary restrictions

(hereinafter as “My Personal Data”);

- I am providing My Personal Data for the following purposes:

Maintaining a record of My Personal Data to ensure provision of appropriate services provided by the Controller

- I consent to My Personal Data being stored and processed, in accordance with this consent, for the period until the revocation of my consent to its processing;

- I have been informed that during the processing of My Personal Data, appropriate technical, organisational and administrative security measures will be used which protect My Personal Data against loss, misuse, unauthorised access, publication, changes and destruction;

- I have been informed that ISP is processing My Personal Data as the Controller and that, for the purposes specified above, My Personal Data may also be shared with ISP’s subcontractors so that they can perform processing for ISP. I have also been informed that My Personal Data may be shared with external co-workers and other service providers which ISP uses to fulfil tasks on its behalf, including, for example, providers of accommodation services, transportation services, etc.

- I have been informed that, in order to protect its legitimate interests, ISP reserves the right to store, access and publish all information which is essential for compliance with legal regulations, or for the purpose of defending its legitimate interests within the scope of possible legal proceedings, or for the purpose of protecting the assets or security of ISP, or its employees or clients.

- I consent to the transfer of My Personal Data to countries where the academic trip will be taking place in order to fulfil the contract between me and the Controller.

I am aware that the transfer of My Personal Data to those countries may be associated with the risks of disclosure or misuse of My Personal Data, as those countries may not provide the same level of protection of personal data as the country of the Controller does.

I hereby grant my consent to the processing of My Personal Data in accordance with Regulation (EU) no. 2016/679 of the European Parliament and of the Council of 27/04/2016, On the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC, also known as the General Data Protection Regulation, where this Regulation is to come into effect on 25/05/2018 (hereinafter “GDPR”).

I confirm that I have been informed of my rights in relation to the processing of My Personal Data, within the meaning of articles 13, 15-22 and 34 of the GDPR.

In particular, I am aware that:

As per article 13 of the GDPR:
- I have the right to request access to My Personal Data from the Controller,

- I have the right to request the correction, deletion or restricted processing of My Personal Data, and to raise an objection against the processing, as well as the right to the transferability of the data,

- I have the right to file a complaint with a supervisory body,

- The provision of My Personal Data to the Controller is not a statutory or contractual requirement, i.e. I am not obliged to provide My Personal Data to the Controller,

As per article 15 of the GDPR - right to access to My Personal Data:
- I have the right to obtain confirmation from the Controller of whether My Personal Data is being processed or not and, if it is being processed, then I have the right to obtain access to My Personal Data and to the following information: a) purposes of the processing; b) categories of affected personal data; c) recipients or categories of recipients, with whom My Personal Data was or will be shared, particularly recipients in third countries or in international organisations; d) the planned period for which My Personal Data will be stored or, if it cannot be determined, the criteria used to stipulate this period; e) the existence of the right to request, from the Controller, the correction, deletion or restricted processing of My Personal Data and/or raise an objection against this processing; f) the right to file a complaint with a supervisory body; g) all available information about the source of My Personal Data if it was not obtained directly from me; h) the fact that the automated decision-making, including profiling, set forth in article 22 paragraph 1 and 4 of the GDPR has occurred and, in these cases at least, meaningful information relating to the process used, as well as the significance and expected consequences for me of such processing.

- I have the right to be provided with a copy of My Personal Data which is processed by the Controller. For additional copies, the Controller may charge me a reasonable fee on the basis of administrative costs. If I submit the request in electronic form then the information will be provided in such an electronic form that is normally used, unless I ask for it to be provided in a different manner.

As per article 16 of the GDPR – right to the correction of My Personal Data:
- I have the right to have the Controller correct inaccurate personal data which relates to me, without undue delay. With regard to the purposes of the processing, I have the right to have incomplete personal data supplemented via the provision of an additional declaration.

As per article 17 of the GDPR – right to the deletion of My Personal Data:
- I have the right to have the Controller delete My Personal Data without undue delay, if one of the following reasons is given: a) My Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed; b) I revoked this consent to the processing of My Personal Data and there is no other legal reason for the processing; c) I raised objections against the processing as per article 21 paragraph 1 of the GDPR, and there are no predominant legitimate reasons for the processing or I raised objections against the processing as per article 21 paragraph 2 of the GDPR; d) My Personal Data was processed illegally; e) My Personal Data must be deleted in order to fulfil the legal obligations stipulated in the law of the European Union or a Member State thereof, which relate to the Controller. What is set forth under point h) will not be applied if the processing of My Personal Data is essential: a) for the exercise of the right to freedom of speech and information; b) for the fulfilment of a legal obligation which requires the processing as per the law of the European Union or a Member State thereof, which relates to the Controller, or for the fulfilment of a task performed in the public interest or during the exercise of public authority, if the Controller was entrusted with it; c) for reasons of public interest in the area of public health; d) for archiving purposes which are in the public interest, for the purposes of scientific or historical research or for statistical purposes in accordance with article 89 paragraph 1 of the GDPR; e) for the determination, exercise or defence of legal claims.

As per article 18 of the GDPR - right to the restricted processing of My Personal Data:
- I have the right to have the Controller restrict the processing in any of the following cases: a) if I denied the accuracy of My Personal Data, for the period necessary for the Controller to verify the accuracy of My Personal Data; b) the processing is illegal, and I would refuse the deletion of My Personal Data and request a restriction of its use instead of it; c) the Controller no longer requires My Personal Data for processing purposes, but I would require it for the determination, exercise or defence of legal claims; d) I would raise an objection against the processing as per article 21 paragraph 1 of the GDPR, until it can be verified whether the Controller’s legitimate reasons prevail over my legitimate reasons.

- If the processing is restricted as per point j) above then, with the exception of its storage, My Personal Data may only be processed with my consent, or for the determination, exercise or defence of legal claims, for the defence of the rights of another natural or legal person, or for reasons of an important public interest of the European Union or a Member State thereof.

As per article 19 of the GDPR - reporting obligation regarding the correction or deletion of My Personal Data, or restricted processing:
- The Controller notifies the individual recipients to whom My Personal Data was made available of all corrections, deletions or restricted processing of My Personal Data, with the exception of cases where it is shown to be impossible or requires excessive effort. The Controller only informs me about these recipients if I ask them to do so.

As per article 20 of the GDPR – right to the transferability of data:
- Under the conditions of the aforementioned provision, I have the right to obtain personal data which relates to me and which I provided to the Controller, in a structured, commonly used and machine-readable format, and the right to share this data with another controller, without the Controller to whom the personal data was provided preventing me from doing so.

As per article 21 of the GDPR – right to raise an objection:
- Based on reasons relating to my specific situation, I have the right to raise an objection against the processing of My Personal Data at any time, on the basis of article 6 paragraph 1 section f) of the GDPR, including profiling based on these provisions. The Controller will no longer process My Personal Data if they do not demonstrate serious legitimate reasons for the processing, which prevail over my interests, rights and freedoms, or for the determination, exercise or defence of legal claims.

- I can exercise my right to raise an objection by automated means using technical specifications.

As per article 22 of the GDPR - automated individual decision-making, including profiling:
- I have the right not to be the subject of any decision based exclusively on automated processing, including profiling, which has legal consequences for me or which significantly affects me in a similar manner. This does not apply if the decision is: a) essential for the conclusion or fulfilment of a contract between me and the Controller; b) permitted by the law of the European Union or a Member State thereof which relates to the Controller and which also stipulates appropriate measures which protect my rights, freedoms and legitimate interests; c) based on my explicit consent.

As per article 34 of the GDPR – reporting of personal data security breaches:
- If it is likely that a certain case whereby the security of My Personal Data is breached will result in a great risk to my rights and freedoms, then the Controller is obliged to notify me of this breach, without undue delay.

- However, the notification as per the previous point q) is not required if any of the following conditions is fulfilled: a) the Controller has implemented the appropriate technical and organisational protective measures, and these measures were used, particularly those which make My Personal Data incomprehensible for anyone who is not authorised to access it, such as, for example, encryption; b) the Controller has implemented the following measures which ensure that the great risk to my rights and freedoms as per point q) above will probably not manifest itself; c) it would require excessive effort.

I am aware that I can also contact The Office for Personal Data Protection, registered office Pplk. Sochora 727/27, 170 00 Prague 7 - Holešovice, Czech Republic, directly with my suggestions in matters relating to personal data.