Personal data protection

Intro

Controller/processor of personal data

www.scio.cz, s.r.o., Company ID: 27156125, registered office at Přestní 34, Prague 8, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, File 100551 (hereinafter referred to as “Scio”)

At ScioLink, Scio processes personal data of its own customers (the online NSZ project and other testing projects) — in which case it processes personal data as a personal data controller, or it may process the personal data of test participants for other organizations or entities that use ScioLink for its own testing — in which case Scio processes personal data as a processor of personal data.

Data Protection Officer

Scio is not obliged to appoint a Data Protection Officer within the meaning of the GDPR, but considers the protection of personal data to be so important that it has voluntarily appointed such a Data Protection Officer. The officer may be contacted with a request for any information regarding the processing of personal data, as well as for the exercise of any rights related to the processing of personal data.

Contact the Data Protection Officer:

E-mail: poverenec@scio.cz
Phone: 234 705 032

On this page you will find basic information about the processing of personal data in ScioLink, in particular information about the processing of personal data within ScioLink's proctorigenic functions. If you are interested in any additional information, do not hesitate to contact us via email of our representative, we will be happy to answer your questions

General Regulation (EU) 2016/679 of the European Parliament and of the Council on the Protection of Personal Data (GDPR)
GDPR is a comprehensive legislation on the protection of personal data. Scio, like all other controllers and processors of personal data, is obliged to comply with this Regulation.

The aim of the GDPR is to protect data subjects from unauthorised handling of their personal data, including allowing greater control over what happens to their personal data.

Processing of personal data in Sciolink

Categories of personal data processed

What basic data do we process about test participants in ScioLink within NSZ?
The extent of the data processed in the case of a particular test depends on the requirements of the test sponsor for setting the proctoring functions, more simply on how strict ScioLink's supervision should be on the regularity of passing the test.
Data processed when passing each test:

• participant identification data: as a standard, the name, surname, email, date of birth, and the subscriber ID generated for each participant are processed, but at least always at least you need to enter at least an email address and date of birth to identify a particular participant
• answers to test questions

Data which may be further processed but whose processing depends on the requirements of the test sponsor:

• if necessary, verification of the identity of the test participant: a photograph of selected parts of the ID card, including a photograph (parts of the document are selected by the test participant when taking a picture of the document, the whole identity document is not stored) and a video camera image of the participant taken before the start of the test
• video and audio recording of the scan of the room where the exam is held
• video and audio recording of the exam itself
• screen recording of the computer during the test
• device metadata (web browser, running applications in the background during the test, connected devices, IP address, operating system and hardware configuration)

Purpose of processing personal data

Why do we process data?

The purpose of processing personal data depends on the specific testing project.
In the event that Scio's customers participate directly in testing as part of one of its projects (e.g. online NSZ), Scio determines the processing purposes and more detailed information about them is available on the website https://www.scio.cz/osobni-udaje/

If Scio conducts testing in ScioLink for another organization or entity, for its customers, then such organization or entity is the controller of the personal data of the direct test participants and determines the purposes for the processing of personal data and informs the test participants about them.

In general, the purpose of processing personal data in ScioLink is to ensure the regularity and correctness of the testing, and the scope of the data processed and the processing methods correspond to the degree of need to ensure more or less reliably for specific testing that the test participants could not cheat or did not cheat. Other technical data (e.g. browser type, hardware configuration of the device, running applications and date/time stamp) are processed for the proper functioning of ScioLink and its proctoring functions.

Legal title of personal data processing

What authorizes us to process this personal data, or why do we need to process this data?

More information on the legal titles of personal data processing in connection with testing, where Scio is the controller of personal data, can be found by project on the website https://www.scio.cz/osobni-udaje/.

In cases where Scio processes personal data as a processor for another controller, it does so on the basis of a personal data processing agreement with such controller.

Period of processing of personal data

How long the data will be processed in ScioLink depends on the conditions of the particular testing project () or the requirements of the controller for whom Scio, as processor, processes personal data in ScioLink. The usual time is one month from the date of testing.

Method of processing personal data

Verification of the identity of the test participant: The participant shows his identity card to the camera, then confirms the capture of a picture of the document on the computer screen and selects the data to be stored from it, the remaining part of the document will be stored blurred (completely illegible). Next, ScioLink saves a snapshot of the participant from the webcam. The comparison of the identity document and the participant's snapshot is done by the employee of the administrator for whom the testing is carried out (Scio or another administrator).

Acquisition of audio and video recordings from the so-called room scan (according to the established rules, the participant shows the room where the test takes place on the webcam), obtaining audio and video recordings from the test, recording from the participant's device screen during the exam, recording from the participant's device screen during the exam: The recordings are evaluated according to the rules set for the specific testing. First, the record evaluates ScioLink's “artificial intelligence” and marks in the record if it detects rule violations. Based on this automatic evaluation, ScioLink can (again according to the settings for the specific test) alert the test participant to suspected rule violations. Otherwise, the suspicion is put on record and checked by the administrator, and he then evaluates whether the rules have been violated or not.

Rights of data subjects

Anyone whose personal data is processed by the controller (hereinafter referred to as the “data subject”) has the following rights. They can then be claimed by a legal guardian on behalf of the child.

Right of access

Everyone has the right to know whether or not his data is being processed — if so, then he has the right to access this data, as well as information about the purposes, categories of data, recipients, storage time, the right to lodge a complaint, the source of the data (if it is not from the data subject), that automated decision-making takes place and also has the right to obtain a copy of this data.

Right to information
The controller shall inform the data subjects of all methods of processing of their personal data, whether data obtained from the data subject or in the event that it obtains the data in another way. The data subject also has the right to request the Controller to provide information about the processing of his/her personal data and the Controller shall comply with it.

Right to rectification
The data subject has the right to have the Controller correct inaccurate personal data concerning him without undue delay. Taking into account the purposes of the processing, the data subject has the right to supplement incomplete personal data.

Right to erasure
The data subject has the right to have the Controller erase personal data relating to the data subject without undue delay and the Controller will delete them. However, the condition for deletion is compliance with certain conditions stipulated by the GDPR:

• Personal data is no longer needed for the purpose for which it was collected.
• The data subject withdraws consent and there is no other legal reason (title) for processing.
• The data subject objects to the processing and there is no overriding reason for the processing.
• Personal data are processed unlawfully.
• Deletion is imposed by legal regulation.
• This is data about the child collected in connection with information society services.

Right to restriction of processing
The data subject has the right for the Controller to restrict the processing of personal data, in cases stipulated by the GDPR (the subject denies the accuracy of the data; the processing is unlawful, but the subject refuses to delete it; the controller does not need the data for the original purpose, but the subject requires it for the exercise of its claims; the data subject has objected). In such a case, the processing of the data shall be limited only to the storage of the data, unless the consent of the subject to other processing is given.

Right to data portability
The data subject has the right to obtain the personal data concerning him, which he has provided to the Controller, in a structured, commonly used and machine-readable format, and the right to transmit such data to another controller without the Controller being prevented from doing so. This right applies to cases expressly mentioned in the GDPR, i.e. if the data are processed on the basis of consent or contract and at the same time if the data is processed automatically. In the case of personal data processed by Scio, such a situation does not normally occur.

Right to object
The data subject has the right to object to the processing of personal data and the Controller does not process such data if:

• the processing of personal data necessary for the performance of a task in the public interest or has a legitimate interest in it by the controller, and the controller does not demonstrate compelling legitimate grounds for processing that outweigh the interests or rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
• This is processing for direct marketing purposes.

Right to withdraw consent
If the processing of personal data is based on the consent to the processing of personal data provided by the data subject, the data subject has the right to withdraw this consent at any time.

Withdrawal of consent shall not affect the lawfulness of processing based on the consent given prior to its withdrawal. Withdrawal of consent also does not affect the processing of personal data processed by the Controller on the basis of a legal basis other than consent (i.e., in particular, if the processing is necessary for the fulfillment of a contract, legal obligation or for other reasons specified in the applicable legislation).

Right to lodge a complaint
If the data subject considers that there has been a violation of the legislation relating to the protection of his/her personal data, he/she has the right to lodge a complaint with the Office for Personal Data Protection or to seek judicial protection, if necessary.