Data Protection Officer/ Management Control and Security Office

Processing of personal data in connection with the organization of events, conferences, and competitions

DATA CONTROLLER

1. The data controller (administrator) of personal data of participants of events, conferences and competitions organized by the University is the Silesian University of Technology represented by the Rector
2. If the event is organized jointly with another university or partner and these entities jointly decide on the purposes and means of processing the personal data of the participants, they act as joint controllers of the data. In such a situation, a written co-administration agreement should be concluded in accordance with Article 26 of the GDPR, specifying in particular:

• • the responsibilities of the parties,
  • the rules for exercising the rights of data subjects,
  • how to comply with the information obligation.
    A template for the personal data co-administration agreement is in annex 1. 

3. If the co-organizers do not jointly decide on the purposes and means of data processing but process the data of the participants in the scope of their own tasks, they act as separate controllers of personal data.

ENTRUSTING THE PROCESSING OF DATA

1. In the case of using the services of an external entity (e.g. handling registration of participants), the processing of personal data may be entrusted to this entity on the basis of the contract for entrusting the processing of  personal data, in accordance with Article 28(3) of the GDPR - a template for the personal data processing agreement is in annex 2.
2. Entrusting may only take place to an entity that ensures an adequate level of security of data processing, verified, among others, through a security survey             –  a template for the processor verification questionnaire is in annex 3.

LEGAL BASIS FOR DATA PROCESSING

1. Personal data of participants of events and competitions are processed for the purpose of registration, organization, and documentation of the event on the basis of Article 6(1)(e) of the GDPR, i.e. the performance of a task performed in the public interest.
2. These activities result from the mission of the university specified in the Law on Higher Education and Science, including, among others, conducting scientific activities and popularizing science.
3. Therefore, obtaining the consent of the participants to the processing of data in order to organize the event is not required.
4. Documentation related to the organization of the event is kept for the period resulting from the archiving and financial regulations in force at the University.

IMAGE PROCESSING AND INFORMATION COMMUNICATION

1. In the case of processing the image of participants or sending information about events organized by the University, the legal basis for data processing is the consent of the data subject (Article 6 paragraph 1 letter a of the GDPR).
2. Consent must be given separately for each purpose of processing and may be withdrawn at any time.
3. Failure to consent to the use of the image or sending information about events may not constitute a reason for refusal to participate in the event.

• • A template for the consent to use the image of an adult is in annex 4 
  • A template for the consent to use the image of a minor is in annex 5
  • A template for the consent to receive information about events with a scientific profile or promoting science is in annex 6.

IT TOOLS

1. When organizing events, only IT tools approved for use at the University must be used.
2. The use of other tools requires the prior consent of the Administrator of IT Systems after conducting the security assessment of data processing.

RESPONSIBILITY OF THE EVENT OR CONTEST ORGANIZER

The organizer of the event is responsible in particular for:

1. preparation of the rules of the event or competition
2. ensuring the security of personal data processed;
3. obtaining consents to the processing of data in cases required by the provisions of the GDPR (e.g. image, sending information about events);
4. conclusion of a co-administration agreement or data processing agreement – if required;
5. storage of documentation related to consents and data processing;
6. applying the principle of data minimization, which consists in collecting only data necessary for the organization of the event;
7. compliance with the information obligation toward participants in accordance with Art. 13 GDPR (e.g. by placing an information clause on the registration page, in invitations or at the event venue): 

• • a template for the information clause for participants of an event in which the Silesian University of Technology is the Controller (administrator) of personal data is in annex 7,
  • a template for the information clause for participants of an event in which the Silesian University of Technology is the Joint -Controller of personal data is in annex 8.