Personal Data Controller / Processor
www.scio.cz, s.r.o., Company ID: 27156125, with its registered office at Pobřežní 34, Prague 8, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, Insert 100551 (hereinafter referred to as “Scio”)
Scio processes its customers’ personal data in ScioLink (online National Comparative Exams project and other projects involving testing), in which case Scio processes the personal data as a Data Controller, or may process test participants’ personal data for other organizations or entities that use ScioLink for their testing, in which case Scio processes personal data as a Data Processor.
Data Protection Officer
The Data Protection Officer may be contacted to request any information regarding personal data processing, as well as to exercise any rights related to personal data processing.
Contact details of the Data Protection Officer:
Telephone: 234 705 032
On this page, you will find basic information about personal data processing in ScioLink, particularly information about the personal data processing within Sciolink’s proctoring services. If you are interested in any additional information, do not hesitate to contact us via our Data Protection Officer’s email. We will be happy to answer your questions.
Categories of Personal Data Processed
What basic data concerning test participants do we process in ScioLink?
The extent of the data processed for a particular test depends on the test sponsor’s requirements for proctoring settings, or, in short, on how strict ScioLink’s monitoring of any given test’s fairness should be.
Data processed during each test:
Data that can be further processed but whose processing depends on the test sponsor’s requirements:
Why do we process the data?
The purpose of personal data processing depends on the specific testing project.
Where Scio’s customers participate directly in the testing as part of one of Scio’s projects (e.g. the online National Comparative Exam), Scio determines the purposes of the processing. Further information is available on our website https://www.scio.cz/osobni-udaje/.
If Scio conducts testing in ScioLink for another organization or entity or their customers, then that organization or entity is the Controller of the test participants’ personal data, determines the purposes of the personal data processing, and informs the test participants about them.
In general, the purpose of personal data processing in ScioLink is to ensure the testing’s fairness and correctness, and the scope of the processed data and processing methods correspond to the need to reliably ensure that the test participants could not cheat or did not cheat. Other technical data (e.g. browser type, device hardware configuration, running applications, and date/time stamp) are processed to ensure ScioLink and its proctoring functions are functioning correctly.
Legal Title of Personal Data Processing
What entitles us to process the personal data, and why do we need to process it?
Further information is provided on a project-by-project basis on the website https://www.scio.cz/osobni-udaje/ on the legal personal data processing titles connected with testing where Scio is the Data Controller. As a rule, this is the performance of a contract concluded with the customer – that is, the test participant.
Personal Data Processing Period
The processing time is usually one month from the test date; in exceptional cases, a maximum of 1 year. How long the data will be processed in ScioLink depends on the conditions of the specific testing project, or on the requirements of the Controller for whom Scio processes the personal data as a Processor in ScioLink. Further information on the processing period can be found here: https://www.scio.cz/osobni-udaje/
Personal Data Processing Method
Verification of the test participant’s identity: the participant shows their ID card to the camera, then confirms on the computer screen that a picture of the document has been taken and selects the data to be saved; the remaining part of the document will be saved in a blurred way (completely illegible). ScioLink further saves an image of the participant from the webcam. The comparison between the ID and the participant’s image is made by the administrator performing the testing (Scio or another administrator).
Taking an audio and video recording of the so-called room scan (according to the rules, the participant shows the room where they are taking the test to the webcam), taking an audio and video recording of the test, recording the screen of the participant’s device during the test: The recordings are evaluated according to the rules set for the specific test. First, the recording is evaluated by ScioLink’s “artificial intelligence” and flagged if a rule violation is detected. Based on this automatic evaluation, ScioLink may (again, depending on the settings for the specific test) notify the test participant that a rule violation is suspected. Otherwise, the suspicion is saved to the recording and checked by an administrator, who then evaluates whether a violation has occurred or not. Thus, there is no automated decision-making within the GDPR’s Article 13(2)(f).
Personal Data Recipients
Personal data processed in ScioLink will not be transferred to other recipients, except for possible external IT administrators, if strictly necessary for operational reasons. These recipients are always bound by confidentiality and conclude a data processing contract guaranteeing the necessary protection of the data subjects’ rights. Personal data will not be transferred outside the EU unless such a transfer is required by a specific project. In that case, the test participant will be informed of the personal data transfer in advance.
Personal Data Categories Processed
The Purpose of Personal Data Processing
We collect the above data to contact (potential) clients who express interest in ScioLink’s services by sending a message via the form on the website.
Legal Personal Data Processing Title
We process the personal data provided upon the data subject’s consent.
Personal Data Processing Period and Method
The personal data provided by a prospective customer via the form on the website www.sciolink.cz, www.sciolink.com or www.sciolink.eu will be stored on our server for five years and used for further communication with the person interested in ScioLink services or for sending new information related to ScioLink. The data will be deleted after this period (if the cooperation with the prospective customer does not continue).
Personal Data Recipients
Personal data processed through the ScioLink website will not be transferred to other recipients.
Anyone whose personal data is processed by the Controller (hereinafter the “Data Subject”) has the following rights. They may be exercised on behalf of a child by their legal guardian.
Right of Access
Everyone has the right to know whether their data is being processed – if so, they have the right to access that data, as well as information about the data’s purposes and categories, their recipients, the storage period, the right to lodge a complaint, the source of the data (if not from the data subject), that automated decision-making is taking place, and the right to obtain a copy of the data.
Right to Information
The Controller informs Data Subjects of any processing of their personal data, whether the data is obtained from the Data Subject or by other means. The Data Subject also has the right to request information from the Controller about the processing of their personal data and the Controller must comply with the request.
Right to Correction
The Data Subject has the right to have inaccurate personal data concerning them corrected by the Controller without undue delay. Taking into account the purposes of the processing, the Data Subject has the right to have incomplete personal data completed.
Right to Erasure
The Data Subject has the right to have the Controller erase personal data concerning the Data Subject without undue delay, and the Controller is obliged to erase the personal data without undue delay if one of the reasons in GDPR Article 17(1) applies or if the exception set out in GDPR Article 17(3) does not apply.
Right to Processing Restriction
The Data Subject has the right to have the Controller restrict personal data processing in the cases set out in GDPR Article 18. In such cases, the data processing shall be limited to storage only, unless the Data Subject consents to further processing.
Right to Data Portability
The Data Subject has the right to obtain the personal data they have provided to the Controller in a structured, commonly used and machine-readable format, and to transmit those data to another Controller without hindrance from the Controller. This right applies in cases expressly provided for in the GDPR, i.e. where the data are processed based on consent or contract and where the data are processed by automation.
Right to Object
The Data Subject has the right to object to the personal data processing and the Controller must no longer process such data if:
Right to Withdraw Consent
If the personal data processing is based on consent to process personal data provided by the Data Subject, the Data Subject has the right to withdraw this consent at any time.
Withdrawal of consent does not affect the lawfulness of processing based on consent given before its withdrawal.
Withdrawal of consent also does not affect personal data processed by the Controller on a legal basis other than consent (in particular if the processing is necessary to perform a contract, legal obligation, or for other reasons specified in applicable law).
Right to Lodge a Complaint
If the Data Subject believes that there has been a breach of the law concerning the protection of their personal data, they have the right to lodge a complaint with the Office for Personal Data Protection or seek judicial protection.
Obligation to Provide Personal Data
Personal data processing of Data Subjects by the Controller is necessary to perform the contract or to enable testing through ScioLink. If the Data Subject does not provide their personal data to the Controller, it will not be possible to conclude a contract between the Data Subject and the Controller or to perform it properly.