University of Tuzla Privacy Policy

 

 I Introductory Information

 

Recognizing the importance of privacy, security, and the protection of personal data of all individuals who participate in the business processes of the University of Tuzla, this Privacy Policy (hereinafter: the Policy) is an act that describes the purpose and objectives of the collection, processing, and use of personal data by the personal data controller of the University of Tuzla (hereinafter: the University).

The aim of this Policy is to establish appropriate processes for the protection and management of personal data of individuals whose personal data are processed, in accordance with the GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: the Regulation), the Law on the Protection of Personal Data (“Official Gazette of Bosnia and Herzegovina”, No. 12/25; hereinafter: the Law), and the general acts of the University.

This Policy applies to all current, former, and prospective students of the University, employees and external associates of the University, as well as other natural persons who, as data subjects, share their personal data with the University on various grounds.

The University bases the protection of personal data on the principles of lawfulness, fairness, and transparency; the principle of data minimization and storage limitation; the principle of accuracy and completeness of personal data; the principle of integrity and confidentiality of personal data; and the principle of accountability and reliability.

 

II Purpose of the Collection, Processing and Use of Personal Data

 

The University collects, processes, and uses personal data for the purpose of performing its registered activities, fulfilling legal obligations or tasks carried out in the public interest, as well as exercising the rights and obligations that the University is required to perform in accordance with concluded contracts.

The University collects, processes, and uses personal data lawfully, fairly, and transparently, exclusively for specific, explicit, and legitimate purposes, in a manner that ensures an appropriate level of security of personal data, including protection against unauthorized or unlawful processing, as well as against accidental loss, destruction, or damage, through the application of appropriate technical and organizational measures.

The University collects and processes personal data only if at least one of the following conditions is met:

• the data subject has given consent to the University for the processing of their personal data for one or more specific purposes;
• processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
• processing is necessary for compliance with a legal obligation of the University;
• processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University;
• processing is necessary for the purposes of the legitimate interests pursued by the University or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Personal data are obtained directly from the data subject orally or in writing, or indirectly from other sources.

Depending on whether the data subject is an employee, a student, a contractual party as a natural person, a business associate as a natural person, etc., the University collects, processes, uses, and analyzes the following categories of personal data:

• basic personal data: first and last name, address, personal identification number (JMBG), date and place of birth, gender, contact details (telephone/mobile number, address, e-mail address), information on the type of contractual relationship;
• other personal data made available by the data subject upon establishing and/or during the duration of employment, upon enrollment in studies and/or during studies, or upon establishing other types of contractual/business relationships, such as data from an identity card, bank account details, level of education, other knowledge and skills, data on previous employment, and data on previously completed education;
• special categories of personal data: racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a person’s sex life or sexual orientation, data on medical fitness, information from criminal records, which the University may collect on the basis of legal regulations or the consent of the data subject, etc.;
• data collected through video surveillance systems in the University’s premises for the purpose of increasing the security of movable property within University facilities, enhancing the safety of all persons entering University premises, and increasing the safety of students and employees present in University facilities during the teaching process, as well as during periods when teaching activities are not conducted (night hours, weekends, non-working days, and periods of collective annual leave).

 

III Rights of the Data Subject

 

In the process of personal data processing, the University shall, in an appropriate manner and in written, electronic, or oral form, provide the data subject, at their request, with all information related to the processing of their personal data, in particular information on the purpose of data processing, the legal basis for data processing, legitimate interests, the intention to transfer personal data to third parties, the period for which personal data will be stored, the existence of the data subject’s right of access to personal data, as well as the right to rectification, erasure, or restriction of the processing of personal data, the right to object, withdrawal of consent, and other related rights.

If the request of the data subject is submitted by electronic mail, the University shall provide the information in the same manner, unless the data subject requests otherwise.

The data subject may request from the University, as the data controller, confirmation as to whether their personal data are being processed and may request other information related to the processing of personal data, such as the purpose of the collection and processing of data, the period for which personal data are stored, the right to lodge a complaint with a supervisory authority, as well as other rights related to the processing of personal data.

In case, that the University holds incomplete or inaccurate personal data of the data subject, the data subject may contact the University at any time with a request for the completion or rectification of such data.

The data subject has the right to submit a request for the erasure of personal data (“the right to be forgotten”) in cases where the personal data are no longer necessary in relation to the purposes for which they were collected, or where the data subject withdraws consent and there is no other legal basis for processing the personal data, or where the personal data have been unlawfully processed, or where legitimate interests for processing personal data no longer exist, etc.

The data subject has the right to request restriction of the processing of personal data from the University in cases where the data subject contests the accuracy of the personal data, for a period enabling the University to verify the accuracy thereof, or where the processing of personal data was unlawful and the data subject requests restriction of processing instead of erasure, or in situations where the personal data are no longer needed by the University for the purposes of processing, but are required by the data subject for the establishment, exercise, or defense of legal claims, as well as where the data subject has objected to processing based on legitimate grounds.

The data subject has the right to request from the University the transfer of their data to another controller in a structured, commonly used, and machine-readable format, where this is technically feasible, if the data are processed on the basis of consent that may be withdrawn or for the performance of contractual obligations, and if the processing is carried out by automated means.

The right to object to the processing of personal data belongs to the data subject in cases where the processing of personal data is not necessary for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the University, or where the legitimate interests of the University are overridden by the fundamental rights and freedoms of the data subject which require protection of personal interests.

Where the University relies on consent as the lawful basis for processing personal data, it shall obtain consent from the data subject that is given freely, in written form, using clear, understandable, and plain language with a clearly defined purpose. The data subject has the right to withdraw their consent at any time, which shall not affect the lawfulness of processing based on consent before its withdrawal.

With regard to information about their rights, the data subject may contact the Data Protection Officer (see Section VII of this Policy).

 

IV Storage and Erasure of Personal Data

 

The University shall store personal data only for as long as necessary for the purposes for which the personal data are processed, or within the time limits prescribed by applicable legal regulations. In order to ensure that personal data are not retained longer than necessary, the University, in accordance with applicable legal regulations, defines erasure periods in its general acts, conducts periodic reviews, and undertakes reasonably justified actions to ensure that personal data are erased.

Personal data shall be erased upon the termination of the purpose for which they were collected and processed, and at the latest upon the expiry of statutory obligations and prescribed retention periods related to the storage of personal data, except in cases where enforcement proceedings for the collection of outstanding receivables, court proceedings, or a complaint regarding a service have been initiated, in which case personal data shall be processed and used until the final and legally binding completion of such proceedings.

 

V How and which of your data we collect

 

a) During enrollment in study programs

In accordance with the terms and conditions of the public call for enrollment in study programs, the personal data of prospective students contained in applications and other supporting documents in the enrollment process are collected for the purpose of obtaining student status, i.e., to verify the fulfillment of the criteria for concluding a study contract.

b) Data of students, employees, external associates, as well as users and visitors of the University

In accordance with the Higher Education Act, other laws and bylaws, and the general acts of the University, we carry out higher education activities, as well as professional and scientific-research/artistic-research activities through our public authorizations. Among other things, we perform the following processing of personal data:

• Records of employees at the University;
• Records of payroll calculation and salary payments to University employees;
• Records of calculated and paid income from occasional independent activities and other independent activities, as well as calculated and paid taxes and contributions;
• Records of work-related injuries;
• The registry – records of enrolled students in undergraduate/first cycle and integrated first and second cycle studies, postgraduate/second cycle studies, and doctoral students (pre-Bologna)/enrolled students in third cycle doctoral studies;
• Records of issued diplomas for undergraduate studies / issued diplomas and diploma supplements in the first and integrated first and second cycle studies, scientific/artistic master’s degrees / issued diplomas and diploma supplements of second cycle studies, and issued doctoral degrees;
• Records of academic performance, including exams and other study requirements;
• Other records prescribed by laws and bylaws, implementing and general acts of the University.

In this regard, the University processes personal data through records of candidates for enrollment in the first, integrated first and second cycle studies, second cycle studies, third cycle studies, and lifelong learning programs.

c) Scientific/Artistic Research
Within scientific-research/artistic-research activities, personal data are collected for research purposes in compliance with recognized ethical standards for scientific/artistic research and in accordance with the application of the University of Tuzla’s Code of Ethics.

d) Library
The use of the University Library services is available to students and employees of the University. During the borrowing of library materials, the membership card or student record book is retained only for the duration of the loan period, until the borrowed item is returned, while personal data are not stored.

e) Video Surveillance
Based on its legitimate interest, the University uses a video surveillance system for the purpose of optimizing the protection and safety of students, employees, and third parties present on the University premises, as well as for ensuring the security of facilities and the protection of University property. Personal data contained in video surveillance records are processed solely for these purposes.

f) Website and Automatic Processing of Personal Data
In its operations, the University uses information and communication technologies and digital information resources (hardware, software, access to the internal network and the internet).

The University website – www.untz.ba – as well as the websites of the faculties/Academy of the University may be used without providing any personal data.

In the course of automatic processing of personal data via email, the information system, and other platforms at the University, data are processed and stored for the purposes of official correspondence and for the purposes for which the information systems or platforms of the University have been established. The University will not share personal data with any third party, nor allow them access to such data. In the automatic processing of personal data, the University ensures organizational data protection measures, such as maintaining password confidentiality, secure downloading and saving of documents via email or other sources, compliance with technical instructions during the installation, use, and maintenance of data protection equipment, etc., in accordance with a specific general act.

The University does not offer any online services to children under the age of 16. If you are under 16 years of age, please do not disclose your personal data to us, including your name, address, telephone number, or email address, without the consent of your parent, adoptive parent, guardian, or legal representative. In the event that we become aware that we have collected or received personal data of a child under the age of 16 without the consent of the holder of parental responsibility, such data will be deleted without delay. If you have information indicating that data of a child under the age of 16 have been provided to us, please contact us at rektorat@untz.ba or through the Data Protection Officer (see Section VII of this Policy).

Our websites contain links to other websites and social media platforms, which are not subject to this Privacy Policy. We recommend that you read the privacy protection terms of each website and social media platform you visit, especially where you provide personal data.

The University uses various services and platforms provided by other legal entities (such as Google LLC), subject to mandatory acceptance of their terms of use and privacy policies. We recommend that you review the terms of use and privacy protection policies of such third parties whenever you use their services or platforms at the University on any basis.

 

VI Cookie Policy (“Cookies”)

 

Cookies are small files that your browser stores on your device’s disk when you visit our websites. This enables our websites to recognize your computer. Cookies are not intended to spy on users and do not track everything a user does; they are not malicious code or viruses. Cookies are also not associated with unsolicited messages or spam, cannot store passwords, and are not used exclusively for advertising or marketing purposes. Information such as your name or email address will not be stored – the University’s websites cannot access your personal data or files on your computer.

The University website – www.untz.ba – as well as the websites of the faculties/Academy of the University collect the following types of cookies:

• Strictly necessary cookiesrequired to ensure the proper and uninterrupted functioning of the websites;
• Statistical cookiesthat allow the monitoring of visit statistics of the faculties’/Academy’s websites.

You may always block the use of some or all cookies used on our websites; however, this may affect the functionality of the websites. Additionally, you may accept or reject some or all cookies by adjusting your browser settings.

Information on how to change settings for some of the most commonly used web browsers can be found at the following links:

• Microsoft Edge: https://support.microsoft.com/hr-hr/help/4028646/microsoft-edge-view-and-delete-browsing-history
• Internet Explorer: https://support.microsoft.com/hr-hr/help/17479/windows-internet-explorer-11-change-security-privacy-settings
• Google Chrome: https://support.google.com/chrome/answer/95647
• Mozilla Firefox: https://support.mozilla.org/hr/kb/Brisanje%20kola%C4%8Di%C4%87a
• Safari: https://support.apple.com/hr-hr/guide/safari/sfri47acf5d6/mac
• Opera: https://www.opera.com/help/tutorials/security/privacy/

Some browsers allow you to browse websites in “private” or “incognito” mode, limiting the amount of data stored on your device and automatically deleting persistent cookies placed on your device when you end your browsing session. There are also many third-party applications that can be added to your browser to block or manage cookies. You may also delete cookies that have previously been placed in your browser by selecting the option to delete browsing history and including the option to delete cookies.

More information about cookies can be found at the following links:
http://www.allaboutcookies.org/
http://www.youronlinechoices.eu/

 

VII Data Protection Officer Details

 

Name and surname: Negra Mrkonjić, Bachelor of Laws

Contact telephone: 

Email: sluzbenik@untz.ba

 

VIII Final Provisions

 

We reserve the right to periodically amend and improve the text of this Policy, primarily for the purpose of complying with legislative changes and/or changes in the purposes and methods of data processing. However, we will not limit the rights arising from this Policy or from applicable legal regulations. In the event of changes that may affect your rights, we will inform you thereof in a timely and appropriate manner.

For all matters not specifically regulated by this Policy, the applicable laws and other valid legal regulations of Bosnia and Herzegovina relating to the protection of personal data, as well as the general acts of the University, shall apply accordingly.