Information on Personal Data Processing When Testing via the ScioLink Application

Introduction

Personal Data Controller / Processor

www.scio.cz, s.r.o., Company ID: 27156125, with its registered office at Pobřežní 34, Prague 8, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, Insert 100551 (hereinafter referred to as “Scio”)

Scio processes its customers’ personal data in ScioLink (online National Comparative Exams project and other projects involving testing), in which case Scio processes the personal data as a Data Controller, or may process test participants’ personal data for other organizations or entities that use ScioLink for their testing, in which case Scio processes personal data as a Data Processor.

Data Protection Officer

The Data Protection Officer may be contacted to request any information regarding personal data processing, as well as to exercise any rights related to personal data processing.

Contact details of the Data Protection Officer:
Email: poverenec@scio.cz
Telephone: 234 705 032

On this page, you will find basic information about personal data processing in ScioLink, particularly information about the personal data processing within Sciolink’s proctoring services. If you are interested in any additional information, do not hesitate to contact us via our Data Protection Officer’s email. We will be happy to answer your questions.

Personal Data Processing in ScioLink

Categories of Personal Data Processed

What basic data concerning test participants do we process in ScioLink?
The extent of the data processed for a particular test depends on the test sponsor’s requirements for proctoring settings, or, in short, on how strict ScioLink’s monitoring of any given test’s fairness should be.

Data processed during each test:

• participant identification data: usually the first name, last name, email, date of birth, and participant ID generated for each participant are processed, but at a minimum, an email address and date of birth must always be entered to identify a specific participant
• answers to test questions

Data that can be further processed but whose processing depends on the test sponsor’s requirements:

• if the identity of the test participant needs to be verified: photographs of selected parts of the identity document, including a photograph (the parts of the document are selected by the test participant when photographing the document, the whole identity document is not processed) and the participant’s image from a video camera taken before the test starts
• video and audio recording of the room where the test is being held
• video and audio recording of the actual examination
• computer screen recording of the examination
• device metadata (web browser, applications running in the background during the test, connected devices, IP address, operating system, and hardware configuration)

The Purpose of the Personal Data Processing

Why do we process the data?

The purpose of personal data processing depends on the specific testing project.

Where Scio’s customers participate directly in the testing as part of one of Scio’s projects (e.g. the online National Comparative Exam), Scio determines the purposes of the processing. Further information is available on our website https://www.scio.cz/osobni-udaje/.

If Scio conducts testing in ScioLink for another organization or entity or their customers, then that organization or entity is the Controller of the test participants’ personal data, determines the purposes of the personal data processing, and informs the test participants about them.

In general, the purpose of personal data processing in ScioLink is to ensure the testing’s fairness and correctness, and the scope of the processed data and processing methods correspond to the need to reliably ensure that the test participants could not cheat or did not cheat. Other technical data (e.g. browser type, device hardware configuration, running applications, and date/time stamp) are processed to ensure ScioLink and its proctoring functions are functioning correctly.

Legal Title of Personal Data Processing

What entitles us to process the personal data, and why do we need to process it?

Further information is provided on a project-by-project basis on the website https://www.scio.cz/osobni-udaje/ on the legal personal data processing titles connected with testing where Scio is the Data Controller. As a rule, this is the performance of a contract concluded with the customer – that is, the test participant.

Personal Data Processing Period

The processing time is usually one month from the test date; in exceptional cases, a maximum of 1 year. How long the data will be processed in ScioLink depends on the conditions of the specific testing project, or on the requirements of the Controller for whom Scio processes the personal data as a Processor in ScioLink. Further information on the processing period can be found here: https://www.scio.cz/osobni-udaje/

Personal Data Processing Method

Verification of the test participant’s identity: the participant shows their ID card to the camera, then confirms on the computer screen that a picture of the document has been taken and selects the data to be saved; the remaining part of the document will be saved in a blurred way (completely illegible). ScioLink further saves an image of the participant from the webcam. The comparison between the ID and the participant’s image is made by the administrator performing the testing (Scio or another administrator).

Taking an audio and video recording of the so-called room scan (according to the rules, the participant shows the room where they are taking the test to the webcam), taking an audio and video recording of the test, recording the screen of the participant’s device during the test: The recordings are evaluated according to the rules set for the specific test. First, the recording is evaluated by ScioLink’s “artificial intelligence” and flagged if a rule violation is detected. Based on this automatic evaluation, ScioLink may (again, depending on the settings for the specific test) notify the test participant that a rule violation is suspected. Otherwise, the suspicion is saved to the recording and checked by an administrator, who then evaluates whether a violation has occurred or not. Thus, there is no automated decision-making within the GDPR’s Article 13(2)(f).

Personal Data Recipients

Personal data processed in ScioLink will not be transferred to other recipients, except for possible external IT administrators, if strictly necessary for operational reasons. These recipients are always bound by confidentiality and conclude a data processing contract guaranteeing the necessary protection of the data subjects’ rights. Personal data will not be transferred outside the EU unless such a transfer is required by a specific project. In that case, the test participant will be informed of the personal data transfer in advance.

Processing Personal Data Collected Through the ScioLink Website

Personal Data Categories Processed

Via the form on the websites www.sciolink.cz, www.sciolink.com and www.sciolink.eu, you can provide us with the following information:

• Email
• First and last name
• Name of company or institution

The Purpose of Personal Data Processing

We collect the above data to contact (potential) clients who express interest in ScioLink’s services by sending a message via the form on the website.

Legal Personal Data Processing Title

We process the personal data provided upon the data subject’s consent.

Personal Data Processing Period and Method

The personal data provided by a prospective customer via the form on the website www.sciolink.cz, www.sciolink.com or www.sciolink.eu will be stored on our server for five years and used for further communication with the person interested in ScioLink services or for sending new information related to ScioLink. The data will be deleted after this period (if the cooperation with the prospective customer does not continue).

Personal Data Recipients

Personal data processed through the ScioLink website will not be transferred to other recipients.

Rights of Data Subjects

Anyone whose personal data is processed by the Controller (hereinafter the “Data Subject”) has the following rights. They may be exercised on behalf of a child by their legal guardian.

Right of Access

Everyone has the right to know whether their data is being processed – if so, they have the right to access that data, as well as information about the data’s purposes and categories, their recipients, the storage period, the right to lodge a complaint, the source of the data (if not from the data subject), that automated decision-making is taking place, and the right to obtain a copy of the data.

Right to Information

The Controller informs Data Subjects of any processing of their personal data, whether the data is obtained from the Data Subject or by other means. The Data Subject also has the right to request information from the Controller about the processing of their personal data and the Controller must comply with the request.

Right to Correction

The Data Subject has the right to have inaccurate personal data concerning them corrected by the Controller without undue delay. Taking into account the purposes of the processing, the Data Subject has the right to have incomplete personal data completed.

Right to Erasure

The Data Subject has the right to have the Controller erase personal data concerning the Data Subject without undue delay, and the Controller is obliged to erase the personal data without undue delay if one of the reasons in GDPR Article 17(1) applies or if the exception set out in GDPR Article 17(3) does not apply.

Right to Processing Restriction

The Data Subject has the right to have the Controller restrict personal data processing in the cases set out in GDPR Article 18. In such cases, the data processing shall be limited to storage only, unless the Data Subject consents to further processing.

Right to Data Portability

The Data Subject has the right to obtain the personal data they have provided to the Controller in a structured, commonly used and machine-readable format, and to transmit those data to another Controller without hindrance from the Controller. This right applies in cases expressly provided for in the GDPR, i.e. where the data are processed based on consent or contract and where the data are processed by automation.

Right to Object

The Data Subject has the right to object to the personal data processing and the Controller must no longer process such data if:

• the personal data processing is necessary to perform a task carried out in the public interest or the legitimate interest of the Controller, and the Controller does not demonstrate compelling legitimate grounds for the processing which override the interests or rights and freedoms of the Data Subject or to establish, exercise or defend legal claims.
• the data is processed for direct marketing purposes.

Right to Withdraw Consent

If the personal data processing is based on consent to process personal data provided by the Data Subject, the Data Subject has the right to withdraw this consent at any time.

Withdrawal of consent does not affect the lawfulness of processing based on consent given before its withdrawal.

Withdrawal of consent also does not affect personal data processed by the Controller on a legal basis other than consent (in particular if the processing is necessary to perform a contract, legal obligation, or for other reasons specified in applicable law).

Right to Lodge a Complaint

If the Data Subject believes that there has been a breach of the law concerning the protection of their personal data, they have the right to lodge a complaint with the Office for Personal Data Protection or seek judicial protection.

Obligation to Provide Personal Data

Personal data processing of Data Subjects by the Controller is necessary to perform the contract or to enable testing through ScioLink. If the Data Subject does not provide their personal data to the Controller, it will not be possible to conclude a contract between the Data Subject and the Controller or to perform it properly.