Personal data

This webpage informs Scio’s clients on methods of personal data processing, on their protection and on Scio’s personal data policy in general.

Why to read this webpage?

Scio processes personal data from many different clients: students, schools, parents and their children etc.

  • Clients and participants in the National Comparative Exams can find information on data processing here.
  • Customers from among schools can find information here
  • and parents as clients here.
  • If you want to learn whether and how Scio processes sensitive data in accordance with GDPR Art. 9, look here.
  • If you wish to obtain information on the use of cookies, look here.
  • You can learn about sending business messages here. 
  • And finally, if you are interested in knowing how ScioSchools process and protect their students’ personal data, you can learn more here.

Who is the controller of personal data?

The controller of personal data is, s.r.o. Company, Id. No. 27156125, registered office: Pobřežní 34, Praha 8, registered in the Register of Companies kept by the Metropolitan Court in Prague, Section C, File 100551, hereinafter referred to also as Controller or Scio.

In personal data processing, the Controller meets the duties stipulated by legal regulations, especially by Act no. 110/2019 Sb., On Personal Data Processing, and by Regulation (EU) 2016/679 of the European Parliament and of the Council, General Data Protection Regulation (GDPR).

Does SCIO have a data protection officer?

Scio is not obliged to designate a data protection officer within the meaning of GDPR; however, Scio considers personal data protection so important that it designated one voluntarily. Scio and ScioSchools, whose founder is Scio, have a common data protection officer. 

The data protection officer can be contacted with requests for any information regarding personal data protection, as well as with the aim of exercising any rights related to personal data processing.

Contact of the data protection officer:

  • E-mail:

Regulation (EU) 2016/679 of the European Parliament and of the Council, General Data Protection Regulation (GDPR) 

GDPR is a comprehensive legislation on personal data protection. Scio, like all other controllers and processors of personal data, is obliged to obey this Regulation.

The purpose of GDPR is the protection of data subjects against unlawful treatment of their personal data, including the possibility of a higher control over what happens to their personal data.

National Comparative Exams

Categories of personal data processed

Which basic data of the clients and the participants of NCE are processed within NCE?

  • At the registration to our e-shop (creation of NCE participant’s personal profile): name, surname, e-mail, phone, address
  • Beyond this registration, due to the character of NCE as a condition of university admission and the necessity to verify NCE participant’s identity, date of birth and/or Birth Registration Number in addition to the above
  • Account number in the case of payment by bank transfer
  • Products bought are saved in the personal profile; further, the participant marks here the preferred faculty(ies) he/she applies for
  • Information of socio-demographic nature in the questionnaires. The filling in of the questionnaires takes place within the realization of the exams and is voluntary; the questionnaires are pseudonymized.
  • Identity card number as part of the identity check
  • Photos and/or video recordings from the room where an attendance exam takes place
  • Video recordings / photos taken by a webcam and a shot of the identity card or another document if NCE is taken online; screenshots of the computer monitor 
  • If NCE is taken online, we also process data on the type of the browser and on the hardware configuration of the device from which the test is accessed, its operating system, and information on system configuration, applications running and date/time stamp of saving of the answers on servers
  • And NCE results of course

In case the NCE participant has a health restriction that could make it more difficult for him/her to pass NCE, he/she can ask for an adjustment of NCE conditions. In this case, he/she provides us with information on his/her health restriction, and we process this piece of data, usually in cooperation with the Teiresiás centre (Centre for assistance to students with specific needs of the Masaryk University in Brno). Teiresiás will assess the information provided and medical reports, if any, and decide how the conditions of the exam should be modified. The cooperation with Teiresiás has a contractual basis, and the participants’ data are processed this way for no longer than necessary for the adjustment of NCE conditions. Information on exam modification (not on the health restriction) is provided to the faculty on request.

Accordingly, the NCE participant can inform us that he/she is a left-hander, and we will take this into account during the exam.

Purpose of personal data processing

Why we process personal data:

Performance of a contract with the data subject, i.e. for the purpose of the provision of a service – the participation in the National Comparative Exams, assessment of the exam and communication of the result to the participant 

  • We pass the result to the faculty or faculties chosen based on the instruction given to us by the participant in his/her personal profile 
  • We may also use the e-mail address to send information on NCE or related products by Scio; we send other information by e-mail only subject to consent
  • Questionnaire survey for statistical and research purposes
  • Identity card number in case of complaints of the faculties and to dispel doubts about the presence of a particular participant in the venue of the exam
  • Photos and/or video shots from the rooms where NCE are taking place to guarantee correct course of the exam and to be able to verify it in future 
  • During online NCE, data are processed so as to verify the participant’s identity and to guarantee the fairness and objectiveness of the exam in accordance with usual requirements of standardized testing, to check that the exam rules are observed and to prevent/reveal cheating 

Legal title to process personal data

What gives us the right to process these personal data, or why do we have to process them?

  • We are allowed (and obliged at the same time) to process basic personal data so as to be able to perform a contract made – that is to provide a service bought to the NCE participant. 
  • Accordingly, we have to process personal data to perform a contract in relation to the online mode of NCE, as the subject matter of the contract with a client includes, among other things, the comparability of his/her NCE result with those of other participants, and so we have to be able to guarantee that all results compared are achieved correctly. 
  • Also, the contract made binds us to pass the data of the participant, including the NCE result, to the faculty or faculties chosen. 
  • The Act on Certain Information Society Services enables us (subject to prescribed conditions) to address our clients by e-mail, or by SMS for example, with the offer of our other similar products (we do so on the basis of the controller’s legitimate interest within the meaning of GDPR), just as we are allowed to address those who are not our clients if they have given us their consent (you can find more information here). In a similar way, we can address NCE participant with the offer of the participation in a pilot study on the basis of the controller’s legitimate interest. 
  • Identity card number based on the controller’s legitimate interest
  • As a matter of principle, information on health or other restrictions in relation to the participation in NCE is processed subject to the NCE participant’s explicit consent.
  • Data within a questionnaire survey – filling the questionnaire in is absolutely voluntary; filling it in or failure to do so has no influence on the assessment of the exam. Data are processed exclusively on the basis of the NCE participant’s consent. 

Duration of personal data processing

Documentary data (recording sheets, questionnaires, list for identity check) are processed into the electronic form immediately after the end of the NCE test day in question. The documents are then deposited in a secured store in case a problem occurs with the electronic form of the data, for no longer than necessary, and then they are shredded.

After the documents are converted into the electronic form, all personal data including NCE results are further processed in the electronic form only. Data are saved on Scio’s server and backed up on a backup server. All necessary technical measures for the protection of data on the servers are taken so as to eliminate the risk of data loss or leakage. Access to the data is made possible only to Scio’s staff, duly trained about correct personal data protection and correct measures guaranteeing that no loss or leakage of, or damage to the data or the results can occur. The circle of employees with access to the data is limited only to those who need it. Due to the character of NCEs and the necessity to guarantee their absolute confidentiality and trustworthiness, these measures have been in place in our Company for a long time, even in the days when GDPR represented only a random cluster of consonants.

The following data are processed and saved during the period of one month after the date of the exam:

  • Audio and video recordings of on-line NCE, including recordings of the participant’s monitor, with the exception of recordings of the exams, the execution of which was found irregular and Scio decided on the invalidity of their results, and with the exceptions of the recordings of the participants who chose the possibility of keeping the recordings saved until the end of the admission procedure 
  • Examination records in the documentary form
  • Questionnaires in the documentary form
  • A photo of the identity card and a photo of the participant for his/her identification verification serve exclusively for this verification. (Exceptionally, it can be necessary to save these photos in the case of uncertainty about the identity of the person who took the exam, until such uncertainty is solved. However, the participant is always informed in time if such situation arises.)
  • Onboarding recordings, including answers to questions in the trial test and in the questionnaire 

The following data are archived, in case various objections or complaints have to be solved, until the end of October of the relevant academic year (in view of the end of the admission procedure in the given year, in which the NCE results are to be used): 

  • Recording sheets
  • Lists for identity check from the attendance NCE
  • Audio and video recordings of on-line NCE, including recordings of the participant’s monitor, which were not deleted after the lapse of one month from the exam, see previous point
  • Questionnaires in the electronic form

Identification data related to the questionnaire survey are deleted from the questionnaire immediately after the data are processed. Questionnaire data are processed by interconnecting questionnaire data with the participant’s final percentile and other basic socio-demographic data obtained within NCE application (e.g. gender, year of birth). After these additional data are completed, all identification codes are deleted from the data base, and so it is impossible to find out later how a particular participant answered the questions in the questionnaire.

The following data are saved on the backup server (without user access) for 5 years after the end of the admission procedure in the given academic year (in case of a complaint on the part of the faculties): 

  • Recording sheets, lists for identity checks and other materials in the electronic form (e.g. records of attendance exams, photos from the venue of the exam, records of on-line NCEs, records of modifications of the exam conditions because of special needs)
  • The participant remains a registered client, has his/her personal profile in the data base of the e-shop, for him/her to be able to purchase there again in future. Exam results are accessible to participants with this registration for five years. We shall delete these data anytime at the participant’s request. 

The participant’s data also remain in accounting documents during the statutory archiving period for accounting documents.

After the expiry of 5 years, further processing of the participant’s data including NCE results takes place exclusively in the pseudonymized form. It means that a code called hash is assigned instead of the name, surname and date of birth/Birth Certificate Number. The participant’s identity cannot be traced back from the hash, and so no one who works with the data base and processes it for various scientific or statistical purposes can find out the participant’s identity. Such pseudonymized data can be assigned to a particular individual only if the hash is created again by inputting certain personal data of the participant. Data from the data base can be looked up according to the hash then. It means that anyone who wants to find out the NCE result (and other related data) of a particular NCE participant would have to have access to the participant’s identification data, to the algorithm for hash creation, and to the pseudonymized data base. We do not keep these three parts together, and the risk of unauthorized access to all the data including NCE results is completely eliminated thereby. Moreover, identification data are completely deleted after the expiry of 5 years, and therefore finding out an older NCE result is only possible in case the participant himself/herself gives us the data from which we could re-create the hash to be able to look up the result in the pseudonymized data base. The data are absolutely anonymous to us from that moment; we are not able to find out whose result is whose.

How are NCE results passed on to the faculties?

As stated above, NCE result of each participant is passed on to the faculty or faculties exclusively based on an instruction given to us by the participant in his/her personal profile. Instruction can be given either to provide the results to one or more particular faculties or to provide NCE results to any faculty which will ask for them. 

Therefore, the NCE result must be assigned to the applicant for study at the faculty in cooperation with the faculties. Such assignment can be done by the faculty itself or by Scio that will compile a data base of applicants for study at that school by assigning the NCE result to those who participated in NCE and gave the instruction to provide the result to that faculty.  This handover of results or assigning results to each participant takes place on the basis of a Contract on Personal Data Processing made between the faculty in question and Scio. A secure application by Scio designated for this purpose is used for the assigning.

In case the faculty provides us with their own data base of applicants based on the Contract on Personal Data Processing, we keep the data base throughout the processing (assigning of the results) and then during the period given in the Contract if applicable, however, no more than for the warranty period for the services which is 5 years for the faculties. 

Specifics of personal data processing in relation with on-line NCE

If NCE is realized in the distance form, i.e. where the participant sits for NCE at home, using a computer connected to the testing interface via Internet, other personal data of such a participant must be processed in addition to the above data and the methods and purposes of their processing so as to verify the fairness of the exam.

Like with attendance NCE, the identity of the participant in on-line NCE must be verified. Just as the identity is verified according to an identity card presented by the participant at the venue of attendance NCE, the participant has to prove his/her identity by means of the video recording or a photo taken by the camera where the participant holds his/her identity card in front of the camera for a while. Scio’s authorized official (evaluator) verifies the participant’s identity based on the photo of the identity card and the photo of the participant. The participant has the possibility of selecting parts of the scan of the identity card to be saved. The remaining parts are digitally destroyed and are not saved. The participant has to leave undestroyed the parts of the document which contain his/her name, surname, date of birth and the participant’s photo.

Then, pictures from the webcam and sound from the microphone will be recorded for the whole time, as well as all activities displayed on the monitor of the computer used for the testing throughout the exam itself. ScioLink web application evaluates other activities done with the computer only using Proctoring Desktop application by monitoring running processes and devices connected. Information on unauthorized running processes is saved. These records are evaluated by the “artificial intelligence” of the testing application in real time. If the artificial intelligence has evaluated the record as indicating an infringement of the rules laid down, and thus endangering the fairness of the exam, a warning to the participant and a call for remedy can be displayed anytime during the exam. This warning is only informative and has no impact on the fairness of the exam in itself, without the authorized official’s decision. All these records are displayed to the authorized official for him/her to check the record and decide whether the exam will be evaluated as irregular or not.  The decision on the fairness or irregularity of an exam is never done automatically by the artificial intelligence. Each automatic evaluation is checked by Scio’s official who decides about the fairness of the exam and its (in)validity. Accordingly, Scio’s official may check the recordings of exams which the artificial intelligence has not evaluated as suspicious but the check is needed for other reasons.

On-line NCE cannot be realized without the recordings because the fairness of the exam could not be verified without them, and no faculty could then acknowledge the NCE result as a criterion for admission in its admission procedure. 

ScioLink and Proctoring Desktop applications, for their proper functioning, detect data on browser type, on the hardware configuration of the device from which the test is accessed, on its operating system, as well as information on system configuration, running applications and date/time stamp. Such information is necessary, for example in case of a failure of the Internet connection, or for proper functioning of the application/web interface on the given device. Such information is processed mainly using automatic means and is not interconnected in any way with the individual participants after the exam is over.



Sensitive Data Processing

In exceptional cases, Scio in its activities has to process even special categories of personal data within the meaning of Article 9 of the GDPR, i.e. sensitive data. 

The following sensitive data can be processed within projects for parents, and especially for children:

  • Data on health restrictions for the participation in ScioCamps and other events so that the necessities and possibilities of each child could be taken into account; 
  • Data on food allergies for the participation in events where catering for children is provided so that convenient food could be procured; 
  • Data on specific learning disabilities for the purposes of individual preparation of some educational programmes. 

The following sensitive data are processed within various testing projects including the National Comparative Exams: 

  • Data on health restrictions so that the test or exam could be adjusted so that participants with health restrictions could participate in the test under the same conditions as the other participants; 
  • Data on special educational needs so that they could be taken into account in the testing or in the evaluation of the test or exam. 

These sensitive data are processed only to the absolutely necessary extent and for no longer than necessary.

Sensitive data are not transferred to third persons without previous consent. 



Rights of Data Subjects

Anyone whose personal data are processed by the Controller (hereinafter referred to as “data subject”) has the following rights. In the case of a minor, these rights can be exercised by his/her legal representative.


Anyone has the right to know whether his/her personal data are processed or not – if they are, then he/she has the right to obtain access to the data, as well as to obtain information about the purposes of processing, the categories of personal data concerned, their recipients, the period for which the personal data will be stored, about the right to lodge a complaint, about the source of the data (if not collected from the data subject), about the existence of automated decision-making; the data subject has also the right to obtain a copy of his/her data.


The Controller informs data subjects about all manners of processing of their personal data, both obtained from the data subject in question and otherwise. The data subject also has the right to ask the Controller to provide information on his/her personal data processing, and the Controller shall oblige.


The data subject has the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him/her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed. 


The data subject has the right to obtain from the Controller the erasure of personal data concerning him/her without undue delay, and the Controller shall erase them. However, the erasure is subject to the condition that one of the following applies: 

  • The personal data are no longer necessary for the purpose for which they were collected;
  • The data subject withdraws his/her consent  and, at the same time, there is no other legal grounds (title) for the processing; 
  • The data subject objects to the processing, and there are no overriding legitimate grounds for the processing; 
  • The personal data have been unlawfully processed; 
  • The erasure is imposed by a legal regulation;
  • The personal data have been collected in relation to the offer of information society services.


The data subject has the right to obtain from the Controller restriction of processing in cases determined by the GDPR (the accuracy of the personal data is contested by the data subject; the processing is unlawful and the data subject opposes the erasure; the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the exercise of his/her claims; the data subject has objected to processing). In such cases, the processing of the data shall be restricted to their storage only unless the data subject consents to other processing.


The data subject has the right to receive the personal data concerning him/her, which he/she has provided to the Controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the Controller. This right applies to cases explicitly mentioned by the GDPR, i.e. where the processing is based on consent or on a contract and, at the same time, the data are processed by automated means. This situation does not normally occur in the case of personal data processed by Scio.  


The data subject has the right to object to processing of his/her personal data, and the Controller shall no longer process such data in case:

  • The processing of personal data is necessary for the performance of a task carried out for reasons of public interest or the Controller has a legitimate interest in the processing, and the Controller fails to demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
  • Personal data are processed for the purposes of direct marketing.


Where the processing of personal data is based on consent given by the data subject, the data subject has the right to withdraw his/her consent anytime.
The withdrawal of the consent shall not affect the lawfulness of the processing based on consent before its withdrawal. The withdrawal of the consent shall not affect personal data processing which the Controller processes based on another legal grounds than consent (i.e. especially where the processing is necessary for the performance of a contract, for the compliance with a legal obligation, or for other reasons laid down by valid legal regulations).


If the data subject believes that a breach of legal regulations occurred in relation to the protection of his/her personal data, he/she has the right to lodge a complaint with the Office for the Personal Data Protection and/or seek judicial remedy. 


Customer Care

For our customer care services, i.e. answering questions regarding our products both via phone and via email, we use the services of the IPEX, a.s. company (telephone switchboard). The customer care workers are Scio employees.

Categories of Processed Personal Data

For the purpose of answering questions and solving potential problems of our customers, we process their personal data such as their first name, last name, customer number and, where applicable, the NCE applicant number.

We also have the option of recording phone calls, which we use to deal effectively with our customers’ requests. The caller is always informed in advance that the call is being recorded and has the option of not starting the recorded call and contacting us some other way, e.g. via email.

Purpose of Personal Data Processing

The data is being processed for the purpose of providing quality services, problem solutions and answers to requests of individual customers.

Legal Title of Personal Data Processing

The data is being processed on the basis of Scio’s obligations to properly fulfill contracts with customers or, where applicable, on the basis of legitimate interest, which is to solve requests and answer questions of customers.

Time Period of Personal Data Processing

The call recordings are being stored for up to one year.

The retention period of other personal data depends on the product ordered by the customer and is specified in the information section for each product.

Providing Remote Customer Support for Online Exams

In case the applicant (online NCE or online faculty exams) has problems connecting to the test interface (ScioLink) or with entering or continuing the test, they can reach our customer care, and our workers will try to help them solve the problem. In case the problem cannot be solved via telephone consultation, the applicant can be offered online remote support performed by a Scio IT specialist. Using this option is completely voluntary and it’s solely up to the applicant whether they use it.

How does the remote support work via the TeamViewer and QuickAssist Programme?

Our IT specialist will connect to the applicant's device via the TeamViewer or QuickAssist programme. This allows the IT specialist to remotely control the applicant's device and eliminate all issues that could possibly prevent the applicant from undertaking the exam.

The IT specialist is only entitled to take actions that are essential to solve the issue; no other interventions or access to data will be made. The applicant will be informed in advance in case of any significant settings changes that are essential for solving the issue. The applicant may follow the steps of the IT specialist on his/her screen during the whole process.

Using the help of our IT specialist via remote assistance is completely voluntary.

The applicant, by launching TeamViewer or QuickAssist, is giving us consent to such intervention.

You can find more information about remote assistance here:
for TeamViewer:  
for QuickAssist: 


Cookies on this website

This website uses cookies to personalize the website and make it more convenient to browse.

What are cookies and what are they used for?

Cookies are small data files that the visited site sends to the browser and which allow it to record information about your visit to the website, so you do not have to enter this information repeatedly the next time you visit. Cookies can therefore be imagined as a kind of website memory. Cookies can also be used to display so-called behaviorally targeted online advertising, i.e. to display only such advertising that is relevant to a particular user, without bothering the user with advertising that does not interest him/her. Cookies cannot be used to identify visitors to the site or to misuse login data.

What cookies are used on our website?

Cookies on our website can be divided into three groups:

The first group is our own cookies, which we use to support the ordering process in our e-shop. They are necessary for the proper functioning of our e-shop, for example, so that you can stay logged in throughout the process.

The second group are cookies, which we use mainly to individualize the website. Based on them, we can show you updates based on the pages you have visited or recommend the products that are most relevant to you during the order.

The third group of cookies are third-party cookies related to the implementation of certain elements in the website, without which these elements would usually not even work. These are, for example, Google and its Google Analytics and HotJar (statistics and information on the movement of visitors on the website), Facebook (to display information from our Facebook page directly on the website), YouTube,, Snack Tools (tool for displaying printed magazines in online form for our Perepetuum, How to university), Tockify (a tool to support the operation of the calendar on the Scio homepage). (web site help tool). These cookies are managed by third parties and we do not have access to write this information. On the contrary, we have access to some stored data within the declared functionalities of individual cookies.

Standard web browsers, such as Internet Explorer, Mozilla Firefox, Google Chrome, Opera and others, allow the management of cookies: in the browser, cookies can be deleted, completely disabled, or enabled only for certain sites. If you set cookies to be blocked in your browser, you can still use our website as usual, but some elements of the site will not work.
