This webpage informs Scio’s clients on methods of personal data processing, on their protection and on Scio’s personal data policy in general.
Why to read this webpage?
Scio processes personal data from many different clients: students, schools, parents and their children etc. Clients and participants in the National Comparative Exams can find information on data processing here.
The controller of personal data is www.scio.cz, s.r.o. Company, Id. No. 27156125, registered office: Pobřežní 34, Praha 8, registered in the Register of Companies kept by the Metropolitan Court in Prague, Czech Republic, Section C, File 100551, hereinafter referred to also as Controller or Scio.
In personal data processing, the Controller meets the duties stipulated by legal regulations, especially by Act no. 110/2019 Sb., On Personal Data Processing, and by Regulation (EU) 2016/679 of the European Parliament and of the Council, General Data Protection Regulation (GDPR).
Scio is not obliged to designate a data protection officer within the meaning of GDPR; however, Scio considers personal data protection so important that it designated one voluntarily. Scio and ScioSchools, whose founder is Scio, have a common data protection officer.
The data protection officer can be contacted with requests for any information regarding personal data protection, as well as with the aim of exercising any rights related to personal data processing.
Contact of the data protection officer:
GDPR is a comprehensive legislation on personal data protection. Scio, like all other controllers and processors of personal data, is obliged to obey this Regulation.
The purpose of GDPR is the protection of data subjects against unlawful treatment of their personal data, including the possibility of a higher control over what happens to their personal data.
Which basic data of the clients and the participants of NCE are processed within NCE?
In case the NCE participant has a health restriction that could make more difficult for him/her to pass NCE, he/she can ask for an adjustment of NCE conditions. In this case, he/she provide us information on his/her health restriction, and we process this piece of data, usually in cooperation with the Teiresiás centre (Centre for assistance to students with specific needs of the Masaryk University in Brno). Teiresiás will assess information provided and medical reports if any, and decide how the conditions of the exam should be modified. The cooperation with Teiresiás has a contractual basis, and the participants’ data are processed this way for no longer than necessary for the adjustment of NCE conditions. Information on exam modification (not on the health restriction) is provided to the faculty on request.
Accordingly, the NCE participant can inform us that he/she is left-hander, and we will take this into account during the exam.
Performance of a contract with the data subject, i.e. for the purpose of the provision of a service – the participation in the National Comparative Exams, assessment of the exam and communication of the result to the participant
What gives us the right to process these personal data, or why do we have to process them?
Documentary data (recording sheets, questionnaires, list for identity check) are processed into the electronic form immediately after the end of the NCE test day in question. The documents are then deposited in a secured store in case a problem occurs with the electronic form of the data, for no longer than necessary, and then they are shredded.
After the documents are converted into the electronic form, all personal data including NCE results are further processed in the electronic form only. Data are saved on Scio’s server and backed up on backup server. All necessary technical measures for the protection of data on the servers are taken so as to eliminate the risk of data loss or leakage. Access to the data is made possible only to Scio’s staff, duly trained about correct personal data protection and correct measures guaranteeing that no loss or leakage of, or damage to the data or the results can occur. The circle of employees with access to the data is limited only to those who need it. Due to the character of NCEs and the necessity to guarantee their absolute confidentiality and trustworthiness, these measures have been in place in our Company since long, even in the days when GDPR represented only a random cluster of consonants.
The following data are processed and saved during the period of one month after the date of the exam:
The following data are archived, in case various objections or complaints have to be solved, until the end of October of the relevant academic year (in view of the end of the admission procedure in the given year, in which the NCE results are to be used):
Identification data related to the questionnaire survey are deleted from the questionnaire immediately after the data are processed. Questionnaire data are processed by interconnecting questionnaire data with the participant’s final percentile and other basic socio-demographic data obtained within NCE application (e.g. gender, year of birth). After these additional data are completed, all identification codes are deleted from the data base, and so it is impossible to find out later how a particular participant answered to the questions in the questionnaire.
The following data are saved on the backup server (without user access) for 5 years after the end of the admission procedure in the given academic year (in case of a complaint on the part of the faculties):
The participant’s data also remain in accounting documents during the statutory archiving period for accounting documents.
After the expiry of 5 years, further processing of the participant’s data including NCE results takes place exclusively in the pseudonymized form. It means that a code called hash is assigned instead of the name, surname and date of birth{Birth Certificate Number. The participant’s identity cannot be traced back from the hash, and so no one who works with the data base and processes it for various scientific or statistical purposes can find out the participant’s identity. Such pseudonymized data can be assigned to a particular individual only if the hash is created again by inputting certain personal data of the participant. Data from the data base can be looked up according to the hash then. It means that anyone who wants to find out the NCE result (and other related data) of a particular NCE participant, would have to have access to the participant’s identification data, to the algorithm for hash creation, and to the pseudonymized data base. We do not keep these three parts together, and the risk on unauthorized access to all the data including NCE results is completely eliminated thereby. Moreover, identification data are completely deleted after the expiry of 5 years, and therefore finding out an older NCE result is only possible in case the participant himself/herself gives us the data from which we could re-create the hash to be able to look up the result in the pseudonymized data base. The data are absolutely anonymous to us from that moment; we are not able to find out whose result is whose.
As stated above, NCE result of each participant is passed on to the faculty or faculties exclusively based on an instruction given to us by the participant in his/her personal profile. Instruction can be given either to provide the results to one or more particular faculties or to provide NCE results to any faculty which will ask for them.
Therefore, the NCE result must be assigned to the applicant for study at the faculty in cooperation with the faculties. Such assignment can be done by the faculty itself or by Scio that will compile a data base of applicants for study at that school by assigning the NCE result to those who participated in NCE and gave the instruction to provide the result to that faculty. This handover of results or assigning results to each participant takes place on the basis of a Contract on Personal Data Processing made between the faculty in question and Scio. A secure application by Scio designated for this purpose is used for the assigning.
In case the faculty provides us with their own data base of applicants based on the Contract on Personal Data Processing, we keep the data base throughout the processing (assigning of the results) and then during the period given in the Contract if applicable, however, no more than for the warranty period for the services which is 5 years for the faculties.
If NCE is realized in the distance form, i.e. where the participant sits for NCE at home, using a computer connected to the testing interface via Internet, other personal data of such a participant must be processed in addition to the above data and the methods and purposes of their processing so as to verify the fairness of the exam.
Like with attendance NCE, the identity of the participant in on-line NCE must be verified. Just as the identity is verified according to an identity card presented by the participant at the venue of attendance NCE, the participant has to prove his/her identity by means of the video recording or a photo taken by the camera where the participant holds his/her identity card in front of the camera for a while. Scio’s authorized official (evaluator) verifies the participant’s identity based on the photo of the identity card and the photo of the participant. The participant has the possibility of selecting parts of the scan of the identity card to be saved. The remaining parts are digitally destroyed and are not saved. The participant has to leave undestroyed the parts of the document which contain his/her name, surname, date of birth and the participant’s photo.
Then, pictures from the webcam and sound from the microphone will be recorded for the whole time, as well as all activities displayed on the monitor of the computer used for the testing throughout the exam itself. ScioLink web application evaluates other activities done with the computer only using Proctoring Desktop application by monitoring running processes and devices connected. Information on unauthorized running processes is saved. These records are evaluated by the “artificial intelligence” of the testing application in real time. If the artificial intelligence has evaluated the record as indicating an infringement of the rules laid down, and thus endangering the fairness of the exam, a warning to the participant and a call for remedy can be displayed anytime during the exam. This warning is only informative and has no impact on the fairness of the exam in itself, without the authorized official’s decision. All these records are displayed to the authorized official for him/her to check the record and decide whether the exam will be evaluated as irregular or not. The decision on the fairness or irregularity of an exam is never done automatically by the artificial intelligence. Each automatic evaluation is checked by Scio’s official who decides about the fairness of the exam and its (in)validity. Accordingly, Scio’s official may check the recordings of exams which the artificial intelligence has not evaluated as suspicious but the check is needed for other reasons.
On-line NCE cannot be realized without the recordings because the fairness of the exam could not be verified without them, and no faculty could then acknowledge the NCE result as a criterion for admission in its admission procedure.
ScioLink and Proctoring Desktop applications, for their proper functioning, detect data on browser type, on the hardware configuration of the device from which the test is accessed, on its operation system, as well as information on system configuration, running applications and date/time stamp. Such information is necessary, for example in case of a failure of the Internet connection, or for proper functioning of the application/web interface on the given device. Such information is processed mainly using automatic means and is not interconnected in any way with the individual participants after the exam is over.
In exceptional cases, Scio in its activities has to process even special categories of personal data within the meaning of Article 9 of the GDPR, i.e. sensitive data.
The following sensitive data can be processed within projects for parents, and especially for children:
The following sensitive data are processed within various testing projects including the National Comparative Exams:
These sensitive data are processed only to the absolutely necessary extent and for no longer that necessary.
Sensitive data are not transferred to third persons without previous consent.
Anyone whose personal data are processed by the Controller (hereinafter referred-to as “data subject”) has the following rights. In the case of a minor, these rights can be exercised by his/her legal representative.
Anyone has the right to know whether his/her personal data are processed or not – if they are, then he/she has the right to obtain access to the data, as well as to obtain information about the purposes of processing, the categories of personal data concerned, their recipients, the period for which the personal data will be stored, about the right to lodge a complaint, about the source of the data (if not collected from the data subject), about the existence of automated decision-making; the data subject has also the right to obtain a copy of his/her data.
The Controller informs data subjects about all manners of processing of their personal data, both obtained from the data subject in question and otherwise. The data subject also has the right to ask the Controller to provide information on his/her personal data processing, and the Controller shall oblige.
The data subject has the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him/her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed.
The data subject has the right to obtain from the Controller the erasure of personal data concerning him/her without undue delay, and the Controller shall erase them. However, the erasure is subject to the condition that one of the following applies:
The data subject has the right to obtain from the Controller restriction of processing in cases determined by the GDPR (the accuracy of the personal data is contested by the data subject; the processing is unlawful and the data subject opposes the erasure; the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the exercise of his/her claims; the data subject has objected to processing). In such cases, the processing of the data shall be restricted to their storage only unless the data subject consents to other processing.
The data subject has the right to receive the personal data concerning him/her, which he/she has provided to the Controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the Controller. This right applies to cases explicitly mentioned by the GDPR, i.e. where the processing is based on consent or on a contract and, at the same time, the data are processed by automated means. This situation does not normally occur in the case of personal data processed by Scio.
The data subject has the right to object to processing of his/her personal data, and the Controller shall no longer process such data in case:
The processing of personal data is necessary for the performance of a task carried out for reasons of public interest or the Controller has a legitimate interest in the processing, and the Controller fails to demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
Personal data are processed for the purposes of direct marketing.
Where the processing of personal data is based on consent given by the data subject, the data subject has the right to withdraw his/her consent anytime.
The withdrawal of the consent shall not affect the lawfulness of the processing based on consent before its withdrawal. The withdrawal of the consent shall not affect personal data processing which the Controller processes based on another legal grounds than consent (i.e. especially where the processing is necessary for the performance of a contract, for the compliance with a legal obligation, or for other reasons laid down by valid legal regulations).
If the data subject believes that a breach of legal regulations occurred in relation to the protection of his/her personal data, he/she has the right to lodge a complaint with the Office for the Personal Data Protection and/or seek judicial remedy.
For our customer care services, i. e. answering questions regarding our products both via phone and via email, we use services of IPEX, a.s. company (telephone switchboard). The customer care workers are Scio employees.
For the purpose of answering questions and solving potential problems of our customers we process their personal data such as their first name, last name, customer number, eventually the NCE applicant number.
We also have the option of recording phone calls which we use to effectively deal with our customers’ requests. The caller is always informed in advance that the call is being recorded and has the option of not starting the recorded call and contacting us some other way, e. g. via email.
The data is being processed for the purpose of providing quality services, problem solutions and answers to requests of individual customers.
The data is being processed on the basis of Scio’s obligations to properly fulfill contracts with customers, eventually on the basis of legitimate interest, which is to solve requests and answer questions of customers.
The call recordings are being stored for up to one year.
The retention period of other personal data depends on the product ordered by the customer and is specified in the information section for each product.
Providing Remote Customer Support for Online Exams
In case the applicant (online NCE or online faculty exams) has problems connecting to the test interface (ScioLink) or with entering or continuing the test, they can reach our customer care, our workers will try to help them to solve the problem. In case the problem cannot be solved via telephone consultation, the applicant can be offered the online remote support performed by Scio IT specialist. Using this option is completely voluntary and it’s solely up to the applicant whether they use it.
How does the remote support work via the TeamViewer and QuickAssist Programme?
Our IT specialist will connect to the applicant's device via the TeamViewer or QuickAssist programme. Thanks to that the IT specialist will be allowed to remotely control the applicant's device and eliminate all issues that could possibly prevent the applicant from undertaking the exam.
The IT specialist is only entitled to make actions that are essential to solve the issue, no other interventions/accessing data will be made. The applicant will be informed in advance in case of any significant settings changes that are essential for solving the issue. The applicant may follow the steps of the IT specialist on his screen during the whole process.
Using the help of our IT specialist via remote assistance is completely voluntary.
The applicant, by launching the TeamViewer or QuickAssist, is giving us consent with such intervention.
You can find more information about remote assistance here:
for TeamViewer: https://www.teamviewer.com/en/products/teamviewer/?t=1677851198933
for QuickAssist: https://learn.microsoft.com/en-us/windows/client-management/quick-assist
This website uses cookies to personalize the website and make it more convenient to browse.
Cookies are small data files that the visited site sends to the browser and which allow you to record information about your visit to the website, so you do not have to enter this information repeatedly the next time you visit. Cookies can therefore be imagined as a kind of website memory. Cookies can also be used to display so-called behaviorally targeted online advertising, ie to display only such advertising that is relevant to a particular user, without being bothered by advertising that does not interest him. Cookies cannot be used to identify visitors to the site or to misuse login data.
Cookies on our website can be divided into three groups:
The first group is our own cookies, which we use to support the ordering process in our e-shop. They are necessary for the proper functioning of our e-shop, for example, so that you can stay logged in throughout the process.
The second group are cookies, which we use mainly to individualize the website. Based on them, we can show you updates based on the pages you have visited or recommend the products that are most relevant to you during the order.
The third group of cookies are third-party cookies related to the implementation of certain elements in the website, without which these elements would usually not even work. These are, for example, Google and its Google Analytics and HotJar (statistics and information on the movement of visitors on the website), Facebook (to display information from our Facebook page directly on the website), YouTube,, Snack Tools (tool for displaying printed magazines in online form for our Perepetuum, How to university), Tockify (a tool to support the operation of the calendar on the Scio homepage). Tawk.to (web site help tool). These cookies are managed by third parties and we do not have access to write this information. On the contrary, we have access to some stored data within the declared functionalities of individual cookies.
Standard web browsers, such as Internet Explorer, Mozilla Firefox, Google Chrome, Opera and others, allow the management of cookies, in the browser, cookies can be deleted, completely disabled, or enabled only for certain sites. If you set cookies to be blocked in your browser, you can use our website on a regular basis, but some elements of the site will not work.