Information About Personal Data Processing
ČEZ Prodej, a. s., Business ID: 27232433, with its registered office at Duhová 1/425, 140 53 Prague 4, incorporated in the Commercial Register kept by the Municipal Court of Prague under File Ref. B 22581 (hereinafter ‘ČEZ Prodej’), as a personal data controller, would hereby like to inform you about the method and scope of personal data processing by the said company, including the scope of rights of data subjects connected with the processing of their personal data by ČEZ Prodej.
ČEZ Prodej processes personal data in accordance with the European Union law, in particular pursuant to Regulation 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and in accordance with international treaties binding upon the Czech Republic, namely in accordance with the Convention for the Protection of Individuals with Regard to Automated Processing of Personal Data, No. 108, promulgated under No. 115/2001 of the Collection of International Treaties, and also in accordance with relevant national laws and regulations, in particular pursuant to Act No. 101/2000 Coll., on Personal Data Protection and on Amendments to Certain Acts (hereinafter the ‘PDPA’).
Purpose and Scope of Personal Data Processing
ČEZ Prodej processes only specific personal data that has been acquired in accordance with the PDPA, whereby ČEZ Prodej collects and processes this personal data only for the defined purpose, in the scope and for duration of the contract and subsequently for three additional years after its termination or for one year of no contract is made.
Primary Purposes of Personal Data Processing by ČEZ Prodej
- Perform contracts and provide services;
- Arrange for the connection and access to systems/networks;
- Manage operations;
- Accounting and tax purposes;
- Identify system or service misuse (i.e., repeated delays with settling the price or making obtrusive calls);
- Account receivable collection;
- Make location data accessible and enable emergency calls;
- Legal compliance;
- Direct marketing (information and product campaigns) of ČEZ Prodej;
- Protect assets and persons.
Scope of Personal Data Processing by ČEZ Prodej
ČEZ Prodej processes personal data in the following scope:
- Identification details: degree, first name, family name, date of birth, ID card number, birth registration number;
- Address details: place of permanent and/or temporary residence, correspondence or other contact address, supply point address, telephone, e-mail address;
- Other personal data: bank account number, details of customers’ payment history, customer account number, information acquired based on meter readings, operational and location details other personal data as required by a specific contract or law.
Personal Data Sources
ČEZ Prodej acquires personal data in particular from the data subject during contractual negotiations and, as the case may be, from third parties.
ČEZ Prodej always informs data subjects about cases when the disclosure of their personal data is necessary for the delivery of a particular service and when it is voluntary; however, such personal data disclosure will make mutual communication easier between the data subject and ČEZ Prodej and significantly increase the effectiveness of service delivery.
ČEZ Prodej also collects personal data from public registers, state administration authorities or based on special legislation.
To improve service quality, objectiveness, demonstrability and safety, ČEZ Prodej as well monitors and records its communication with data subjects (in particular telephone calls to operation centers or sales centers). Data subjects are informed about this in advance and have a right to refuse this procedure.
Processors and Recipients
To achieve the purposes described above, apart from ČEZ Prodej and its employees, personal data may also be processed by ČEZ Prodej’s processors based on personal data processing contracts made in accordance with the PDPA.
ČEZ Prodej processes personal data manually and automatically. Personal data protection is ensured by ČEZ Prodej technically and organizationally in accordance with the PDPA. ČEZ Prodej Distribution requires the same security measures also from its personal data processors.
ČEZ Prodej hereby informs that, based on a lawful request, personal data may be disclosed to third parties who have authority granted to them by law to request the disclosure of such personal data.
Data Subject Rights
Every data subject may request information about the processing of their personal data, purpose of personal data processing, scope and, as the case may be, categories of personal data processed, sources of personal data, nature of its automated processing, processors, recipients or, if relevant, categories of personal data recipients.
ČEZ Prodej will provide the requested information without undue delay for a reasonable consideration that may not exceed the costs connected with disclosing such information.
If a data subject finds out or feels that ČEZ Prodej or its contractual processor processes personal data in a manner infringing the protection of the data subject’s privacy and personal life or in violation of the applicable law, the data subject may:
- Request an explanation from ČEZ Prodej or its contractual processor;
- Request that ČEZ Prodej or its contractual processor remedy such a situation; in particular, the data subject may request that their personal data be blocked, corrected, amended or removed.
ČEZ Prodej will always without undue delay inform the data subject that their request has been accommodated. The data subject may at any time contact the Office for Personal Data Protection with their comments.
ČEZ Prodej would hereby like to inform that, on May 25, 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – hereinafter the ‘GDPR’), will take effect and be directly applicable and effective also under the law of the Czech Republic. Following the above date, the Information About Personal Data Processing will be updated to ensure that, as at May 25, 2018, it fully reflects the new legislation on the protection of personal data of individuals, as regulated in the GDPR.
Definitions of Terms
- Personal data – personal data is to be understood as any information pertaining to an identified or identifiable data subject; a data subject is considered as identified or identifiable if the data subject can be identified either directly or indirectly;
- Data subject – a data subject is an individual to whom the personal data pertains;
- Controller – a controller is every person or entity that determines the purpose and means of personal data processing, carries out and is responsible for the processing;
- Processor – a processor is every person or entity that processes personal data based on a special act or has been commissioned by a controller to do so;
- Recipient – a recipient is any person or entity to whom personal data has been made accessible; an entity that processes personal data is not considered to be a recipient;
- Customer – a customer is to be understood as a legal entity or individual with whom ČEZ Prodej has made a contract;
- Operational data –this data is to be understood as any data processed for the purpose of transmitting messages by electronic communication networks or for the billing thereof. In particular, operational data includes the calling and the called number, call start and end times, type of the service provided, price of the service provided, type of access to the Internet, terminal device identification, configuration data, method and volume of service use;
- Location data – location data is to be understood as any data processed in the networks/systems or by the service that specify the geographical position of the service user’s telecommunication terminal device. In particular, this means identifying a terminal point in the network to which the customer is connected;
- Personal data processing – personal data processing is to be understood as any operation or set of operations that the controller or processor systemically perform with personal data in an automated manner or using other means; personal data processing is in particular to be understood as the collecting, using, handing over, distributing, publishing, keeping, exchanging, sorting or combining, blocking and removal of personal data;
- Public register – for the purposes of this document, this is to be understood as (i) a public register kept pursuant to Act No. 304/2013 Coll., on Public Registers of Legal Entities and Individuals, as amended, i.e., association register, foundation register, institute register, register of home unit owners, commercial register and Register of Generally Beneficial Companies, and (ii) other registers within the meaning of Act No. 111/2009 Coll., on Primary Registers, as amended.