Information About Personal Data Processing

ČEZ, a. s., Business ID: 45274649, with its registered office at Duhová 2/1444, 140 53 Prague 4, incorporated in the Commercial Register kept by the Municipal Court of Prague under File Ref. B 1581 (hereinafter ‘ČEZ’), as a personal data controller, would hereby like to inform you about the method and scope of personal data processing by the said company, including the scope of rights of data subjects connected with the processing of their personal data by ČEZ.

ČEZ processes personal data in accordance with the European Union law, in particular pursuant to Regulation 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and in accordance with international treaties binding upon the Czech Republic, namely in accordance with the Convention for the Protection of Individuals with Regard to Automated Processing of Personal Data, No. 108, promulgated under No. 115/2001 of the Collection of International Treaties, and also in accordance with relevant national laws and regulations, in particular pursuant to Act No. 101/2000 Coll., on Personal Data Protection and on Amendments to Certain Acts (hereinafter the ‘PDPA’).

Purpose and Scope of Personal Data Processing

ČEZ processes only specific personal data that has been acquired in accordance with the PDPA, whereby ČEZ collects and processes this personal data only for the defined purpose, in the scope and for duration of the contract and subsequently for three additional years after its termination or for one year of no contract is made.

Primary Purposes of Personal Data Processing by ČEZ

  • Perform contracts and provide services;
  • Manage operations;
  • Accounting and tax purposes;
  • Account receivable collection;
  • Legal compliance;
  • Direct marketing (information and product campaigns) of ČEZ;
  • Protect assets and persons.

Scope of Personal Data Processing by ČEZ

ČEZ processes personal data in the following scope:

  • Identification details: degree, first name, family name, date of birth, ID card number;
  • Address details: place of permanent and/or temporary residence, correspondence or other contact address, supply point address, telephone, e-mail address;
  • Other personal data: bank account number, other personal data as required by a specific contract or law, video recordings, biometric data in accordance with Act No. 263/2016 Coll., the Atomic Act, as amended.

Personal Data Sources

ČEZ Distribuce acquires personal data in particular from the data subject during contractual negotiations and, as the case may be, from third parties.

ČEZ always informs data subjects about cases when the disclosure of their personal data is necessary for the delivery of a particular service and when it is voluntary; however, such personal data disclosure will make mutual communication easier between the data subject and ČEZ and significantly increase the effectiveness of service delivery.

ČEZ also collects personal data from public registers, state administration authorities or based on special legislation.

To improve service quality, objectiveness, demonstrability and safety, ČEZ as well monitors and records its communication with data subjects (in particular telephone calls to operation centers or sales centers).

To ensure ČEZ’ security and also the safety of the services provided, camera (CCTV) systems have been installed on buildings managed or owned by the CEZ Group. Data subjects are always informed about the presence of such systems by information boards and pictograms at the entrance to such premises. Recordings from the CCTV systems are archived for a necessary period of time and are not further processed for any other purpose.

Processors and Recipients

To achieve the purposes described above, apart from ČEZ and its employees, personal data may also be processed by ČEZ’s processors based on personal data processing contracts made in accordance with the PDPA.

ČEZ uses in particular the following personal data processors:

  • Member companies of the CEZ Group,
  • Alternative suppliers or service providers,
  • Suppliers of camera (CCTV), access and attendance systems installed on the premises of ČEZ,
  • Other persons in connection with the execution, administration and archiving of contracts and related documents,
  • Persons who provide services to ČEZ if the client decides to use such services,
  • Other third parties who provide or receive services in connection with the fulfillment of contractual or statutory obligations by ČEZ.

ČEZ processes personal data manually and automatically. Personal data protection is ensured by ČEZ technically and organizationally in accordance with the PDPA. ČEZ Distribution requires the same security measures also from its personal data processors.

ČEZ hereby informs that, based on a lawful request, personal data may be disclosed to third parties who have authority granted to them by law to request the disclosure of such personal data.

Data Subject Rights

Every data subject  may request information about the processing of their personal data, purpose of personal data processing, scope and, as the case may be, categories of personal data processed, sources of personal data, nature of its automated processing, processors, recipients or, if relevant, categories of personal data recipients.

ČEZ will provide the requested information without undue delay for a reasonable consideration that may not exceed the costs connected with disclosing such information.

If a data subject finds out or feels that ČEZ or its contractual processor processes personal data in a manner infringing the protection of the data subject’s privacy and personal life or in violation of the applicable law, the data subject may:

  • Request an explanation from ČEZ or its contractual processor;
  • Request that ČEZ or its contractual processor remedy such a situation; in particular, the data subject may request that their personal data be blocked, corrected, amended or removed.

ČEZ will always without undue delay inform the data subject that their request has been accommodated. The data subject may at any time contact the Office for Personal Data Protection with their comments.

GDPR Regulation

ČEZ would hereby like to inform that, on May 25, 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – hereinafter the ‘GDPR’), will take effect and be directly applicable and effective also under the law of the Czech Republic.

Following the above date, the Information About Personal Data Processing will be updated to ensure that, as at May 25, 2018, it fully reflects the new legislation on the protection of personal data of individuals, as regulated in the GDPR.

Definitions of Terms

  • Personal data – personal data is to be understood as any information pertaining to an identified or identifiable data subject; a data subject is considered as identified or identifiable if the data subject can be identified either directly or indirectly;
  • Data subject – a data subject is an individual to whom the personal data pertains;
  • Controller – a controller is every person or entity that determines the purpose and means of personal data processing, carries out and is responsible for the processing;
  • Processor – a processor is every person or entity that processes personal data based on a special act or has been commissioned by a controller to do so;
  • Recipient – a recipient is any person or entity to whom personal data has been made accessible; an entity that processes personal data is not considered to be a recipient;
  • Personal data processing –personal data processing is to be understood as any operation or set of operations that the controller or processor systemically perform with personal data in an automated manner or using other means; personal data processing is in particular to be understood as the collecting, using, handing over, distributing, publishing, keeping, exchanging, sorting or combining, blocking and removal of personal data;
  • Public register – for the purposes of this document, this is to be understood as (i) a public register kept pursuant to Act No. 304/2013 Coll., on Public Registers of Legal Entities and Individuals, as amended, i.e., association register, foundation register, institute register, register of home unit owners, commercial register and Register of Generally Beneficial Companies, and (ii) other registers within the meaning of Act No. 111/2009 Coll., on Primary Registers, as amended.