Information on personal data processing
ČEZ, a.s., Company ID: 45274649, registered office: Duhová 2/1444, Prague 4, 140 53, registered in the Commercial Register maintained by the Municipal Court in Prague under the file no. B 1581, as the data controller (hereinafter referred to as “our company”), hereby informs you through this document about the principles and procedures for processing your personal data and about your rights in relation to the protection of personal data in accordance with Act No. 110/2019 Coll., on the processing of personal data, as amended (hereinafter referred to as the “Data Processing Act”), and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter “GDPR Regulation”).
Our company is the head of the ČEZ Group and also serves as the main governing entity within the ČEZ Group. We perform this role in accordance with Section 79 of Act No. 90/2012 Coll., on Business Corporations and Cooperatives, also known as the Business Corporations Act (hereinafter “BCA”). The principles and procedures for the processing and protection of personal data, their security, the exercise of your rights as data subjects, including the appointment of the data protection officer, are thus uniformly established for all companies that are part of the ČEZ Group and selected companies of the ČEZ Group.
Mgr. Petr Brázda, LL.M., has been appointed as the Data Protection Officer for the ČEZ Group’s corporate group companies and selected companies within the ČEZ Group.
The information provided here is of a general normative legal nature; it is therefore not part of any contract and may be supplemented with details relevant to specific cases of personal data processing during our mutual communication.
Our company and its contractual processors process, based on the relevant legal grounds and the purpose of processing, in particular the following categories of your personal data:
- Identification, authentication, and address data: name, surname, academic title, date of birth, identity document details, permanent and (if applicable) temporary residence address, mailing or other contact address, nationality, place and country of birth, registered business address, company ID, in rare cases personal identification number, handwritten and electronic signature;
- Contact data: telephone number, email address, data box ID;
- Electronic data: IP address, cookies, authentication certificates and electronic signature certificates, location data of the user’s device, identifiers on social networks and communication platforms;
- Other personal data linked to a contractual relationship: bank account number, customer account number, SIPO reference number, access card ID number (if issued to you), login ID and password for a personal user account (if created);
- In specific cases, special categories of personal data;
- Personal data in audio recordings – audio recordings;
- Personal data in visual recordings – CCTV footage, photographs, videos.
Your personal data may be processed by us manually or automatically; however, in the case of automated processing, we do not use automated decision-making, including profiling, that would affect your rights.
Our company primarily obtains your personal data directly from you, especially during the contract negotiations and execution; in some cases, we may obtain data from third parties who act as intermediaries in these negotiations. In such situations, we inform you when the provision of personal data is necessary for the performance of a specific service or business cooperation and when it is voluntary but intended to facilitate communication and enhance cooperation between you and our company.
We may also generate additional personal data about you, particularly regarding your consumption and consumer behaviour (e.g., in the supply of commodities such as electricity etc.).
Additionally, we may obtain your personal data from public records or state authorities (e.g., the Trade Register, Land Registry, Insolvency Register, or Central Register of Executions, etc.). Or, we may obtain your personal data from non-public records in specific cases based on applicable law. We only use data obtained from such sources for the purposes for which they were originally published.
To improve the quality of our services, ensure objectivity, verifiability, safety, and the protection of rights, our company monitors and records communication with you (for example, calls with customers). In these cases, you are always informed in advance, and you have the right to object to this method of communication. You can also contact us via our web form: Contact us | ČEZ Group. Special communication lines dedicated exclusively to dealing with crisis and emergency situations are always recorded.
Our company uses camera systems to protect property, personal health, and the safety of services being provided; these cameras are located on buildings owned or managed by our company or another company within the ČEZ Group. You are always informed about the use of camera systems through informational signs placed on the relevant premises. Additionally, you may obtain further information upon request at the reception desks of selected facilities. More details are also available on the website, here. The recorded footage may be provided to administrative authorities or law enforcement agencies if necessary.
The legal title for our processing of the data subject's personal data within the meaning of the GDPR may be the following:
- Consent to the processing of personal data for one or more specific purposes (Art. 6(1)(a) of the GDPR Regulation);
Your consent is obtained only in specific cases where the processing of personal data cannot be carried out on the basis of another legal title. In such cases, you will always be informed about the specific purpose, data retention period, and other relevant details regarding your consent. Providing consent is voluntary and may be withdrawn at any time either through the procedure specified for the specific data processing or by contacting the ČEZ Data Protection Officer via GDPR ČEZ (cez.cz).
- Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) of the GDPR Regulation);
In the context of this processing of personal data, you or your representative are a party to the contract being prepared or concluded, i.e. you have access to the content of the contract and, at the same time, to information related to the processing of personal data. If a contract is concluded electronically through a website or app, information about personal data processing for that purpose is provided directly on the site or in the app.
- Processing is necessary for compliance with a legal obligation to which the controller is subject (Art. 6(1)(c) of the GDPR Regulation);
Our company is subject to many legal obligations under both Czech and EU law. For greater clarity and better awareness, we present the main applicable legal regulations that determine the areas of personal data processing based on the fulfilment of a legal obligation in the overview of specific purposes attached below.
- Processing is necessary to protect the vital interests of the data subject or another natural person (Art. 6(1)(d) of the GDPR Regulation);
This basis is not commonly used in our operations. Such processing of personal data could only occur under exceptional circumstances, of which you would be informed, including further details concerning such potential processing of your personal data.
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Art. 6(1)(e) of the GDPR Regulation);
This basis is not commonly used in our operations. Such processing of personal data could only occur under exceptional circumstances, of which you would be informed, including further details concerning such potential processing of your personal data.
- The processing is necessary for the purposes of the legitimate interests pursued by the relevant controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Art. 6(1)(f) of the GDPR Regulation).
The legitimate interest of our company is in particular the ensuring of safety and the protection of the health of individuals and property, keeping of necessary internal records (e.g., lists of qualifications of suppliers' employees working on our premises, overviews of donation requests, etc.), verification of the qualifications of key employees, preparation of contracts with suppliers, customers, and employees, marketing surveys, etc. In all cases of personal data processing based on the legal ground of the legitimate interest of the personal data controller, we conduct a so-called balancing test. We only proceed with the processing of personal data when we have verified through the test that our interests override the interests, rights, and freedoms of the concerned data subjects. During the processing of personal data itself, we always strictly ensure that the interests, rights, and freedoms of data subjects are affected to the least extent possible.
An overview of the specific purposes, legal titles, and periods for which personal data are retained are provided in the table attached. The legal titles marked A–F are defined above.
|
PURPOSE OF PERSONAL DATA PROCESSING |
LEGAL GROUND |
RETENTION PERIOD |
LEGAL REGULATIONS |
|
Compliance checks of contractual partners and job applicants |
C |
Up to 5 years |
Act No. 69/2006 Coll., on the implementation of international sanctions Act No. 253/2008 Coll., on certain measures against the legalization of proceeds from criminal activities and financing of terrorism |
|
Transport services – processing of insurance claims |
B |
5 years |
Government Regulation No. 322/2025 Coll., on Employer’s Obligations Regarding Occupational Accidents |
|
Supply of thermal energy to customers receiving heat from production plants |
B |
11 years |
|
|
Electromobility |
B |
11 years |
Act No. 235/2004 Coll., on value-added tax |
|
Records of business partners for concluding purchase and sales contracts for materials, services, investments, and software acquisition |
B |
Up to 1 year after contract termination and expiry of archiving period |
|
|
Records of persons provided with accommodation in connection with the armed conflict in Ukraine |
B |
4 years |
Council Decision (EU) 2022/382 of 4 March 2022 |
|
Records of legal disputes within the ČEZ Group |
F |
Up to 1 year after the end of the legal dispute |
|
|
Records of customers receiving heat from ČEZ Group production plants and fulfilment of obligations associated with the supply of thermal energy |
B |
Up to 11 years after the termination of the contractual relationship |
|
|
Corporate volunteering |
B |
5 years |
|
|
Physical protection |
C |
For the duration of the employment contract or contractual relationship with the supplier |
Act No. 240/2000 Coll., the Crisis Act |
|
Innovation of customer products within the ČEZ Group |
B |
For the duration of the project |
|
|
Camera systems |
C |
7 days |
Act No. 264/2025 Coll, Cybersecurity Act, as amended by the related implementing decrees |
|
Marketing research and contests (Public Relations) |
B |
Up to 1 year |
|
|
Recruitment and scholarship programs for students |
A |
For the duration of consent or up to 11 years |
|
|
Recording of calls to the Integrated Security Operations Centre telephone line |
F |
6 months |
|
|
Recording of telephone calls and audio communication in the workplaces of the nuclear power plant in view of fulfilling the requirements for the safety of the nuclear facility |
C |
1 year |
Act No. 263/2016 Coll., the Atomic Act |
|
Procurement for production |
B |
Up to 1 year after contract termination and expiry of archiving period |
|
|
Commodity trading and fulfilment of obligations arising from related legislation |
B |
Up to 11 years |
Directive 2009/72/EC concerning common rules for the internal market in electricity |
|
Protection of classified information and security eligibility |
C |
10 years |
Act No. 412/2005 Coll., on the protection of classified information and on security eligibility |
|
Personal data protection and processing |
C |
Up to 11 years |
Regulation 2016/679/EU, General Data Protection Regulation |
|
Assessment of psychological/personality aptitude/assumptions of job applicants |
C |
Throughout the life cycle of the nuclear facility and for up to 10 years afterward |
Decree No. 247/2001 Coll., on the organization and activities of fire protection units |
|
Reporting and investigation of possible breaches of regulations (whistleblowing) |
C |
5 years from the conclusion of the investigation |
Act No. 171/2023 Coll., on the protection of whistleblowers |
|
Pilot project – Virtual assistant |
B |
1 year |
|
|
Fulfilment of the agenda of the Data Protection Officer |
B |
5 years |
Regulation 2016/679/EU, General Data Protection Regulation |
|
Postal and registry services |
F |
According to the shredding period of the respective document |
|
|
Issuer obligations, especially maintaining the list of persons with access to inside information |
C |
11 years |
Regulation 596/2014/EU on market abuse |
|
Operation of information centres |
A |
Up to 5 years or according to the shredding period |
Act No. 264/2025 Coll, Cybersecurity Act, as amended by the related implementing decrees |
|
Radiation protection |
C |
30 years |
Decree No. 422/2016 Coll., on radiation protection and security of a radionuclide source |
|
Implementation of information and cybersecurity |
B |
Up to 11 years |
Act No. 181/2014 Coll., on cybersecurity |
|
Management of qualifications of suppliers' employees in the nuclear energy division |
B |
45 years or for the lifetime of the nuclear facility |
Act No. 263/2016 Coll., the Atomic Act |
|
Contractual documentation for financing |
B |
5 years |
|
|
Investigation of suggestions from ČEZ Group companies' customers by the ČEZ Ombudsman |
B |
5 years |
|
|
Execution of trades on financial markets – recorded conversation |
B |
6 months |
|
|
Recordkeeping of occupational injury records |
C |
45 years |
Government Regulation No. 322/2025 Coll., on Employer’s Obligations Regarding Occupational Accidents |
|
Keeping of the construction log |
C |
For the duration of the existence of the respective facility |
Act No. 283/2021 Coll., the Building Act |
|
Search and analysis/evaluation of data in connected systems |
C |
Up to 1 year |
Act No. 264/2025 Coll, Cybersecurity Act, as amended by the related implementing decrees |
|
Shareholder extract from the statutory register of the Central Securities Depository for the purpose of dividend payment and general meeting |
C |
11 years |
Act No. 256/2004 Coll., on capital market business |
|
Handling and recordkeeping of requests under the Freedom of Information Act |
C |
5 years from request resolution |
Act No. 106/1999 Coll., on free access to information |
|
Organization and conduct of the General Meeting of ČEZ, a. s. |
C |
For the duration of the existence of ČEZ, a. s. |
Act No. 89/2012 Coll., the Civil Code |
|
Ensuring access to information and business resources |
B |
11 years |
|
|
Cookie processing on websites |
A |
Processing on the user's device depending on the type of cookies |
Act No. 127/2005 Coll., on electronic communications |
|
Processing of accounting documents |
C |
11 years after the end of the financial year |
Act No. 563/1991 Coll., on accounting |
Our company may, for the purpose of ensuring the efficiency and professionalism of processes, make your personal data accessible in justified cases to its employees or contractual partners in the position of a personal data processor (based on a personal data processing agreement or other legal act) or to contractual partners in the position of joint personal data controllers (based on an agreement on the mutual rights and obligations of joint controllers or other legal act), or to another personal data controller in the position of a personal data recipient.
We require our contractual personal data processors to maintain a comparable organizational and technical standard of personal data protection as is uniformly established for the entire ČEZ Group, including adherence to contractual conditions related to personal data processing (e.g., the obligation to use the given personal data solely for the purposes for which they were provided, prohibition of sharing the provided personal data with other personal data processors without our prior consent, etc.).
We verify the fulfilment of our requirements for the processing of transferred personal data with the relevant contractual processors before concluding a data processing agreement (or another legal act), during its validity, and even after its termination (especially with regard to the deletion of the transferred personal data, etc.).
PERSONAL DATA PROCESSORS
|
CATEGORY OF PROCESSOR |
ACTIVITY |
|
Security agencies |
Ensuring the protection of life, health, and property (through external security agencies). |
|
Other companies within the ČEZ Group |
The company is a part of the ČEZ Group and, in order to ensure quality of services, also cooperates with other companies within the ČEZ Group, which are listed in more detail on the website cez/skupina-cez. |
|
Corporate volunteering |
Implementation of corporate volunteering aimed at helping individuals as well as specific projects. |
|
IT services and software suppliers |
Development and maintenance of relevant IT systems, websites, systems for the electronic execution of general meetings, management and operation of electromobility, etc. |
|
Marketing and Communication |
Ensuring communication with the public, including implementation of advertising campaigns, communication materials, and marketing research. |
|
Recruitment agencies |
Ensuring the recruitment and selection of suitable job applicants. |
|
Postal and courier services |
Postal services including the delivery of remitted monetary amounts, as well as the transport of postal and courier shipments. |
|
Legal services and consulting |
Provision of legal services and consulting. |
|
Authorized entity |
Acting and legal representation on behalf of the principal (in this case ČEZ, a.s.) on the basis of a power of attorney or contract. |
RECIPIENTS OF PERSONAL DATA
Your personal data may also be transferred to third parties who are authorized to receive such personal data. This includes, for example, tax, administrative, or regulatory authorities.
Our company primarily transfers personal data to the following recipients:
- Czech National Bank
- Energy Regulatory Office
- National Security Authority
- National Office for Cyber and Information Security
- Law enforcement authorities (courts, public prosecutors, and the Police of the Czech Republic)
- Providers of occupational medical services
- Postal service providers
- Companies providing insurance and claims services
- State Labour Inspection Office
- State Office for Nuclear Safety
- Labour Office of the Czech Republic
- Office for Personal Data Protection
Our company processes your personal data either directly or through its contractual processors primarily within the territory of the Czech Republic, or within the territory of the European Union (hereinafter referred to as the “EU”), where the same conditions for the protection and security of personal data processing are set by the GDPR Regulation, which is valid and effective throughout the European Union and the European Economic Area (hereinafter referred to as the “EEA”).
Exceptionally, personal data are transferred to third countries or international organizations. In these cases, before the transfer of personal data, we assess whether the selected controller or processor provides appropriate guarantees and conditions, including the enforceability of your rights as data subjects, while also evaluating the effectiveness of legal protection of personal data in the given country. The transfer of your personal data to third countries or international organizations can therefore only occur if the following conditions are met:
- There is a decision by the European Commission regarding the selected third country/international organization, recognizing that this third country/international organization ensures an adequate level of personal data protection;
- The selected processor or sub-processor is able to provide appropriate organizational and technical safeguards, and enforceability of data subject rights and effective legal protection of data subjects exists in the country of this processor or sub-processor.
APPROPRIATE SAFEGUARDS MAY INCLUDE:
- Legally binding and enforceable instruments between public authorities or public bodies;
- Binding corporate rules;
- Standard data protection clauses adopted by the European Commission;
- Standard data protection clauses adopted by a relevant supervisory authority and approved by the European Commission;
- An approved code of conduct with binding and enforceable commitments by the processor in the third country to apply appropriate safeguards, including data subject rights;
- An approved certification mechanism along with binding and enforceable commitments by the processor in the third country to apply appropriate safeguards, including data subject rights.
Cookies are used on our company’s websites.
In order for websites to display correctly, we need to collect so-called technical cookies. For all other types of cookies, we need your consent, and it is entirely up to you whether you give us your consent, and to what extent. The scope of cookie permissions can be set via the so-called “Cookie bot,” which is displayed on the relevant web page. Here, you will also find detailed information about the cookies used.
Depending on whether and to what extent you give us your consent, cookies may be used to personalize content and advertising, provide social media functions, and analyse traffic to our company’s websites. Information about how you use our website may then be shared with our partners for social media, advertising, and analytics. Partners may combine this data with other information you have provided to them or that they have collected in connection with your use of their services. Detailed information about cookies is available to you in the Website Information.
Our company strives for transparent and fair processing of your personal data and ensuring its proper protection, always in accordance with the relevant legal regulations. To reassure you of our responsible approach to processing your data, we are ready to respond quickly and professionally to your legitimate requests.
- If the processing of personal data is based on your consent, you have the right to withdraw your consent for future processing at any time.
- You have the right to request from us, as the data controller, access to your personal data and more detailed information about its processing.
- You have the right to request from us the correction of your inaccurate or incomplete personal data.
- You have the right to request that we provide your personal data in a commonly used and machine-readable format, allowing its transfer to another controller, if we obtained it based on your consent or in connection with the conclusion and performance of a contract, and it is processed automatically.
- You have the right to object to the processing of some or all of your personal data on the lawful basis under Article 6(1)(e) and (f) of the GDPR Regulation.
- You have the right to request the erasure of your personal.
- You have the right to lodge a complaint with the Office for Personal Data Protection.
We would like to inform you that the exercise of data subjects' rights under Articles 12 to 22 of the GDPR Regulation may be restricted in accordance with Article 23(1) of the GDPR Regulation. Detailed information regarding your rights, including the ways to exercise your rights in matters of personal data protection, can be found here.
Cookies
A short text file that the visited website sends to the browser. It allows the website to record information about your visit, such as your preferred language and other settings. Your next visit to the site can thus be easier and more productive. Cookies are important. Without them, browsing the web would be much more complicated.
Supervisory Authority
An authority in the Czech Republic established as the Office for Personal Data Protection (hereinafter referred to as “OPDP”) by the Act on the Processing of Personal Data. It is entrusted with the competencies of a central administrative authority for the area of personal data protection to the extent determined by this Act and other competencies set by special legal regulations.
CEZ Group
A business group declared according to Section 79(3) of Act No. 90/2012 Coll. (Business Corporations Act), headed by the controlling entity ČEZ, a.s., and including other controlled entities. An overview of Information on the Processing of Personal Data of all companies within the ČEZ Group is available here: Information Memoranda of Group Companies of the ČEZ Group.
GDPR Regulation
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
Personal data (hereinafter referred to as “PD”)
Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Data Protection Officer
A person appointed for the entire ČEZ Group and selected companies of the ČEZ Group pursuant to Article 37 of the GDPR Regulation. The Data Protection Officer (hereinafter also referred to as “DPO”) has independent responsibility for the defined area of personal data protection for the ČEZ Group and selected companies of the ČEZ Group and acts as a partner for dealings with the OPDP and data subjects. The responsibility of the Data Protection Officer is, in particular, to protect the interests of data subjects.
Recipient
A natural or legal person, public authority, agency, or another body to whom personal data is disclosed, whether a third party or not. The recipient has the legal, contractual, or other authority to process personal data. Recipients include other controllers or processors, such as tax, administrative, or regulatory authorities. However, public authorities which may obtain personal data in the context of a specific investigation in accordance with the law of a Member State shall not be regarded as recipients; the processing of such personal data by those public authorities must comply with the applicable data protection rules according to the purposes of the processing.
CEZ Group
The ČEZ Group represents a grouping of several companies around the parent company ČEZ, a.s., primarily operating in the energy sector, connected with the parent company mainly through ownership interests. Further information is available here.
Controller of Personal Data
A legal entity (company ČEZ, a.s.) that determines the purpose and means of the processing of personal data, carries out the processing, and is responsible for it. The controller may authorize or entrust a processor with the processing of personal data.
Data subject (hereinafter referred to as the “DS")
Anatural person to whom the personal data relates. A data subject shall be deemed to be identified or identifiable if their identity is directly or indirectly identifiable on the basis of one or more pieces of personal data.
Proportionality Test
An assessment of a request from the data subject by the Controller, if the request is clearly unfounded or excessive, particularly because it is repetitive. Requests can be considered clearly unfounded, for example, when they are obviously entirely lacking in justification (in cases where justification is necessary) and it is not possible to determine even by interpretation what the data subject is requesting (an example could be an objection to processing under Art. 21(1) GDPR if the DS does not provide information about their situation that would allow the Controller to assess whether the legitimate interest outweighs the interest of the data subject). Requests may be considered clearly excessive, in particular, if they are repeated without justification or are numerous. This cannot be generalized; each case must be assessed in its specific context. The Controller must demonstrate and justify the manifestly unfounded or excessive nature of a request in a communication informing the data subject and the Data Protection Officer of the rejection of the request. The Controller must document and store this justification in case of a possible inspection by the Supervisory Authority.
Data Processing Act
Act No. 110/2019 Coll., on the Processing of Personal Data, as amended.
Personal data processing
Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Personal data processor
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.
Special Categories of Data (Sensitive Data)
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning health or data concerning a natural person’s sex life or sexual orientation.
If you have a request or complaint regarding the processing of your personal data or a question for the person responsible for data protection in our company, please contact us via our web form. Alternatively, you can write to us at ČEZ, a. s., Duhová 2/1444, 140 53 Prague 4, password “personal data processing”. We will respond to your requests, questions, or complaints as soon as possible, but no later than within one month of their receipt. If, due to the complexity of handling your request or the high number of other requests, we are unable to process your request on time, we will inform you about the necessary extension of the deadline.
Our Data Protection Officer is Mgr. Petr Brázda, LL.M. He can be contacted via the web form or in writing at the address: Data Protection Officer, ČEZ, a.s., Duhová 2/1444, 140 53, Prague 4, or via the data box ID: yqkcds6. Details about contacting the Data Protection Officer, his mission, and his competencies in handling your rights are available on the website Data Protection Officer.
This document is effective as of the date of publication, May 25, 2018. The last update of the text took place on May 23, 2023.