GRI 2-23, 2-24, 2-27, 3-3, 205-1, 205-2, 409-1
CEZ Group Code of Conduct
CEZ Group management promotes ethical values in all business activities and conduct. Management clearly states this objective in two primary documents: the Code of Conduct Policy (Code of Conduct) and the Compliance Management System (CMS) Policy.
The Code of Conduct sets forth ethical rules for employees and members of CEZ Group’s statutory bodies. The Compliance Management System Policy sets out the responsibilities, conditions, and tools for ensuring compliance with ethics in CEZ Group. Details of practical measures (e.g., training, prevention of conflicts of interest, whistleblowing, investigations) are part of the subsequent internal guidelines.
The Board of Directors of ČEZ, a. s., accepts full responsibility for compliance with the adopted ethical standards. This responsibility includes, among other things, the creation of appropriate conditions, adequate resources, effective governance structures, and control mechanisms.
Published first in 2015, the Code of Conduct exists in two publicly available versions. The basic version, the Decalogue, summarizes the most important principles regarding stakeholder relations. The unabridged version, the Alphabet, supplements the Decalogue with rules for observing the Code of Conduct. Both documents undergo regular reviews to reflect legislative demands and best practices.
The Code of Conduct is binding for all employees. New employees must review the Code upon hiring. Since 2022, subsequent training takes place annually (previously once every two years), with a target of at least 95% of staff participating. In 2022, 97.4% of employees of CEZ Group companies, whose training is provided by the Human Resources Development Department of ČEZ, a. s., received training on the Code of Conduct.
Discrimination and Human Rights
GRI 3-3, 406-1, 408-1, 409-1
Direct or indirect discrimination and harassment have no place in our company culture. The nondiscrimination principles are set out in the Code of Conduct and the Ethical Conduct Policy. Practical anti-discrimination measures, procedures, and guidelines are in place to ensure compliance with these principles. The principles aim to create a culture of cooperation based on diversity, mutual respect, and protection of vulnerable groups.
We strongly advocate diversity, equal opportunities, and a respectful working environment. Under this approach, we create desirable conditions for employees to develop their full potential and career growth. When it comes to new hires, education, expertise, qualifications, and skills are the deciding factors for hiring a candidate.
We have absolute respect for human rights and clearly declare our stance in the Code of Conduct. We operate only in countries with a strong human rights legal framework. Each country in which we operate is a signatory of International Labor Organization conventions, and the respect for human rights is a norm in CEZ Group. As a UN Global Compact participant, we duly subscribe to its principles, which entails rejecting forced or compulsory labor and the prohibition of child labor.
As an employer, we strive to maintain social peace. We recognize the importance of the right to freedom of association and collective bargaining, occupational health and safety, and fair and satisfactory working conditions. Therefore, we monitor employee satisfaction and meet their needs. At the same time, we only work with suppliers who also subscribe to these principles.
Training and Communication
Training and communication are two key elements of our CMS, designed to ensure that all our employees are aware of and comply with the principles and rules set out by our internal policies. Training on ethics and anti-bribery rules is mandatory for all employees during on-boarding and at least once a year. The 45-minute training session on preventing corruption and conflicts of interest reflects the complexity of this topic. In addition, individuals in relevant positions are regularly trained in policies and procedures to address other topics, e.g., anti-money laundering and regulatory compliance.
Reinforcing the right values among employees is important to protect the company’s reputation. To maintain the highest level of integrity, business ethics and anti-corruption training takes place annually starting in 2022. Our target is to have a minimum of 95% of employees complete the course each year.
Internal policies, including the Anti-Corruption and CMS Policy, as well as the CEZ Group Code of Conduct, are available on our corporate website and on the employee portal.
In addition, the Audit and Compliance Department communicates compliance-related issues in the company magazine and on the intranet, based on an annual communication plan. The Audit and Compliance Department uses these communication channels to promote awareness, prevent unethical conduct, introduce key compliance topics, and explain their importance to the entire CEZ Group.
Competition creates a healthy economic environment and promotes sustainable growth. As the largest energy group in Czechia, we consider compliance with the rules of competition protection (pursuant to the Act on the Protection of Competition No. 143/2001 Coll. and Articles 101-109 of the Treaty on the Functioning of the European Union) central to our business conduct. Preventing violations of these rules is therefore a priority on the CMS agenda.
In practice, all employees must behave properly in business relations and safeguard the company’s reputation as a fair market player. Employees must not only avoid anti-competitive behavior themselves but also prevent it. This also includes compliance with the unbundling rules. Employees learn about these requirements in ethics training and through internal communication channels.
The Competition Compliance Unit of the Legal Services Department of ČEZ, a. s., provides regular training for responsible employees on the specific risks of anti-competitive behavior by CEZ Group companies and advises on a continuously growing number of business plans with respect to compliance with competition law. The Unit has also prepared a competition compliance e-learning module for the broad group of employees involved in relevant transactions; it will be rolled out in 2023.
In 2022, no illicit anti-competitive behavior or other violation of the rules of competition protection occurred on the part of CEZ Group. One competition law litigation is currently pending between a CEZ Group company (Severočeské doly, a. s.) and the Office for the Protection of Competition.
CEZ Group contracts are subject to mandatory legal review aimed, among other things, at compliance with the rules of competition protection (e.g., prohibition of bid rigging). Any findings lead to adequate measures.
Audits and Precautionary Approach
GRI 2-23, 3-3
Regular and systematic internal audits and compliance checks are performed to verify compliance with all the above-specified rules. They assure the governing bodies that the management and control systems are operational and that significant risks are covered.
Internal audits are performed by the Internal Audit Department of ČEZ, a. s., whose independence and efficiency come under the scrutiny of the Audit Committee of ČEZ, a. s.
The Internal Audit Department of ČEZ, a. s., regularly undergoes a comprehensive external quality assessment to evaluate compliance with international internal auditing standards and the Code of Ethics for internal auditors issued by the Institute of Internal Auditors. The assessment repeatedly confirms full compliance of our internal audit activities with the standards and the Code of Ethics and the high efficiency of the Internal Audit Department of ČEZ, a. s.
The Internal Audit Department of ČEZ, a. s., systematically checks all key processes, segments, and risks of CEZ Group. The Board of Directors and the Audit Committee regularly receive a summary of the audit results and corrective actions taken.
In 2022, 34 audit investigations were performed: 12 in ČEZ, a. s., and 22 in its subsidiaries (including 4 audits of foreign holdings).
In addition to internal audits, we apply a precautionary approach. We do not pursue activities with uncertain or potentially hazardous effects. We take a precautionary approach at four levels:
- verification of selected information provided by the new employee/applicant (pre-employment screening)
- business entity screening before the potential acquisition of a company (due diligence)
- vetting suppliers before entering a contractual relationship
- compliance audit of selected suppliers during the business relationship.
GRI 3-3, 207-1, 207-2, 207-3, 207-4
We strive to be a responsible and trustworthy corporate citizen. Cultivating good community relationships is the basis for long-term sustainable development. Responsible and transparent tax governance is one way to honor our commitments to society.
Approach to Tax
CEZ Group is a multinational corporation comprising over 200 entities operating in many countries, primarily in Central Europe. Despite the differences in the tax laws of individual countries, CEZ Group’s tax principles and management closely follow the underlying rules of the Code of Conduct: ethics, integrity, responsibility, and transparency.
The Group’s approach to tax management is incorporated in internal policies and guidelines, which describe a general framework and details of responsibilities related to the tax agenda.
Domiciled in Czechia, CEZ Group does not apply a consolidated corporate income tax because Czech tax laws disallow consolidated tax returns. From a tax perspective, CEZ Group companies are separate entities and independent taxpayers. Hence, the companies pay taxes locally according to valid legislation in each country of operation. The overview of total income tax paid forms a part of the consolidated annual report, which is externally audited.
The main responsibility for tax governance and strategy lies with the Chief Financial Officer (CFO), Martin Novák, who is also a member of the Board of Directors and the Head of the Finance Division. The CFO delegates day-to-day operational authority for tax matters to the Tax Department, whose domain primarily covers tax administration, tax advisory and opinions, preparation of tax returns, and tax assessment of contracts. Analyses and reports of the Tax Department to the Board of Directors support business investment decisions. The Supervisory Board and the Audit Committee check whether the Board of Directors exercised its powers in compliance with legislation, principles, and good practices.
The Tax Department’s agenda also includes communication with tax authorities. Typically, Czech companies come under the Tax Authority according to their place of operation. Due to its size, ČEZ, a. s., comes under the Specialized Tax Authority, which handles the tax matters of large companies.
Tax Integrity, Transfer-pricing, and Grievance Mechanism
CEZ Group fully meets tax standards and regulations in all its conduct and in all countries where it operates. CEZ Group’s tax governance and risk management are subject to internal processes and aligned with a responsible, credible, and sustainable approach. The Group does not deliberately adopt tax mechanisms or business structures to reduce its tax burden, nor does it participate, directly or indirectly, in tax avoidance schemes or the use of tax havens. Taxation issues are not the primary driver of the Group’s business decisions.
Internal transfer pricing guidelines stipulate the tasks, responsibilities, and procedures for transfer pricing in CEZ Group. Applying the arm’s length principle, the Group’s transfer pricing meets market standards, local tax legislation, and the concepts of the OECD Guidelines.
To mitigate transfer pricing risks and avoid disputes, CEZ Group uses advance pricing agreements (APAs) for the companies situated in Czechia. An APA is a formal agreement with the tax authorities that determines the transfer prices to be used with related parties for a certain period.
The Whistleblowing Hotline serves as a tool for raising concerns or suspicions about illicit tax conduct. The Hotline offers various means to submit a concern (via the Intranet, Internet, email, or phone) and ensures whistleblowers’ anonymity to protect them from repercussions. The Audit and Compliance Department investigates all reports independently and takes remedial measures.
Facts and Figures
In 2022, CEZ Group’s current corporate income tax amounted to CZK 20.2 billion: CZK 20.0 billion in Czechia and CZK 0.2 billion abroad (CZK 12 million in Slovakia, CZK 40 million in Germany, CZK 5 million in Italy, CZK 52 million in Poland, CZK 18 million in Hungary, CZK 1 million in Romania, CZK 28 million in Israel, and CZK 28 million in Malta).
ČEZ, a. s., regularly ranks among the largest corporate income taxpayers in Czechia. The Czech corporate income tax rate enacted for 2022 was 19%.
In the wake of the 2022 energy crisis in Europe, nation states took special measures to reduce the impact of high commodity prices on end customers. In Czechia, windfall taxes were introduced: a levy on surplus revenues from generation, applicable from December 2022 to the end of 2023, and a levy on unexpected profits, which adds a further 60% on top of the normal income tax on the portion of profits exceeding the average profits earned by CEZ Group in 2018-2021. For December 2022, CEZ Group paid over CZK 1 billion as the levy on surplus revenues from generation.
For 2023, CEZ Group expects to pay CZK 30-40 billion to the Czech state in windfall taxes and levies. In addition, the regular corporate income tax, at the 19% rate, is expected to amount to CZK 26-30 billion in 2023, including the balance due on advance tax payments for 2022.
In total, CEZ Group expects to pay more than CZK 100 billion to the Czech state in dividends, income taxes, and levies on revenues from generation. Total government budget revenues of Czechia in 2023 are estimated at CZK 1,928 billion, i.e., CEZ Group companies will pay more than 5% of all planned revenues to the state budget.
Every year, CEZ Group companies rank among the largest taxpayers by the amount of corporate income tax paid, as announced by the Financial Administration. In 2022, ČEZ Distribuce ranked 6th, having paid CZK 1,510 million in corporate income tax, and ČEZ Prodej ranked 17th, having paid CZK 840 million.
GRI 3-3, 418-1
Information security is one of the major aspects of our operations. We go to great lengths to meet the highest security standards and manage the risks involved.
Data Protection Officer
In CEZ Group, we pay special attention to processing and protecting personal data and respecting the privacy of our employees, customers, and business partners. Therefore, we duly reflect the provisions of the relevant personal data protection legislation in our internal directives, namely:
- Regulation (EU) 2016/679 of the European Parliament and the Council (GDPR)
- Personal Data Processing Act No. 110/2019 Coll.
We constantly monitor and adjust processes and measures to adapt to the current legislative developments and interpretative trends, mainly those of the courts, supervisory authorities, and the European Data Protection Board. Specifically, this means that we consistently ensure that the processing of personal data is always lawful, fair, and as transparent as possible towards the data subjects concerned. We only collect, store, and process personal data for a strictly necessary period of time, in limited quantities, in accordance with a clearly defined purpose, and on the basis of a predefined legal title. The data subjects are always duly informed of the processing method, of their rights, and of the principles and measures for the protection of personal data before and at any time during the processing of personal data.
Given CEZ Group’s strategic goal to digitize 100% of key customer processes by 2025, we see compliance with strict data protection standards as an imperative.
Pursuant to Article 37 of the GDPR, CEZ Group has appointed a Data Protection Officer who serves the members of the CEZ Group concern and other selected companies.
The Data Protection Officer (DPO) is an independent monitoring and advisory body. The DPO serves as a contact point for personal data subjects who are in contact with CEZ Group companies. The personal data subjects are mainly employees, customers, and business partners. Data subjects send requests to the DPO to exercise their rights electronically, by mail, or via data mailbox.
In 2022, data subjects submitted 231 requests to exercise rights. All requests were processed on time, 16 were rejected for lack of merit, and 32 were subsequently found not to be an exercise of rights within the scope of the GDPR and were forwarded to the relevant administrators for resolution.
Other tasks of the DPO and his team are, in particular:
- to protect the rights and interests of data subjects
- to monitor compliance of personal data processing with the GDPR
- to cooperate with specialized departments of the concern members in dealing with security incidents and personal data breaches
The DPO’s duties also include communicating with supervisory authorities and raising employee awareness of personal data processing, e.g., through training, e-learning, or newsletters.
In 2021, the DPO reported to the supervisory authority one case of a completed series of external attacks on our call centers aimed at gaining access to customers’ online accounts. Law enforcement agencies have not yet closed the case, and we are awaiting the outcome of the investigation.
In 2022, the DPO received a total of three complaints from the supervisory authority. Two complaints concerned the failure to provide call recordings in response to a request under Article 15 of the GDPR (right of access), and one concerned the incorrect configuration of the Cookiebot cookie consent tool. The DPO ensured that corrective actions were implemented for all three issues within the specified deadline. In none of these cases did the supervisory authority initiate an inspection. In 2022, no financial sanctions were imposed on CEZ Group companies in connection with possible personal data protection breaches.
Beyond the scope of his duties, the DPO is a member of important associations active in the field of law and personal data protection, in particular the Association for Personal Data Protection, the Association of Industry and Transport, and the Union of Corporate Lawyers, where he exchanges experience and information, deepens his professional knowledge, and builds important partnerships.
CEZ Group takes the security of its computer systems very seriously. As an operator of critical infrastructure, we must protect ourselves against potential threats. In 2017, the Board of Directors therefore approved an Information and Cyber Security Policy that sets the goals for achieving this objective. The policy is publicly available on the website of ČEZ, a. s. The Chief Security Officer is responsible for compliance with the policy.
The Chief Security Officer became the President of the Czech Association of Critical Infrastructure (AKI CR) in 2022. AKI CR, established in 2019, is an association of the most important owners and operators of critical information infrastructure in Czechia, especially in the energy, telecommunications, water, petrochemical, and transport sectors. AKI CR helps its members cooperate with government agencies on critical information infrastructure and during emergencies. The goal of cooperation is to ensure that important infrastructure is protected from current and future threats.
We manage critical information infrastructure and the information systems of essential services in line with the Cyber Security Act No. 181/2014 Coll., and we verify compliance with the Act annually through an internal audit. We also secure the computer systems used for nuclear safety management pursuant to the Atomic Act No. 263/2016 Coll. In 2022, we dealt with two non-conformities under the Cyber Security Act, both of which were administrative in nature. We consider a risk management approach, enhanced protection of systems, and the promotion of a cyber security culture to be the priorities of our cyber security strategy. Apart from these administrative findings, we have not experienced any incidents of non-compliance with cyber security standards or regulations.
In 2022, important developments in cyber security included: (1) we improved the Integrated Security Operations Center; (2) international inspectors assessed how well we manage information security at our nuclear power plants; (3) one of our nuclear power plants was inspected for compliance with the Cyber Security Act; and (4) we worked on changes that will make it easier to comply with new European cyber security legislation.
The Security Operations Center (SOC) team looks after CEZ Group’s physical security, information security, and cyber security. The SOC detects potential threats and incidents and works to prevent them. We cooperate closely with national security authorities, namely the National Cyber and Information Security Agency (NÚKIB), Military Intelligence, and the Czech Police.
In September 2022, our nuclear power plants underwent the annual audit of their information security management system. Performed against the EN ISO/IEC 27001:2017 standard, the audit assessed the configuration of our computer systems, compliance with laws and regulations, and information security awareness among employees. The auditors rated highly the rule that contractors may maintain and configure security control systems at the nuclear facilities exclusively from the nuclear operator’s own computers.
We passed the audit successfully and retained our international certification which is valid until October 2024. This makes us one of the first nuclear power plants in the world to get this certification.
In September 2022, the Temelín nuclear power plant underwent a planned inspection by the National Cyber and Information Security Agency (NÚKIB) to assess compliance with Act No. 181/2014 Coll., on cyber security. The inspectors found that our Information Security Management System (ISMS) was working properly but identified two administrative issues to be corrected. They assessed positively the promotion of a cyber security culture and our security awareness programs. We take all audit and inspection findings seriously: any new information from these inspections is incorporated into our risk management plan so that we can take appropriate action to maintain security.
At the end of 2022, the EU Directive NIS2 on measures for a high common level of cybersecurity across the Union was published; it entered into force in January 2023. The directive significantly expands the range of obliged entities and the scope of cybersecurity obligations for companies already regulated in EU member states. It also increases the maximum penalties for breaches (for essential entities, EUR 10 million or 2% of worldwide annual turnover, whichever is higher).
The directive expands the number of obliged entities within CEZ Group by about 40 additional companies in Czechia and many others abroad. To meet these requirements, we are launching a NIS2 implementation program in CEZ Group that will help all our companies understand and meet the new obligations and protect themselves against cyber threats.
We approach information and cyber security using the Plan-Do-Check-Act (PDCA) cycle. Our goal is to balance the cost of protecting assets against their value. To this end, we have drawn up an Information and Cyber Security Action Plan that addresses all aspects of information security in a comprehensive way throughout the organization. Following this plan keeps our business secure while reducing the risk from potential threats or breaches.
We regularly test all our assets for vulnerabilities. Any weaknesses found are remediated by patching or by modifying the application source code. Changes are always tested in a separate environment before they are deployed to live systems. Our application development follows strict rules based on Secure Software Development Life Cycle principles.
Every year, we prepare a report summarizing the security of our company and any risks identified by audits or other checks. The report includes details about compliance with industry standards and is submitted to the CEZ Group Protection Committee for further discussion.
The report contains four types of information: (1) status of implementation of security requirements according to the Information and Cyber Security Action Plan in CEZ Group; (2) main changes made in the past year; (3) current performance of measured indicators; and (4) evaluation and recommendations for further development of information and cyber security.
It is essential for our employees to understand safe use of the internet, and training sessions are provided every two years. Our goal is to train employees to spot suspicious and malicious emails and to use phones and websites safely. To test their attention, we periodically send simulated phishing emails. In 2022, about 16,000 employees received these emails, with an average click-through rate of 4%; fewer than 1% of users were classified as high-risk after the tests. The Cyber Security Department continues to send simulated phishing emails and also provides special training sessions for selected groups of employees, such as purchasing specialists, security managers, and top managers of CEZ Group companies. The Security Awareness Development Plan defines the content and target groups of the security training required by information and cyber security regulations.
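As an added illustration (not CEZ Group’s code and not a description of the Cyber Security Department’s actual tooling), the following Python script scores a phishing simulation from a per-recipient event log: the click-through rate per campaign, the unweighted average across campaigns, the share of recipients who reported the mail, and a list of high-risk users to target with follow-up training. The event format and the high-risk rule (credentials submitted in any campaign, or clicks in two or more campaigns) are assumptions made for this example, and the sample log is constructed; a click logged for a recipient who was never sent the mail is treated as a logging error and excluded so it cannot distort the rates.

```python
"""Scoring a phishing simulation from a per-recipient event log.

Added example; not CEZ Group code. The event format and the high-risk rule
are assumptions made for this illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Event = Tuple[str, str, str]            # (campaign_id, user_id, event_type)
Index = Dict[str, Dict[str, Set[str]]]  # campaign -> user -> event types

VALID_EVENTS = {"sent", "clicked", "submitted", "reported"}

# Constructed sample log (not real data): four users, three campaigns.
SAMPLE_EVENTS: List[Event] = [
    ("2022-Q1", "u001", "sent"), ("2022-Q1", "u002", "sent"),
    ("2022-Q1", "u003", "sent"), ("2022-Q1", "u004", "sent"),
    ("2022-Q1", "u001", "clicked"),
    ("2022-Q1", "u003", "reported"),          # spotted it and reported it
    ("2022-Q1", "u999", "clicked"),           # malformed: never sent to u999
    ("2022-Q2", "u001", "sent"), ("2022-Q2", "u002", "sent"),
    ("2022-Q2", "u003", "sent"), ("2022-Q2", "u004", "sent"),
    ("2022-Q2", "u001", "clicked"),
    ("2022-Q2", "u002", "clicked"), ("2022-Q2", "u002", "submitted"),
    ("2022-Q3", "u001", "sent"), ("2022-Q3", "u002", "sent"),
    ("2022-Q3", "u003", "sent"), ("2022-Q3", "u004", "sent"),
    ("2022-Q3", "u004", "clicked"), ("2022-Q3", "u004", "reported"),
]


def index_events(events: Iterable[Event]) -> Index:
    """Group events by campaign and user; drop users with no 'sent' record.

    A click or submission without a matching 'sent' (e.g. a forwarded link)
    is a logging error and is excluded so it cannot distort the rates.
    """
    index: Index = defaultdict(lambda: defaultdict(set))
    for campaign, user, kind in events:
        if kind not in VALID_EVENTS:
            raise ValueError(f"unknown event type {kind!r}")
        index[campaign][user].add(kind)
    for users in index.values():
        for user in [u for u, kinds in users.items() if "sent" not in kinds]:
            del users[user]
    return index


def click_through_rates(index: Index) -> Dict[str, float]:
    """Click-through rate per campaign: users who clicked / users sent to."""
    return {
        campaign: sum("clicked" in kinds for kinds in users.values()) / len(users)
        for campaign, users in index.items() if users
    }


def average_click_rate(index: Index) -> float:
    """Unweighted mean of the per-campaign click-through rates."""
    rates = click_through_rates(index)
    return sum(rates.values()) / len(rates) if rates else 0.0


def reporting_rates(index: Index) -> Dict[str, float]:
    """Share of recipients who reported the mail, per campaign."""
    return {
        campaign: sum("reported" in kinds for kinds in users.values()) / len(users)
        for campaign, users in index.items() if users
    }


def high_risk_users(index: Index, min_clicks: int = 2) -> Set[str]:
    """Assumed rule: submitted credentials in any campaign, or clicked in at
    least `min_clicks` distinct campaigns. A later 'reported' event does not
    cancel a click; reporting is tracked separately as positive behaviour."""
    clicks: Dict[str, int] = defaultdict(int)
    submitted: Set[str] = set()
    for users in index.values():
        for user, kinds in users.items():
            clicks[user] += "clicked" in kinds
            if "submitted" in kinds:
                submitted.add(user)
    return submitted | {u for u, n in clicks.items() if n >= min_clicks}


def high_risk_share(index: Index) -> float:
    """High-risk users as a fraction of everyone who received at least one mail."""
    population = {u for users in index.values() for u in users}
    return len(high_risk_users(index)) / len(population) if population else 0.0


def summarize(events: Iterable[Event]) -> Dict[str, object]:
    """Build the figures a security awareness report would carry."""
    index = index_events(events)
    return {
        "click_rates": click_through_rates(index),
        "average_click_rate": average_click_rate(index),
        "reporting_rates": reporting_rates(index),
        "high_risk_users": sorted(high_risk_users(index)),
        "high_risk_share": high_risk_share(index),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed log, the per-campaign click-through rates are 25%, 50% and 25% (average one third), and two of the four users are flagged high-risk: one for clicking in two campaigns and one for submitting credentials. A user who clicked once and then reported the mail is not flagged, which is the behaviour a follow-up training plan usually wants to reward rather than penalise.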