Information on personal data processing
Information on the Processing of Personal Data of Customers, Business Partners, Job Applicants, and Other External Persons of ČEZ, a. s.
Dear customers, business partners, visitors, users of information systems or applications, we would like to inform you that the protection of personal data is very important to us and forms an integral part of fulfilling all our commitments. Therefore, we pay due attention to it and follow the applicable legal regulations in ensuring the protection of personal data.
This document is effective from the date of publication on 25 May 2018. The text was last updated on 1 September 2023.
ČEZ, a. s., reg. No.: 45274649, having its registered office at Praha 4, Duhová 2/1444, postcode 140 53, registered in the Commercial Register maintained by the Municipal Court in Prague under File B 1581, as the personal data controller (hereinafter referred to as “our company”), hereby informs you of the principles and procedures for processing your personal data and of your rights relating to the protection of personal data, in accordance with Act No. 110/2019 Sb., on the processing of personal data, as amended (hereinafter referred to as “PDPA”) and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter referred to as “GDPR”).
Our company, as the controlling entity within the meaning of Section 79 of Act No. 90/2012 Sb., on commercial companies and cooperatives, as amended (hereinafter referred to as the “BCA”), is the head of CEZ Group. Therefore, the principles and procedures for processing and protecting personal data, their security, and the exercise of your rights as data subjects, including the appointment of a Data Protection Officer, are set uniformly for all companies that are part of CEZ Group.
Mgr. Petr Brázda, LL.M. has been appointed as the Data Protection Officer for CEZ Group companies.
The information provided herein is of a general legally normative nature, and therefore does not form part of any contract and may be updated in our communications with details relating to the specific case of personal data processing.
Our company and its contractual processors in particular process the following categories of your personal data in accordance with the relevant legal title and purpose of processing:
- Identification, authentication and address data: name, surname, academic degree, date of birth, data from identity documents, permanent or temporary residence address, delivery or other contact address, nationality, place and country of birth, registered office, registration number, in rare cases birth number, handwritten signature, and electronic signature;
- Contact details: telephone number, e-mail address, databox ID;
- Electronic data: IP address, cookies, authentication and e-signature certificates, location data of the device used by the user, identifiers in social networks and communication platforms;
- Other personal data related to the contractual relationship: bank account number, customer account number, SIPO connection number, card access ID number (if assigned to you), user personal account access ID and password (if created);
- In specific cases, personal data of special categories;
- Personal data in audio files—audio recordings;
- Personal data in image files—camera recordings, photographs, videos.
Your personal data may be processed by us manually or by automated procedures; however, we do not use automated decision-making, including profiling, which could affect your rights when processing your data automatically.
Our company primarily collects your personal data directly from you, in particular in the context of negotiations for the conclusion of a contract and in the course of its performance, or from third parties who mediate such negotiations. In these cases, we inform you when the provision of personal data is necessary for the performance of a specific service or business cooperation, and when on the contrary it is optional but serves to facilitate mutual communication and make cooperation between you and our company more effective.
We also generate other personal data about you, which are mainly data on consumption and consumer behavior (in the case of supplying commodities such as electricity, etc.).
Furthermore, we may collect your personal data from public registers or from administrative authorities (for example, from the trade register, the land register, the insolvency register, or the central execution register, etc.). Alternatively, in specific cases, we may also collect your personal data from non-public records on the basis of the relevant legislation.
In order to improve service quality, objectivity, verifiability, security, and protection of rights, our company monitors and records communications with you (for example, phone calls with customers). In these cases, we always inform you in advance and you are entitled to refuse this procedure. The only exceptions are special communication lines dedicated exclusively to crisis and emergency situations, which are always recorded.
In order to ensure the protection of property, personal health, and the safety of the services provided, our company has CCTV systems located on buildings owned or managed by our company or one of the CEZ Group companies. We always inform you about the use of CCTV systems by means of information signs placed on the relevant buildings. The CCTV footage may be provided to the administrative and law enforcement authorities if necessary.
The legal title for our processing of the data subject's personal data within the meaning of the GDPR may be the following:
- Consent to the processing of personal data for one or more specified purposes (Article 6(1)(a) of the GDPR); We only seek your consent in specific cases where the processing of personal data in question is not carried out on the basis of another legal title. In these cases, you are always informed about the specific purpose for which your consent will be collected and recorded, for how long, etc., and your consent to the processing of your personal data is optional and may be withdrawn at any time, either by following the procedure defined for the specific case of personal data processing or generally by contacting the CEZ GDPR Data Protection Officer (cez.cz).
- The processing is necessary to perform a contract to which the data subject is a party or to carry out pre-contractual measures taken at the request of the data subject (Article 6(1)(b) of the GDPR); In the context of this processing of personal data, you or your representative are a party to the contract being prepared or concluded, i.e., you are in possession of the content of the contract and, at the same time, of the information related to the processing of personal data. Alternatively, if the contract is concluded electronically via a specific website or web application, for example, information on the processing of personal data for this specific purpose is always provided directly on the website or application.
- The processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) of the GDPR); Our company is subject to many legal obligations under Czech and European law. For the sake of clarity and for your better information, we list the main legal provisions that determine the areas of personal data processing based on the fulfillment of a legal obligation in the overview of specific purposes attached below.
- The processing is necessary for the protection of the vital interests of the data subject or of another natural person (Article 6(1)(d) of the GDPR); We do not normally process your personal data on the basis of this legal title. Thus, the processing in question might only occur in quite exceptional circumstances, of which you would be informed by us, including the provision of further information regarding any such processing of your personal data.
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) of the GDPR); We do not normally process your personal data on the basis of this legal title. Thus, the processing in question might only occur in quite exceptional circumstances, of which you would be informed by us including the provision of further information regarding any such processing of your personal data.
- The processing is necessary for the purposes of the legitimate interests of the controller or third party concerned, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular where the data subject is a child (Article 6(1)(f) of the GDPR). Our company's legitimate interests include in particular ensuring the health and safety of persons and property, maintaining necessary internal records (e.g., lists of qualifications of employees of contractors working on our premises, overviews of donation applications, etc.), verifying the eligibility of key employees, preparing contracts with suppliers, customers, and employees, marketing surveys, etc. We perform a so-called balancing test in all cases of personal data processing that is based on the legal title of the personal data controller's legitimate interest. We will only proceed with the processing of personal data when we have established by a test that our interests outweigh the interests, rights, and freedoms of the data subjects concerned. In the actual processing of personal data, we always ensure that the interests, rights, and freedoms of the data subjects are affected as little as possible.
An overview of the specific purposes, legal titles, and periods for which personal data are retained are provided in the table attached. The legal titles marked A–F are defined above.
PURPOSE OF PERSONAL DATA PROCESSING |
LEGAL TITLE |
RETENTION PERIOD |
LEGAL PROVISIONS |
Compliance verification of contractors and job applicants |
C |
Up to 5 years |
Act No 69/2006 Sb., on the implementation of international sanctions
|
Electromobility |
B |
11 years |
Act No. 235/2004 Sb., on value added tax |
Records of business partners for the conclusion of purchase and sales contracts for materials, services, investments, and software acquisitions |
B |
Up to 1 year after contract termination and expiry of the shredding period |
|
Records of persons provided with accommodation in connection with the armed conflict in Ukraine |
B |
4 years |
Council Decision (EU) 2022/382 of March 4, 2022
|
Records of legal disputes in CEZ Group |
F |
Up to 1 year from the end of the legal dispute |
|
Records of customers purchasing heat from CEZ Group's generating facilities and performance of obligations related to the supply of heat energy |
B |
Up to 11 years from the end of the contractual relationship |
|
Corporate volunteering |
B |
5 years |
|
Physical protection |
C |
For the duration of the employment contract or contractual relationship with the contractor |
Act No. 240/2000 Sb., Crisis Act
|
Innovation of CEZ Group's customer products |
B |
For the duration of the project |
|
CCTV systems |
C |
7 days |
Act No. 181/2014 Sb., on cyber security
|
Marketing research and competitions (Public Relations) |
B |
Up to 1 year |
|
Recruitment and scholarship program for students |
A |
For the duration of the consent or up to 11 years |
|
Recording of integrated security operations center phone line calls |
F |
6 months |
|
Recording of phone calls and audio communications at nuclear power plant sites to meet the safety requirements of the nuclear installation |
C |
1 |
Act No. 263/2016 Sb., Atomic Act
|
Purchase for generation |
B |
Up to 1 year after contract termination and expiry of the shredding period |
|
Commodity trading and compliance with obligations arising from related legislation |
B |
Up to 11 years |
Directive 2009/72/EC concerning common rules for the internal market in electricity
|
Search and analysis/evaluation of data in connected systems |
C |
Up to 1 year |
Decree No. 82/2018 Sb., on cyber security
|
Protection and processing of personal data |
C |
Up to 11 years |
Regulation 2016/679/EU—General Data Protection Regulation
|
Protection of classified information and security eligibility |
C |
10 years |
Act No. 412/2005 Sb., on the protection of classified information and security clearance |
Verification of psychological/personal competence/qualifications |
C |
For the entire life cycle of the nuclear installation and for up to 10 years thereafter |
Decree No. 247/2001 Sb., on the organization and activities of fire protection units
|
Whistleblowing and investigating possible breaches |
C |
5 years from the end of the investigation |
Act No. 171/2023 Sb., on the protection of whistleblowers |
Fulfilling the agenda of the Data Protection Officer |
B |
5 years |
Regulation 2016/679/EU—General Data Protection Regulation
|
Postal and filing service |
F |
According to the shredding period of the relevant document |
|
Obligations of the issuer, in particular maintaining a list of persons with access to inside information |
C |
11 years |
Regulation 596/2014/EU on market abuse
|
Operation of information centers |
A |
Up to 5 years or according to the shredding period |
|
Radiation protection |
C |
30 years |
Decree No. 422/2016 Sb., on radiation protection and radionuclide source security
|
Implementation of information and cyber security |
B |
Up to 11 years |
Act No. 181/2014 Sb., on cyber security
|
Qualification management of contractors' employees in the Nuclear Energy Division |
B |
45 years or up to the lifetime of the nuclear installation |
Act No. 263/2016 Sb., Atomic Energy Act
|
Contractual documentation for financing |
B |
5 years |
|
Investigation of customer complaints from CEZ Group companies by the CEZ Group Ombudsman |
B |
5 years |
|
Closing deals on financial markets—recorded conversation |
B |
6 months |
|
Keeping records of work accidents |
C |
45 years |
Government Regulation No. 201/2010 Sb., on the method of recording, reporting, and sending accident records
|
Keeping a construction diary |
C |
During the lifetime of the facility in question |
Decree No. 499/2006 Sb., on building documentation
|
Handling and recording applications in accordance with the Freedom of Information Act |
C |
5 years from the processing of the application |
Act No. 106/1999 Sb., on freedom of information |
Extract of shareholders from the statutory register of the Central Securities Depository for the purpose of dividend payment and convening a Shareholders' Meeting |
C |
11 years |
Act No. 256/2004 Coll., on capital market undertakings |
Ensuring the convening and conduct of the Shareholders' Meeting of ČEZ, a. s. |
C |
During the existence of ČEZ, a. s. |
Act No. 89/2012 Sb., Civil Code
|
Ensuring access to information and business resources |
B |
11 years |
|
Processing of cookies on websites |
A |
Processing at the user's device by cookie type |
Act No. 127/2005 Sb., on electronic communications
|
Processing of accounting documents |
C |
11 years from the end of the annual accounting period |
Act No. 563/1991 Sb., on accounting
|
In order to ensure the efficiency and competence of the processes, our company may disclose your personal data to its employees or contractual partners as processors of personal data (based on a personal data processing agreement or other legal act) or to contractual partners as joint controllers of personal data (based on a contract on mutual rights and obligations of joint controllers or other legal act) or to another controller of personal data as recipients of personal data in justified cases.
For our contractual processors of personal data, we require a similar organizational and technical standard of personal data protection as we have set uniformly for the entire CEZ Concern, including compliance with the contractual terms and conditions relating to the processing of personal data (e.g., the obligation to use the subject personal data exclusively for the purposes for which it was transferred to them, the prohibition of sharing the transferred personal data with other processors of personal data without our prior consent, etc.).
We verify the fulfillment of our requirements for the processing of the personal data transferred with the contractual processors concerned before the conclusion of the personal data processing agreement (or other legal act), during its term, and after its termination (in particular as regards the deletion of the personal data transferred, etc.).
PERSONAL DATA PROCESSORS
CATEGORIES OF PROCESSORS |
ACTIVITY |
Security agencies |
Ensuring the protection of life, health, and property (through external security agencies). |
Other CEZ Group companies |
ČEZ, a. s., is the parent company of CEZ Group and to ensure quality services it also cooperates with its subsidiaries, which are listed in more detail at www.cez.cz. |
Corporate volunteering |
Implementation of corporate volunteering aimed at helping individuals and specific projects. |
IT services and software suppliers |
Development and maintenance of relevant IT systems, websites, systems for the electronic execution of Shareholders' Meetings, management and operation of electromobility, etc. |
Marketing and communication |
Ensuring communication with the public, including the implementation of promotional events, communication materials and marketing research. |
Personnel agencies |
Providing recruitment and selection of suitable job candidates. |
Postal and courier services |
Postal services, including remittance delivery, as well as parcel and courier services. |
Legal services and consulting |
Providing legal services and consulting. |
Authorized entity |
Representing and acting on behalf of the principal (in this case ČEZ, a. s.) on the basis of a power of attorney or contract. |
PERSONAL DATA RECIPIENTS
Your personal data may also be transferred to third parties who are entitled to receive such personal data. These include, for example, tax, administrative, or regulatory authorities.
In particular, our company transfers personal data to the following recipients:
- Czech National Bank
- Energy Regulatory Office
- National Security Authority
- National Cyber and Security Information Agency
- Law enforcement authorities (courts, prosecutors, and the Czech Police)
- Providers of occupational medical services
- Operators of postal services
- Companies providing insurance and claims handling services
- State Labor Inspection Office
- State Office for Nuclear Safety
- Czech Labor Office
- Office for Personal Data Protection
Our company processes your personal data, either directly or through its contractual processors, primarily in Czechia or in the European Union (hereinafter referred to as the “EU”), where the same conditions of protection and security of personal data processing are set through the GDPR Regulation valid and effective for the entire European Union or the European Economic Area (hereinafter referred to as the “EEA”).
Exceptionally, personal data is transferred to third countries or international organizations. In these cases, prior to the transfer of personal data, we assess whether the selected controller or processor provides appropriate guarantees and conditions, including the enforceability of your rights as a data subject, while assessing the effective legal protection of personal data in that country. Therefore, the transfer of your personal data to third countries or international organizations may only occur if the following conditions are met:
- The selected third country / international organization has been subject to a decision of the European Commission which has found that the third country / international organization ensures an adequate level of protection of personal data;
- The selected processor or sub-processor is able to provide appropriate organizational and technical guarantees and in the country of the processor or sub-processor, enforceability of data subjects' rights and effective legal protection of data subjects is ensured.
SUITABLE GUARANTEES INCLUDE THE FOLLOWING:
- Legally binding and enforceable instruments between public authorities or public entities;
- Binding corporate rules;
- Standard data protection clauses adopted by the European Commission;
- Standard data protection clauses adopted by the relevant supervisory authority and approved by the European Commission;
- Approved code of conduct with binding and enforceable obligations for the processor in the third country to apply appropriate guarantees, including with regard to the rights of data subjects;
- Approved certification mechanism with binding and enforceable obligations for the processor in the third country to apply appropriate guarantees, including with regard to the rights of data subjects.
We use cookies on our company's website. In order to display the website correctly, we need to collect so-called technical cookies. For all other types of cookies, we need your consent and it is entirely at your discretion as to whether or to what extent to grant your consent. You may set the extent of your consent to the collection of cookies by means of the so-called “cookie bot”, which is displayed on the respective website. Detailed information on cookies is also available here.
Depending on whether and to what extent you grant your consent, we may then use cookies to personalize content and advertisements, provide social media features, and analyze traffic on our company's website. We may then share information about how you use our website with our social media, advertising, and analytics partners. Partners may combine this information with other information that you have provided to them or that they have obtained in connection with your use of their services. Detailed information on cookies is available in the Website Information section.
Our company strives to process your personal data in a transparent and fair manner and to ensure that it is properly protected, always in accordance with the relevant legislation. To assure you of our responsible approach to the processing of your data, we are ready to respond quickly and professionally to your legitimate requests.
- If the processing of personal data is based on your consent, you shall be entitled to withdraw your consent for future processing at any time.
- You shall be entitled to request access to your personal data and more detailed information about its processing from us as data controller.
- You shall be entitled to request from us the rectification of inaccurate or incomplete personal data.
- You shall be entitled to request us to provide your personal data in a commonly used and machine-readable format that enables it to be transmitted to another controller, where we have obtained it on the basis of your consent or in connection with the conclusion and performance of a contract and it is processed by automated means.
- You shall be entitled to object to the processing of some or all of your personal data.
- You shall be entitled to request us to erase your personal data if we no longer have any legal basis for further processing.
- You shall be entitled to file a complaint with the Office for Personal Data Protection.
Please be informed that the exercise of the rights of data subjects under Articles 12 through 22 of the GDPR may be restricted in accordance with Article 23(1) of the GDPR. Detailed information regarding your rights, including ways to exercise your rights in the case of data protection, is available here.
Cookies
A short text file that is sent to the browser by the website you visit. It allows the website to record information about your visit, such as your preferred language and other settings. This ensures that your next visit to the site is easier and more productive. Cookies are important. Without them, browsing the web would be much more difficult.
Supervisory Authority
The authority established in Czechia as the Office for Personal Data Protection (hereinafter referred to as the “OPDP") by the Personal Data Processing Act. It is entrusted with the competences of the central administrative authority for the protection of personal data to the extent provided for by this act and other competences provided for by special legislation.
CEZ Group
A business group declared pursuant to Section 79(3) of Act No. 90/2012 Sb., (BCA), managed by the controlling entity, ČEZ, a. s., and including other controlled entities. An overview of the information on personal data processing of all CEZ Group companies is available here: Information Memorandums of CEZ Group Companies.
GDPR
Regulation (EU) 2016/679 of the European Parliament and the Council dated April 27, 2016 on the protection of individuals with regard to the processing of personal data and free movement of such data and repealing Directive 95/46 /EC (General Data Protection Regulation).
Personal data (hereinafter referred to as “PD”)
Any information about an identified or identifiable natural person; an identifiable natural person is a natural person who is directly or indirectly identifiable, in particular by reference to an identifier such as a name, identification number, location data, network identifier, or to one or more specific elements of the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person.
Data Protection Officer
A person appointed for the whole CEZ Group pursuant to Article 37 of the GDPR. The Data Protection Officer (hereinafter referred to as the “DPO”) has independent responsibility for a defined area of personal data protection for CEZ Group and is a partner for negotiations with the OPDP and data subjects. In particular, the DPO is responsible for protecting the interests of data subjects.
Recipient
A natural person or legal entity, public authority, agency, or other entity to which personal data are disclosed, whether or not it is a third party. The recipient has the legal, contractual, or other authority to process the personal data. This includes other controllers or processors such as tax, administrative, or regulatory authorities. However, public authorities which may obtain personal data in the context of a specific investigation in accordance with the law of a member state are not considered recipients; the processing of such personal data by those public authorities must comply with the applicable data protection rules for the purposes of the processing.
CEZ Group
CEZ Group comprises several companies grouped around the parent company ČEZ, a. s., operating mainly in the energy sector, linked to the parent company mainly through equity holdings. More information is available here.
Personal data controller
The legal entity (ČEZ, a. s.) that determines the purpose and means of processing personal data, carries out the processing, and is responsible for such processing. The controller may authorize or delegate the processing of personal data to a processor.
Data subject (hereinafter referred to as the “DS")
Anatural person to whom the personal data relates. A data subject shall be deemed to be identified or identifiable if their identity is directly or indirectly identifiable on the basis of one or more pieces of personal data.
Adequacy test
Assessment of the data subject's request by the data controller if the data subject's request is manifestly unfounded or unreasonable, in particular because it is repetitive. Requests may be considered manifestly unfounded if, for example, they are completely devoid of justification on prima facie grounds (in cases where justification is necessary) and it is not possible to assess what the data subject is concerned about, even by interpretation ( e.g., an objection to processing pursuant to Article 21(1) of the GDPR, if the DS fails to provide information in the request about their situation that enables the controller to assess whether a legitimate interest outweighs the interests of the data subject). In particular, requests may be considered manifestly unfounded if they are unreasonably repetitive or large in number. This is not to be generalized and should always be considered in the context of the case. The manifest unfoundedness or disproportionate nature of the request shall be documented and justified by the controller in a communication informing the data subject and the Data Protection Officer of the request's rejection. This justification shall be documented by the Controller and stored for possible inspection by the Supervisory Authority.
PDPA
Act No. 110/2019 Sb., on Personal Data Processing and on Amendments to Certain Acts, as amended.
Personal data processing
Any operation or set of operations with personal data or sets of personal data which is carried out with or without the aid of automated procedures, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, restriction, erasure or destruction.
Personal data processor
A natural person or legal entity, public authority, agency, or other entity that processes personal data for the controller.
Special data categories (sensitive data)
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning the health or sex life or sexual orientation of a natural person.
If you have a request or grievance regarding the processing of your personal data or a question about the person responsible for the processing of personal data in our company, please contact us using our web form. Alternatively, you can contact us by writing to ČEZ, a. s., Duhová 2/1444, 140 53 Praha 4, using the subject line “personal data processing”. We will respond to your requests, questions, or grievances as soon as possible, but no later than one month after receipt. If we are unable to deal with your request in a timely manner due to the complexity of your request or the high number of requests from other persons, we will inform you of the necessary time extension.
Our Data Protection Officer is Mgr. Petr Brázda, LL.M. He can be contacted via the web form or in writing at Pověřenec pro ochranu osobních údajů, ČEZ, a. s., Duhová 2/1444, 140 53, Praha 4 or via databox ID: yqkcds6. Details on ways to contact the Data Protection Officer, their mission, and competence in dealing with your rights are available on the Data Protection Officer website.
This document is effective from the date of publication on May 25, 2018. The text was last updated on September 1, 2023.