Information on the processing of personal data

ČEZ Distribuce, a. s., reg. No.: 24729035, having its registered office at Děčín - Děčín IV-Podmokly, Teplická 874/8, postcode 405 02, registered in the Commercial Register maintained by the Regional Court in Ústí nad Labem under File B 2145, as the personal data controller (hereinafter referred to as “our company”), hereby informs you of the principles and procedures for processing your personal data and of your rights relating to the protection of personal data, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter referred to as “GDPR”) and Act No. 110/2019 Sb., on the processing of personal data, as amended (hereinafter referred to as “PDPA”).

Our company i also a member of CEZ Group, together with other companies with ČEZ, a. s., as the controlling entity within the meaning of Section 79 of Act No. 90/2012 Sb., on commercial companies and cooperatives, as amended (hereinafter referred to as the “BCA”). Therefore, the principles and procedures for processing and protecting personal data, their security, and the exercise of your rights as data subjects, including the appointment of a Data Protection Officer, are set uniformly for all companies that are part of CEZ Group.

Mgr. Petr Brázda, LL.M. has been appointed as the Data Protection Officer for the CEZ Group’s corporate group companies and selected companies with in the CEZ Group.

The information provided herein is of a general legally normative nature, and therefore does not form part of any contract and may be updated in our communications with details relating to the specific case of personal data processing.

Our company and its contractual processors in particular process the following categories of your personal data in accordance with the relevant legal title and purpose of processing:

Identification, authentication and address data: name, surname, academic degree, date of birth, data from identity documents, permanent or temporary residence address, nationality, place and country of birth, registered office, registration number, in rare cases birth number, handwritten signature, and electronic signature;

1. Contact details: telephone number, e-mail address, , databox ID, delivery or other contact address;
2. Electronic data: IP address, cookies, authentication and e-signature certificates, operational data, location data of the device used by the user, identifiers in social networks and communication platforms;
3. Other personal data related to the contractual relationship: bank account number, customer account number, EAN, Energy Identification Code, Distribution rate, data obtained from meter readings and other technical data related to the customer's point of consumption, card access ID number (if assigned to you), user personal account access ID and password (if created);
4. In specific cases, personal data of special categories;
5. Personal data in audio files—audio recordings;
6. Personal data in image files—camera recordings, photographs, videos.

Your personal data may be processed by us manually or by automated procedures. We do not use automated decision-making in the automated processing of your data that could affect your rights, except as set out below.

We only use automated decision-making for certain connection requests, where the robotics evaluates the completeness of the request made and the actual connectivity according to the parameters specified. These facts are not evaluated by artificial intelligence, but by an "ordinary" computer program according to rules we have clearly set.

Detailed description of operation:

A computer program designed to make automated decisions on received requests evaluates the completeness of the entered values and the customer's connection to the specified point of consumption, if there is an active contractual relationship between them at the time. Furthermore, the program evaluates the connectivity according to the parameters set by us (e.g. main circuit breaker amount, voltage level, new appliance input, required installed and reserved power of the generation source, etc.). If the request meets all the specified conditions, the program creates a draft contract and sends it for signature in the manner you specify in the request. Otherwise, the request is forwarded for manual review and processing. In other words, any rejection of the request is not done by our robotics, but is always the result of our employee's assessment.

The following applications are currently subject to automated decision-making:

-request for a change of an existing connection at LV (low voltage) level - change of the nature of consumption with a circuit breaker up to 3x32 A

-request for change of existing connection at LV (low voltage) level - change of reserved power (circuit breaker) with circuit breaker up to 3x32 A.

-request for standard connection of a micro source to an existing point of consumption at LV (low voltage) level with a circuit breaker up to 3x32 A.

ČEZ Distribuce obtains your personal data primarily directly from you, especially in the context of negotiations on the conclusion of a contract and further in the course of its performance, or from third parties who mediate such negotiations, in order to facilitate your access to our services as much as possible in the latter case. Therefore, we offer you the possibility of arranging, operating, managing and communicating about certain services through companies other than ours. This is the case, for example, when you arrange a connection contract. In this case, part of your data, in particular the basic data necessary for your identification and authentication, is also processed by the company you are dealing with. In many cases, the conclusion of the type of contract in question, which defines the mutual rights and obligations of the parties, takes place through another company that acts on behalf of our company by proxy.

Another possible source is data obtained by our company as part of the aforementioned group processing of personal data by selected CEZ Group companies.

We also generate other personal data about you, which are mainly data on consumption and consumer behavior (in the case of distribution of electricity).

Furthermore, we may collect your personal data from public registers or from administrative authorities (for example, from the trade register, the land register, the insolvency register, or the central execution register, etc.). Alternatively, in specific cases, we may also collect your personal data from non-public records on the basis of the relevant legislation. We only use data obtained from such sources for the puroses for which they were originally published.

Our company monitors and records communications with you because of its legitimate interest in the safe operation of the distribution system and the safety of persons and property (for example, recorded calls with customers on our call center). In these cases, we will always inform you in advance and you have the right to refuse the use of this procedure. However, there are also special communication lines dedicated exclusively to dealing with crisis and emergency situations, which are always recorded.

Our company has installed and operates camera systems with recording to ensure the safety of the buildings and construction sites where it carries out its activities, as well as to ensure the safety of the services provided. In places where CCTV systems are used, we warn with information signs and pictograms about the possibility of processing personal data when entering such areas, with our company as the controller. And also with a link to the website where more detailed information on the processing of the footage taken is available. For some objects, our company is a joint controller of the camera recordings with ČEZ, a. s. Detailed information can also be found on their website www.cez.cz (we have concluded a contract with ČEZ, a. s. on mutual rights and obligations of joint controllers).

Specific examples of the use of cameras include monitoring of non-public areas and company grounds against unauthorized entry (for persons without electrical qualifications, movement in such areas can be life-threatening), recording work procedures and documenting the safe operation of technologies and equipment. Monitoring of selected strategic constructions is carried out to supervise the construction and its progress, compliance with technological procedures, quality of delivery, etc. (with the primary purpose of checking the construction progress and compliance with technological procedures with emphasis on minimizing the interception of individuals). Furthermore, we may use the record in defined cases for the purpose of ensuring OSH on construction sites, or for the use of the obtained material for presentation purposes of our company (again with emphasis on minimizing personal data disclosed in the materials).

If these activities result in the accidental capture of a data subject, the data shall not be evaluated or stored. The analysis of CCTV footage, personal data and identification of persons only occurs in the context of an investigation of an emergency, security incident or unusual or unlawful behaviour of an individual.

We also use mobile cameras, whose recordings are used to document the detection, prevention and elimination of unauthorised electricity consumption in accordance with the provisions of Section 51 of Act No. 458/2000 Coll, on the conditions of doing business and on the exercise of state administration in the energy sectors and on amendments to certain acts, as amended (hereinafter referred to as the "Energy Act" or "EA"), to document the detection and avoidance of distribution system losses and as evidence for the purposes of recovering compensation for damages caused by unauthorised consumption of electricity, in accordance with the requirements of legislation and case law. The records made shall be archived for a certain predetermined period of time only and shall be deleted at the end of that period if no decision is taken to hand them over. The purpose of taking video footage is not primarily to collect information about individuals, but to document processes and activities that may be the source of unlawful or otherwise harmful conduct.

CCTV footage may be provided to administrative and law enforcement authorities if necessary.

Our company processes your personal data mainly for the purpose of fulfilling the obligations set out in specific legal regulations. The Energy Act imposes on our company, as the operator of the electricity distribution system, the obligation to ensure the reliable operation, renewal and development of this distribution system, as well as the obligation to provide distribution system services.

A

consent to the processing of personal data for one or more specific purposes (Article 6(1)(a) of the GDPR);

We only collect your consent in specific cases where the processing of personal data in question is not carried out on the basis of another legal title. In these cases, you are always informed for which specific purpose, for how long, etc. your consent will be collected and recorded, and your consent to the processing of personal data is voluntary and can be withdrawn at any time, either according to the procedure defined for the specific case of personal data processing or according to the procedure defined for the specific case of personal data processing, or in general through a request to the CEZ GDPR Data Protection Officer (cez.cz).

B

The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures taken prior to the conclusion of the contract at the request of the data subject (Article 6(1)(b) of the GDPR);

In the context of this processing of personal data, you or your representative are a party to the contract being prepared or concluded, i.e. you are in possession of the content of the contract in question and, at the same time, of information related to the processing of personal data. Alternatively, if the contract is concluded e.g. electronically via a specific website or web application, information on the processing of personal data for this specific purpose is always provided directly on the website or application.

C

the processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) of the GDPR);

Our company is subject to many legal obligations under Czech and European law. For greater clarity and for your better information, in the overview of specific purposes attached below, we list the basic legal provisions that determine the areas of processing of personal data based on the fulfilment of a legal obligation.

D

processing is necessary for the protection of the vital interests of the data subject or of another natural person (Article 6(1)(d) of the GDPR);

We do not normally process your personal data on the basis of this legal basis. Thus, the processing in question could only occur in quite exceptional circumstances, of which you would be informed by us, including the provision of further information regarding any such processing of your personal data.

E

the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) GDPR);

We do not normally process your personal data on the basis of this legal basis. The processing of your personal data in question could only take place in quite exceptional circumstances, of which you would be informed by us, including the provision of further information regarding any such processing of your personal data.

F

processing is necessary for the purposes of the legitimate interests of the controller or third party concerned, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular where the data subject is a child (Article 6(1)(f) of the GDPR);

The legitimate interests of our company are, in particular, to ensure the safety and health protection of persons and property, to keep the necessary internal records (e.g. lists of qualifications of employees of contractors working on our premises, etc.), to verify the competence of key employees, to prepare contracts with suppliers, customers and employees, marketing surveys, etc.

In all cases of processing of personal data that is based on the legal title of legitimate interest of the data controller, we perform a so-called balance test. We will only proceed with the processing of personal data when we have verified by a test that our interests outweigh the interests, rights and freedoms of the data subjects concerned. In the actual processing of personal data, we always ensure that the interests, rights and freedoms of data subjects are affected to the least possible extent.

An overview of the specific purposes, legal titles, and periods for which personal data are retained are provided in the table attached. The legal titles marked A–F are defined above.

PURPOSE OF PERSONAL DATA PROCESSING	LEGAL FRAMEWORK	RETREAT HUNT	LEGISLATION
Fulfilling the agenda of the Personal Data Protection Officer by ČEZ, a. s.	B C	5 years	Regulation 2016/679/EU General Data Protection Regulation
Investigation of information security events/incidents	C F	5 years/10 years for Critical Information Infrastructure	Act No. 181/2014 Coll., on Cyber Security
Protection and processing of personal data in ČEZd	C F	up to 11 years	Regulation 2016/679/EU General Data Protection Regulation Act No. 110/2019 Coll., on the processing of personal data
Evidence of assessment and management of findings	F	up to 11 years
Implementation of information and cyber security	B C F	up to 11 years	Act No. 181/2014 Coll., on Cyber Security Decree No. 82/2018 Coll., on Cyber Security
Whistleblowing and investigating possible infringements	C	5 years from the end of the investigation	Act No. 171/2023 Coll., on the protection of whistleblowers
Compliance agenda	C F	up to 5 years	Act No. 69/2006 Coll., on the implementation of international sanctions Act No. 253/2008 Coll., on certain measures against the legalization of the proceeds of crime and the financing of terrorism
Handling requests for information and related obligations under Act No. 106/1999 Coll.	C F	5 years from the processing of the application	Act No. 106/1999 Coll., on free access to information
Protection of classified information	C	for the period of validity of the certificate of the natural person	Act No. 412/2005 Coll., on the Protection of Classified Information and Security Clearance
Protection of persons and property - camera systems	C F	up to 30 days	Act No. 412/2005 Coll., on the Protection of Classified Information and Security Clearance Act No. 181/2014 Coll., on Cyber Security
Protection of persons and property - physical protection	C F	for the duration of the employment contract or contractual relationship with the supplier	Act No. 240/2000 Coll., Crisis Act Act No. 412/2005 Coll., on the Protection of Classified Information and Security Clearance
Fulfilling the obligations arising from Occupational Health and Safety	B C F	up to 45 years	Government Regulation No. 201/2010 Coll., on the manner of recording, reporting and sending accident records Act No. 262/2006 Coll., Labour Code
Fulfilling the obligations arising from the Fire Protection Act	C	for the period of archiving in accordance with the shredding regulations	Act No. 133/1985 Coll., on fire protection
Compliance with Environmental Protection obligations	B C		Act No. 541/2020 Coll., on waste and other environmental legislation Act No. 89/1995 Coll., on the State Statistical Service
Crisis Management - Crisis Communication	C	permanently / for the duration of the preventive and emergency measure	Act No. 240/2000 Coll., Crisis Act
Processing of personal data in epidemics and other humanitarian emergencies	C D E	for the duration of the emergency preventive (protective) measures and for the time necessary for their evaluation	Act No. 240/2000 Coll., Crisis Act
Ensuring the operation of critical information infrastructure	C D E	for the duration of the validity of a measure of a general nature on the designation of a critical infrastructure element OR up to 10 years	Act No. 181/2014 Coll., on Cyber Security Act No. 458/2000 Coll., the Energy Act Decree No. 79/2010 Coll., on dispatch control of the electricity system and on the transmission of data for dispatch control
Recording of dispatcher communications using the unified dispatcher radio system (dispatcher terminals) and associated management	B C	5 years	Decree No 79/2010 Coll., on dispatching control of the electricity system and transmission of data for dispatching control
Unified remote access system - monitoring (recording) activities of administrators and other users	C F	5 years	Act No. 181/2014 Coll., on Cyber Security Decree No. 82/2018 Coll., on Cyber Security
Technical records of distribution system equipment	B C	for the duration of the contract or 2 years from the date of application	Act No. 458/2000 Coll., the Energy Act
Legislative discussion of construction in relation to the fulfilment of electricity distribution obligations	B C	for the duration of the existence/operation of the facility in question	Act No. 183/2006 Coll., Building Act Act No. 256/2013 Coll., Cadastral Act Act No. 458/2000 Coll., Energy Act
Property relations related to the operation of the distribution system	B C	for as long as the building exists (until the building is removed) or the property is owned	Act No. 256/2013 Coll., Cadastral Act Act No. 458/2000 Coll., Energy Act Act No. 89/2012 Coll., Civil Code Act No. 183/2006 Coll., Building Act
Operation and maintenance of the distribution system	B C	5 years	Act No. 458/2000 Coll., Energy Act Decree No. 408/2015 Coll., on Electricity Market Rules Decree No. 540/2005 Coll., on the Quality of Electricity Supply and Related Services in the Electricity Sector
Distributor customer service	B C F	up to 10 years after termination of contract, recordings 1 year	Act No. 458/2000 Coll., Energy Act Decree No. 16/2016 Coll., on Conditions of Connection to the Electricity Systém Decree No. 408/2015 Coll., on Electricity Market Rules Decree No. 540/2005 Coll., on Quality of Electricity Supply and Related Services in the Electricity Sector
Provision of service activities to authorised market participants in connection with electricity metering	B C F	up to 10 years after the end of the contract	Decree No. 359/2020 Coll., on electricity metering Decree No. 408/2015 Coll., on Electricity Market Rules Decree No. 540/2005 Coll., on the quality of electricity supply and related services in the electricity sector Act No. 458/2000 Coll., Energy Act
Ensuring readings and transmission of data to authorised market participants in connection with electricity metering	B C	up to 10 years after the end of the contract	Decree No. 359/2020 Coll., on electricity metering Decree No. 408/2015 Coll., on Electricity Market Rules Decree No. 540/2005 Coll., on the quality of electricity supply and related services in the electricity sector Act No. 458/2000 Coll., Energy Act
Securing measurement data Automated Meter Management - pilot project	F	up to 10 years after the end of the contract
Ensuring detection, prevention and elimination of unauthorized consumption, prevention of distribution system losses, protection of property, provision of evidence	C F	10 years after the end of the accounting period in which the invoice was issued or 5 years after the recovery of the debt, where the total period may not be less than 10 years after the invoice was issued	Act No. 458/2000 Coll., the Energy Act Decree No. 82/2011 Coll., on electricity metering and on the method of determining compensation for damages in the event of unauthorised consumption, unauthorised supply, unauthorised transmission or unauthorised distribution of electricity Decree No. 540/2005 Coll., on the quality of electricity supply and related services in the electricity sector Decree No. 359/2020 Coll., on electricity metering
Ensuring financial settlement of contractual relations	B C	up to 11 years	Act No. 235/2004 Coll., on Value Added Tax Decree No. 70/2016 Coll., on billing for supplies and related services in energy sectors Act No. 458/2000 Coll., Energy Act Act No. 586/1992 Coll., on Income Taxes Act No. 563/1991 Coll., on Accounting Act No. 280/2009 Coll., Tax Code Act No. 89/2012 Coll., Civil Code
Ensuring the company's debt management processes in the out-of-court and court part	B C F	10 years after the end of the legal recovery	Act No. 120/2001 Coll., Enforcement Code Act No. 141/1961 Coll., Criminal Code Act No. 262/2006 Coll., Labour Code Act No. 89/2012 Coll., Civil Code Act No. 99/1963 Coll., Civil Procedure Code
Customer satisfaction	B F	up to 2 years
Complaints, claims and other suggestions	B C	5 years from the conclusion of the complaint	Decree No. 540/2005 Coll., on the quality of electricity supply and related services in the electricity sector Act No. 458/2000 Coll., Energy Act Act No. 89/2012 Coll., Civil Code
Ombudsman - resolving customer complaints	B F	5 years from closure
Public relations	A B F	up to two years or for the duration of the consent
Damage management	C F	5 years from the conclusion of the case	Act No. 89/2012 Coll., Civil Code
Ensuring the processing of requirements to meet legislative and operational obligations (creation of forecasts, balances and technical analyses in the distribution system).	C	10 years after termination of the contract	Act No. 458/2000 Coll., Energy Act Decree No. 408/2015 Coll., on Electricity Market Rules
Processing of the application for Consent for the activity and location of the construction in the protection zone of the distribution system equipment and the application for comments on the project documentation (for foreign constructions)	C	up to 10 years	Act No. 458/2000 Coll., Energy Act Act No. 183/2006 Coll., Building Act
Register of verified contractors - contractors and subcontractors of ČEZ Distribuce	B C	up to 5 years after the end of the contract	Act No. 458/2000 Coll., the Energy Act Act No. 455/1991 Coll., the Trade Licensing Act Government Regulation No. 361/2007 Coll., laying down conditions for occupational health protection Government Regulation No. 378/2001 Coll., laying down more detailed requirements for the safe operation and use of machinery, technical equipment, devices and tools Government Regulation No. 362/2005 Coll., laying down more detailed requirements for occupational safety and health protection at workplaces with a risk of falling from height or to depth
Legal services	B C F	For the duration of the legal dispute + 1 year; for the duration of the power of attorney/power of attorney, or up to 5 years	Act No. 340/2015 Coll., on the Register of Contracts
Records of trade secrets	F	5 years
Providing access to information and business resources	B	11 years
Conclusion of purchase and sales contracts	B C	up to one year after the end of the contract and the expiry of the shredding period for that type of document	Act No. 89/2012 Coll., Civil Code Decree No. 16/2016 Coll., on conditions of connection to the electricity grid Decree No. 540/2005 Coll., on the quality of electricity supply and related services in the electricity sector
Registration and management of contracts	B C	up to 10 years from the date of termination of the contract, or from the expiry of the guarantee period; in the case of court or similar proceedings, until their conclusion, or archival material - without a shrinking period (purchase contracts, easements....)	Act No. 458/2000 Coll., Energy Act                       Act No. 89/2012 Coll., Civil Code
Records of requirements related to the management of real estate assets (repairs, cleaning, servicing, maintenance, revisions, expert opinions, etc.)	B C	5 years from the implementation of the request	Act No. 89/2012 Coll., Civil Code
Processing of cookies on the website	A C F	processing on the user's device according to the type of cookie	Act No. 127/2005 Coll., on electronic communications
Advanced analytics and reporting	F	up to 10 years
Recruitment and student programmes	A B F	For the duration of the consent or up to 11 years
Selection of staff for verification of mental/personal competence/qualifications	C F	retention managed by ČEZ, a.s.	Decree No 79/2010 Coll., on dispatching control of the electricity system and transmission of data for dispatching control
Training of internal and external staff	C F	usually for the duration of the employment relationship	Act No. 262/2006 Coll., Labour Code
Processing accounting documents, sending and receiving documents	C	11 years from the end of the annual accounting period	Act No. 563/1991 Coll., on Accounting Act No. 280/2009 Coll., Tax Code
Postal and filing service	F	According to the shredding period of the relevant document
National Platform Network Semaphore	C	up to 5 years	Act No. 458/2000 Coll., Energy Act
Direct marketing (offering products and services to customers)	C F	for the duration of the contract	Act No. 480/2004 Coll., on Certain Information Society Services and on Amendments to Certain Acts
Conducting (marketing) research	B F	up to 1 year
Electromobility	B C	11 years	Act No. 235/2004 Coll., on value added tax
Storage	C	5 years from the issue of the document	Act No. 563/1991 Coll., on Accounting
Operation of the IT system for the Electric Power Data Centre	B C	Controlled by the data controller	Act No. 458/2000 Coll., Energy Act
Intelligent measuring systems	C	up to 10 years after the end of the contract	Act No. 458/2000 Coll., Energy Act Decree No. 359/2020 Coll., on electricity metering

In order to ensure the efficiency and professionalism of the processes, our company may disclose your personal data to its employees or contractual partners as processors of personal data (based on a contract for the processing of personal data or other legal act) or to contractual partners as joint controllers of personal data (based on a contract on the mutual rights and obligations of joint controllers or other legal act) or to another data controller as recipients of personal data in justified cases.

For our contractual processors of personal data, we require a similar organizational and technical standard of personal data protection as we have set uniformly for the entire CEZ Group, including compliance with the contractual terms and conditions relating to the processing of personal data (e.g. the obligation to use the personal data in question exclusively for the purposes for which it was transferred to them, the prohibition of sharing the transferred personal data with other processors of personal data without our prior consent, etc.).

We verify compliance with our requirements for the processing of the personal data transferred with the contractual processors concerned before entering into a contract for the processing of personal data (or other legal act), during the term of the contract, and after its termination (in particular as regards the deletion of the personal data transferred, etc.).

Personal data processors

CATEGORIES OF PROCESSORS	ACTIVITY
Security agencies	Ensuring the protection of life, health and property (through external security agencies).
Other CEZ Group companies	ČEZ Distribuce, a. s., is one of the companies of the ČEZ Group and to ensure quality services, it also uses cooperation with its parent company and other subsidiaries, which are listed in more detail on the website Skupina CEZ.
Suppliers or service providers	E.g. contractors of project documentation or implementation of energy structures including related measures, suppliers of CCTV systems, persons carrying out control of consumption points, companies providing management and archiving of contracts and related documents.
Holders of electricity trading licences	Exercise of the licensed activity of electricity trader.
Marketing and communication	Provision of public communication, including the implementation of promotional events, communication materials and marketing research.
Recruitment agencies	Providing recruitment and selection of suitable job applicants.
IT services and software suppliers	Development and maintenance of relevant IT systems, websites, etc.
Postal and courier services	Postal services including remittance delivery, as well as parcel post and courier services.
Legal services and consultancy	Provision of legal services and advice.
Experts and appraisers	Provision of expert and valuation services.
Authorised body	Acting on behalf of the principal (in this case ČEZ, a. s.) on the basis of a proxy or contract.

 

Recipients of personal data

Your personal data may be transferred to third parties who are entitled to receive such personal data. These include, for example, tax, administrative or regulatory authorities. In such cases, we transfer data on the initiative of the requesting institutions, which are entitled to request information about you and we only provide your data if we are obliged to do so by the relevant legislation. However, our company may also provide your personal data to these authorities at its own discretion if it suspects that a crime or offence has been committed (e.g. in the case of detected unauthorised consumption of electricity).

In particular, our company transfers personal data to the following recipients:

• Energy Regulatory Office
• Market operator OTE, a.s.
• Labour Office of the Czech Republic
• Law enforcement authorities (courts, prosecutors and the Police of the Czech Republic)
• Providers of occupational health services
• Companies providing insurance and claims handling services
• State Labour Inspection Office
• National Security Authority
• National Cyber and Security Information Agency

Our company processes your personal data, either directly or through its contractual processors, primarily in Czechia or in the European Union (hereinafter referred to as the “EU”), where the same conditions of protection and security of personal data processing are set through the GDPR Regulation valid and effective for the entire European Union or the European Economic Area (hereinafter referred to as the “EEA”).

Exceptionally, personal data is transferred to third countries or international organizations. In these cases, prior to the transfer of personal data, we assess whether the selected controller or processor provides appropriate guarantees and conditions, including the enforceability of your rights as a data subject, while assessing the effective legal protection of personal data in that country. Therefore, the transfer of your personal data to third countries or international organizations may only occur if the following conditions are met:

• The selected third country / international organization has been subject to a decision of the European Commission which has found that the third country / international organization ensures an adequate level of protection of personal data;
• The selected processor or sub-processor is able to provide appropriate organizational and technical guarantees and in the country of the processor or sub-processor, enforceability of data subjects' rights and effective legal protection of data subjects is ensured.

SUITABLE GUARANTEES INCLUDE THE FOLLOWING:

1. Legally binding and enforceable instruments between public authorities or public entities;
2. Binding corporate rules;
3. Standard data protection clauses adopted by the European Commission;
4. Standard data protection clauses adopted by the relevant supervisory authority and approved by the European Commission;
5. Approved code of conduct with binding and enforceable obligations for the processor in the third country to apply appropriate guarantees, including with regard to the rights of data subjects;
6. Approved certification mechanism with binding and enforceable obligations for the processor in the third country to apply appropriate guarantees, including with regard to the rights of data subjects.

Like most websites, our site uses cookies. You can change or withdraw your consent to the processing of cookies. Detailed information, including current settings and how to change or withdraw your consent to cookies, is available at the footer of www.cezdistribuce.cz under the Site Information link.

Our company also offers you the possibility to use various portal solutions, e.g. Distribution Portal, Geoportal, Measured Data Portal, Supplier Standards Portal, etc.

We display basic information about you and the services you provide on the electronic portals you use to operate our services, and we manage this information to make it easier for you to operate these services. We work with you to keep specific information up-to-date.

We also provide a service to send you service reports and information about planned outages and breakdowns in an easily accessible manner and in accordance with legislative requirements.

We use cloud service providers to provide some services (e.g. the Juice Free portal at www.bezstavy.cz and the Proud mobile app available for download on the App Store and Google Play), always complying with all safety rules and regulations. In particular, we ensure that the data is stored in the European Union or the EEC.

The information system Network Semaphore is also available to the PpS SVR providers to inform them about the availability of the distribution system for the provision of ancillary services - power balance services (PpS SVR).

Our company strives to process your personal data in a transparent and fair manner and to ensure that it is properly protected, always in accordance with the relevant legislation. To assure you of our responsible approach to processing your data, we are ready to respond quickly and professionally to your legitimate requests to verify our responsibility in processing your data and to help us correct any deficiencies.

• If the processing of personal data is based on your consent, you have the right to withdraw your consent for future processing at any time.
• As a data controller, you have the right to request access to your personal data and more detailed information about its processing from us.
• You have the right to request us to correct inaccurate or incomplete personal data.
• You have the right to ask us to provide your personal data in a commonly used and machine-readable format that allows it to be transmitted to another controller, if we have obtained it on the basis of your consent or in connection with the conclusion and performance of a contract and it is processed by automated means.
• You have the right to object to the processing of some or all of your personal data.
• You have the right to ask us to erase your personal data. We will delete your personal data if we determine that we no longer have a legal basis for further processing.
• In the case of automated decision-making, you have the following rights:
• to human intervention - we will arrange for our employee to evaluate the request.
• to express your views - we will take into account all your relevant views
• the right to challenge the decision
• You have the right to complain to the Data Protection Authority.

Please be informed that the exercise of the rights of the subjects pursuant to Art. 12 to 22 of the GDPR may be restricted in accordance with Article 23(1) of the GDPR. Detailed information regarding your rights, including how to exercise your rights in data protection case can be found here.

Cookies

A short text file that is sent to the browser by the website visited. It allows a website to record information about your visit, such as your preferred language and other settings. This can make your next visit to the site easier and more productive. Cookies are important. Without them, browsing the web would be much more difficult.

Supervisory Authority

The authority in the Czech Republic is established as the Office for Personal Data Protection ("OPPD") by the Personal Data Processing Act. It is entrusted with the competences of the central administrative authority for the protection of personal data to the extent provided for by this Act and other competences provided for by special legislation.

Energy Act ('EA')

Act No. 458/2000 Coll., on the conditions of business and the exercise of state administration in the energy sectors and on amendments to certain acts, as amended.

CEZ Concern

A business group declared pursuant to Section 79(3) of Act No. 90/2012 Coll., (the "EA"), headed by the controlling person, ČEZ, a. s., and including other controlled persons. An overview of the Information on personal data processing of all CEZ Group companies is available here.

GDPR Regulation

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal data (hereinafter referred to as "PII")

Any information about an identified or identifiable natural person; an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Protection Officer

The person appointed for the entire CEZ Group and selected companies of the CEZ Group pursuant to Article 37 of the GDPR. The Data Protection Officer ("DPO") has independent responsibility for a defined area of personal data protection for CEZ Group and selected companies of the CEZ Group and is a partner in dealing with the DPO and data subjects. In particular, the DPO is responsible for protecting the interests of data subjects.

Recipient

The natural or legal person, public authority, agency or other entity to whom personal data is disclosed, whether or not it is a third party. The recipient has the legal, contractual or other authority to process the personal data. This includes other controllers or processors such as tax, administrative or regulatory authorities. However, public authorities which may obtain personal data in the context of a specific investigation in accordance with the law of a Member State are not considered recipients; the processing of such personal data by those public authorities must comply with the applicable data protection rules for the purposes of the processing.

CEZ Group

The ČEZ Group is a grouping of several companies around the parent company ČEZ, a. s., operating primarily in the energy sector, linked to this parent company mainly through equity holdings. Further information is available here.

Personal data controller

The legal entity (ČEZ Distribuce, a. s.) which determines the purpose and means of processing personal data, carries out the processing and is responsible for it. The Controller may authorize or entrust the processing of personal data to a Processor.

Data Subject (hereinafter referred to as "DSP")

The natural person to whom the personal data relates. A data subject shall be deemed to be identified or identifiable if his or her identity can be established, directly or indirectly, on the basis of one or more personal data.

Adequacy test

An assessment of a data subject's request by the Data Controller where the data subject's request is manifestly unfounded or unreasonable, in particular because it is repetitive. Requests may be considered manifestly unfounded if, for example, they are completely lacking in justification at first sight (where justification is necessary) and it is not possible to assess even by interpretation what the data subject is concerned about (an example would be an objection to processing pursuant to Article 21(1)(a) of Directive 95/46/EC). In particular, requests may be considered manifestly disproportionate if they are unreasonably repetitive or numerous. This cannot be generalised and must always be considered in the context of the case. The manifest unreasonableness or disproportionality of the request shall be documented and justified by the Controller in a communication informing the data subject and the Data Protection Officer of the refusal of the request. This justification shall be documented by the Controller and stored for possible inspection by the Supervisory Authority.

ZZOÚ

Act No. 110/2019 Coll., on the processing of personal data, as amended.

Processing of personal data

Any operation or set of operations with personal data or sets of personal data which is carried out with or without the aid of automated procedures, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, restriction, erasure or destruction.

Processor of personal data

A natural or legal person, public authority, agency or other entity that processes personal data for the Controller.

Special categories of data (sensitive data)

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning the health or sex life or sexual orientation of a natural person.

If you have a request or complaint regarding the processing of your personal data or a question about the person responsible for the processing of personal data in our company, please contact us using the web form or by correspondence to ČEZ Distribuce, a. s., Guldenerova 2577/19, 326 00 Plzeň. We will respond to your requests, questions or complaints as soon as possible, but no later than within one month of receipt. If, due to the complexity of your request or the high number of requests from other persons, we are unable to deal with your request in time, we will inform you of the necessary extension of time.

Our Data Protection Officer is Mgr. Petr Brázda, LL.M. He can be contacted via the web form or in writing at Personal Data Protection Officer, ČEZ, a. s., Duhová 2/1444, 140 53, Prague 4 or via mailbox ID: yqkcds6. Details on how to contact the Data Protection Officer, his mission and his competence in dealing with your rights are available on the website of the Data Protection Officer.

This Information Memorandum is effective from the date of publication on 25 May 2018. The text was last updated on September 1, 2025.

Information on the processing of personal data of customers, business partners and other external persons of ČEZ Distribuce, a. s. ( Download archive – only in czech)

Over time, there may be changes to the legal regulations governing the rules and conditions for processing and protecting your personal data, or changes to our terms, procedures and methods for processing and protecting your personal data. We will always inform you of these changes by updating this Information, unless the change in question requires us to also notify you by individual communication (by letter or electronic message).