Our company processes your personal data mainly for the purpose of fulfilling the obligations set out in specific legal regulations. The Energy Act imposes on our company, as the operator of the electricity distribution system, the obligation to ensure the reliable operation, renewal and development of this distribution system, as well as the obligation to provide distribution system services.

consent to the processing of personal data for one or more specific purposes (Article 6(1)(a) of the GDPR);

We only collect your consent in specific cases where the processing of personal data in question is not carried out on the basis of another legal title. In these cases, you are always informed for which specific purpose, for how long, etc. your consent will be collected and recorded, and your consent to the processing of personal data is voluntary and can be withdrawn at any time, either according to the procedure defined for the specific case of personal data processing or according to the procedure defined for the specific case of personal data processing, or in general through a request to the CEZ GDPR Data Protection Officer (cez.cz).

The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures taken prior to the conclusion of the contract at the request of the data subject (Article 6(1)(b) of the GDPR);

In the context of this processing of personal data, you or your representative are a party to the contract being prepared or concluded, i.e. you are in possession of the content of the contract in question and, at the same time, of information related to the processing of personal data. Alternatively, if the contract is concluded e.g. electronically via a specific website or web application, information on the processing of personal data for this specific purpose is always provided directly on the website or application.

the processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) of the GDPR);

Our company is subject to many legal obligations under Czech and European law. For greater clarity and for your better information, in the overview of specific purposes attached below, we list the basic legal provisions that determine the areas of processing of personal data based on the fulfilment of a legal obligation.

processing is necessary for the protection of the vital interests of the data subject or of another natural person (Article 6(1)(d) of the GDPR);

We do not normally process your personal data on the basis of this legal basis. Thus, the processing in question could only occur in quite exceptional circumstances, of which you would be informed by us, including the provision of further information regarding any such processing of your personal data.

the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) GDPR);

We do not normally process your personal data on the basis of this legal basis. The processing of your personal data in question could only take place in quite exceptional circumstances, of which you would be informed by us, including the provision of further information regarding any such processing of your personal data.

processing is necessary for the purposes of the legitimate interests of the controller or third party concerned, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular where the data subject is a child (Article 6(1)(f) of the GDPR);

The legitimate interests of our company are, in particular, to ensure the safety and health protection of persons and property, to keep the necessary internal records (e.g. lists of qualifications of employees of contractors working on our premises, etc.), to verify the competence of key employees, to prepare contracts with suppliers, customers and employees, marketing surveys, etc.

In all cases of processing of personal data that is based on the legal title of legitimate interest of the data controller, we perform a so-called balance test. We will only proceed with the processing of personal data when we have verified by a test that our interests outweigh the interests, rights and freedoms of the data subjects concerned. In the actual processing of personal data, we always ensure that the interests, rights and freedoms of data subjects are affected to the least possible extent.

An overview of the specific purposes, legal titles, and periods for which personal data are retained are provided in the table attached. The legal titles marked A–F are defined above.

PURPOSE OF PERSONAL DATA PROCESSING	LEGAL FRAMEWORK	RETREAT HUNT	LEGISLATION
Fulfilling the agenda of the Personal Data Protection Officer by ČEZ, a. s.	B C	5 years	Regulation 2016/679/EU General Data Protection Regulation
Investigation of information security events/incidents	C F	5 years/10 years for Critical Information Infrastructure	Act No. 181/2014 Coll., on Cyber Security
Protection and processing of personal data in ČEZd	C F	up to 11 years	Regulation 2016/679/EU General Data Protection Regulation Act No. 110/2019 Coll., on the processing of personal data
Evidence of assessment and management of findings	F	up to 11 years
Implementation of information and cyber security	B C F	up to 11 years	Act No. 181/2014 Coll., on Cyber Security Decree No. 82/2018 Coll., on Cyber Security
Whistleblowing and investigating possible infringements	C	5 years from the end of the investigation	Act No. 171/2023 Coll., on the protection of whistleblowers
Compliance agenda	C F	up to 5 years	Act No. 69/2006 Coll., on the implementation of international sanctions Act No. 253/2008 Coll., on certain measures against the legalization of the proceeds of crime and the financing of terrorism
Handling requests for information and related obligations under Act No. 106/1999 Coll.	C F	5 years from the processing of the application	Act No. 106/1999 Coll., on free access to information
Protection of classified information	C	for the period of validity of the certificate of the natural person	Act No. 412/2005 Coll., on the Protection of Classified Information and Security Clearance
Protection of persons and property - camera systems	C F	up to 30 days	Act No. 412/2005 Coll., on the Protection of Classified Information and Security Clearance Act No. 181/2014 Coll., on Cyber Security
Protection of persons and property - physical protection	C F	for the duration of the employment contract or contractual relationship with the supplier	Act No. 240/2000 Coll., Crisis Act Act No. 412/2005 Coll., on the Protection of Classified Information and Security Clearance
Fulfilling the obligations arising from Occupational Health and Safety	B C F	up to 45 years	Government Regulation No. 201/2010 Coll., on the manner of recording, reporting and sending accident records Act No. 262/2006 Coll., Labour Code
Fulfilling the obligations arising from the Fire Protection Act	C	for the period of archiving in accordance with the shredding regulations	Act No. 133/1985 Coll., on fire protection
Compliance with Environmental Protection obligations	B C		Act No. 541/2020 Coll., on waste and other environmental legislation Act No. 89/1995 Coll., on the State Statistical Service
Crisis Management - Crisis Communication	C	permanently / for the duration of the preventive and emergency measure	Act No. 240/2000 Coll., Crisis Act
Processing of personal data in epidemics and other humanitarian emergencies	C D E	for the duration of the emergency preventive (protective) measures and for the time necessary for their evaluation	Act No. 240/2000 Coll., Crisis Act
Ensuring the operation of critical information infrastructure	C D E	for the duration of the validity of a measure of a general nature on the designation of a critical infrastructure element OR up to 10 years	Act No. 181/2014 Coll., on Cyber Security Act No. 458/2000 Coll., the Energy Act Decree No. 79/2010 Coll., on dispatch control of the electricity system and on the transmission of data for dispatch control
Recording of dispatcher communications using the unified dispatcher radio system (dispatcher terminals) and associated management	B C	5 years	Decree No 79/2010 Coll., on dispatching control of the electricity system and transmission of data for dispatching control
Unified remote access system - monitoring (recording) activities of administrators and other users	C F	5 years	Act No. 181/2014 Coll., on Cyber Security Decree No. 82/2018 Coll., on Cyber Security
Technical records of distribution system equipment	B C	for the duration of the contract or 2 years from the date of application	Act No. 458/2000 Coll., the Energy Act
Legislative discussion of construction in relation to the fulfilment of electricity distribution obligations	B C	for the duration of the existence/operation of the facility in question	Act No. 183/2006 Coll., Building Act Act No. 256/2013 Coll., Cadastral Act Act No. 458/2000 Coll., Energy Act
Property relations related to the operation of the distribution system	B C	for as long as the building exists (until the building is removed) or the property is owned	Act No. 256/2013 Coll., Cadastral Act Act No. 458/2000 Coll., Energy Act Act No. 89/2012 Coll., Civil Code Act No. 183/2006 Coll., Building Act
Operation and maintenance of the distribution system	B C	5 years	Act No. 458/2000 Coll., Energy Act Decree No. 408/2015 Coll., on Electricity Market Rules Decree No. 540/2005 Coll., on the Quality of Electricity Supply and Related Services in the Electricity Sector
Distributor customer service	B C F	up to 10 years after termination of contract, recordings 1 year	Act No. 458/2000 Coll., Energy Act Decree No. 16/2016 Coll., on Conditions of Connection to the Electricity Systém Decree No. 408/2015 Coll., on Electricity Market Rules Decree No. 540/2005 Coll., on Quality of Electricity Supply and Related Services in the Electricity Sector
Provision of service activities to authorised market participants in connection with electricity metering	B C F	up to 10 years after the end of the contract	Decree No. 359/2020 Coll., on electricity metering Decree No. 408/2015 Coll., on Electricity Market Rules Decree No. 540/2005 Coll., on the quality of electricity supply and related services in the electricity sector Act No. 458/2000 Coll., Energy Act
Ensuring readings and transmission of data to authorised market participants in connection with electricity metering	B C	up to 10 years after the end of the contract	Decree No. 359/2020 Coll., on electricity metering Decree No. 408/2015 Coll., on Electricity Market Rules Decree No. 540/2005 Coll., on the quality of electricity supply and related services in the electricity sector Act No. 458/2000 Coll., Energy Act
Securing measurement data Automated Meter Management - pilot project	F	up to 10 years after the end of the contract
Ensuring detection, prevention and elimination of unauthorized consumption, prevention of distribution system losses, protection of property, provision of evidence	C F	10 years after the end of the accounting period in which the invoice was issued or 5 years after the recovery of the debt, where the total period may not be less than 10 years after the invoice was issued	Act No. 458/2000 Coll., the Energy Act Decree No. 82/2011 Coll., on electricity metering and on the method of determining compensation for damages in the event of unauthorised consumption, unauthorised supply, unauthorised transmission or unauthorised distribution of electricity Decree No. 540/2005 Coll., on the quality of electricity supply and related services in the electricity sector Decree No. 359/2020 Coll., on electricity metering
Ensuring financial settlement of contractual relations	B C	up to 11 years	Act No. 235/2004 Coll., on Value Added Tax Decree No. 70/2016 Coll., on billing for supplies and related services in energy sectors Act No. 458/2000 Coll., Energy Act Act No. 586/1992 Coll., on Income Taxes Act No. 563/1991 Coll., on Accounting Act No. 280/2009 Coll., Tax Code Act No. 89/2012 Coll., Civil Code
Ensuring the company's debt management processes in the out-of-court and court part	B C F	10 years after the end of the legal recovery	Act No. 120/2001 Coll., Enforcement Code Act No. 141/1961 Coll., Criminal Code Act No. 262/2006 Coll., Labour Code Act No. 89/2012 Coll., Civil Code Act No. 99/1963 Coll., Civil Procedure Code
Customer satisfaction	B F	up to 2 years
Complaints, claims and other suggestions	B C	5 years from the conclusion of the complaint	Decree No. 540/2005 Coll., on the quality of electricity supply and related services in the electricity sector Act No. 458/2000 Coll., Energy Act Act No. 89/2012 Coll., Civil Code
Ombudsman - resolving customer complaints	B F	5 years from closure
Public relations	A B F	up to two years or for the duration of the consent
Damage management	C F	5 years from the conclusion of the case	Act No. 89/2012 Coll., Civil Code
Ensuring the processing of requirements to meet legislative and operational obligations (creation of forecasts, balances and technical analyses in the distribution system).	C	10 years after termination of the contract	Act No. 458/2000 Coll., Energy Act Decree No. 408/2015 Coll., on Electricity Market Rules
Processing of the application for Consent for the activity and location of the construction in the protection zone of the distribution system equipment and the application for comments on the project documentation (for foreign constructions)	C	up to 10 years	Act No. 458/2000 Coll., Energy Act Act No. 183/2006 Coll., Building Act
Register of verified contractors - contractors and subcontractors of ČEZ Distribuce	B C	up to 5 years after the end of the contract	Act No. 458/2000 Coll., the Energy Act Act No. 455/1991 Coll., the Trade Licensing Act Government Regulation No. 361/2007 Coll., laying down conditions for occupational health protection Government Regulation No. 378/2001 Coll., laying down more detailed requirements for the safe operation and use of machinery, technical equipment, devices and tools Government Regulation No. 362/2005 Coll., laying down more detailed requirements for occupational safety and health protection at workplaces with a risk of falling from height or to depth
Legal services	B C F	For the duration of the legal dispute + 1 year; for the duration of the power of attorney/power of attorney, or up to 5 years	Act No. 340/2015 Coll., on the Register of Contracts
Records of trade secrets	F	5 years
Providing access to information and business resources	B	11 years
Conclusion of purchase and sales contracts	B C	up to one year after the end of the contract and the expiry of the shredding period for that type of document	Act No. 89/2012 Coll., Civil Code Decree No. 16/2016 Coll., on conditions of connection to the electricity grid Decree No. 540/2005 Coll., on the quality of electricity supply and related services in the electricity sector
Registration and management of contracts	B C	up to 10 years from the date of termination of the contract, or from the expiry of the guarantee period; in the case of court or similar proceedings, until their conclusion, or archival material - without a shrinking period (purchase contracts, easements....)	Act No. 458/2000 Coll., Energy Act Act No. 89/2012 Coll., Civil Code
Records of requirements related to the management of real estate assets (repairs, cleaning, servicing, maintenance, revisions, expert opinions, etc.)	B C	5 years from the implementation of the request	Act No. 89/2012 Coll., Civil Code
Processing of cookies on the website	A C F	processing on the user's device according to the type of cookie	Act No. 127/2005 Coll., on electronic communications
Advanced analytics and reporting	F	up to 10 years
Recruitment and student programmes	A B F	For the duration of the consent or up to 11 years
Selection of staff for verification of mental/personal competence/qualifications	C F	retention managed by ČEZ, a.s.	Decree No 79/2010 Coll., on dispatching control of the electricity system and transmission of data for dispatching control
Training of internal and external staff	C F	usually for the duration of the employment relationship	Act No. 262/2006 Coll., Labour Code
Processing accounting documents, sending and receiving documents	C	11 years from the end of the annual accounting period	Act No. 563/1991 Coll., on Accounting Act No. 280/2009 Coll., Tax Code
Postal and filing service	F	According to the shredding period of the relevant document
National Platform Network Semaphore	C	up to 5 years	Act No. 458/2000 Coll., Energy Act
Direct marketing (offering products and services to customers)	C F	for the duration of the contract	Act No. 480/2004 Coll., on Certain Information Society Services and on Amendments to Certain Acts
Conducting (marketing) research	B F	up to 1 year
Electromobility	B C	11 years	Act No. 235/2004 Coll., on value added tax
Storage	C	5 years from the issue of the document	Act No. 563/1991 Coll., on Accounting
Operation of the IT system for the Electric Power Data Centre	B C	Controlled by the data controller	Act No. 458/2000 Coll., Energy Act
Intelligent measuring systems	C	up to 10 years after the end of the contract	Act No. 458/2000 Coll., Energy Act Decree No. 359/2020 Coll., on electricity metering