Purposes, legal titles, and duration of the processing of personal data
Our company processes your personal data mainly for the purpose of fulfilling the obligations set out in specific legal regulations. The Energy Act imposes on our company, as the operator of the electricity distribution system, the obligation to ensure the reliable operation, renewal and development of this distribution system, as well as the obligation to provide distribution system services.
A
consent to the processing of personal data for one or more specific purposes (Article 6(1)(a) of the GDPR);
We only collect your consent in specific cases where the processing of personal data in question is not carried out on the basis of another legal title. In these cases, you are always informed for which specific purpose, for how long, etc. your consent will be collected and recorded, and your consent to the processing of personal data is voluntary and can be withdrawn at any time, either according to the procedure defined for the specific case of personal data processing or according to the procedure defined for the specific case of personal data processing, or in general through a request to the CEZ GDPR Data Protection Officer (cez.cz).
B
The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures taken prior to the conclusion of the contract at the request of the data subject (Article 6(1)(b) of the GDPR);
In the context of this processing of personal data, you or your representative are a party to the contract being prepared or concluded, i.e. you are in possession of the content of the contract in question and, at the same time, of information related to the processing of personal data. Alternatively, if the contract is concluded e.g. electronically via a specific website or web application, information on the processing of personal data for this specific purpose is always provided directly on the website or application.
C
the processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) of the GDPR);
Our company is subject to many legal obligations under Czech and European law. For greater clarity and for your better information, in the overview of specific purposes attached below, we list the basic legal provisions that determine the areas of processing of personal data based on the fulfilment of a legal obligation.
D
processing is necessary for the protection of the vital interests of the data subject or of another natural person (Article 6(1)(d) of the GDPR);
We do not normally process your personal data on the basis of this legal basis. Thus, the processing in question could only occur in quite exceptional circumstances, of which you would be informed by us, including the provision of further information regarding any such processing of your personal data.
E
the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) GDPR);
We do not normally process your personal data on the basis of this legal basis. The processing of your personal data in question could only take place in quite exceptional circumstances, of which you would be informed by us, including the provision of further information regarding any such processing of your personal data.
F
processing is necessary for the purposes of the legitimate interests of the controller or third party concerned, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular where the data subject is a child (Article 6(1)(f) of the GDPR);
The legitimate interests of our company are, in particular, to ensure the safety and health protection of persons and property, to keep the necessary internal records (e.g. lists of qualifications of employees of contractors working on our premises, etc.), to verify the competence of key employees, to prepare contracts with suppliers, customers and employees, marketing surveys, etc.
In all cases of processing of personal data that is based on the legal title of legitimate interest of the data controller, we perform a so-called balance test. We will only proceed with the processing of personal data when we have verified by a test that our interests outweigh the interests, rights and freedoms of the data subjects concerned. In the actual processing of personal data, we always ensure that the interests, rights and freedoms of data subjects are affected to the least possible extent.
An overview of the specific purposes, legal titles, and periods for which personal data are retained are provided in the table attached. The legal titles marked A–F are defined above.
| PURPOSE OF PERSONAL DATA PROCESSING | LEGAL FRAMEWORK | RETREAT HUNT | LEGISLATION |
| Fulfilling the agenda of the Personal Data Protection Officer by ČEZ, a. s. | B C |
5 years | Regulation 2016/679/EU General Data Protection Regulation |
| Investigation of information security events/incidents | C F |
5 years/10 years for Critical Information Infrastructure | Act No. 181/2014 Coll., on Cyber Security |
| Protection and processing of personal data in ČEZd | C F |
up to 11 years | Regulation 2016/679/EU General Data Protection Regulation Act No. 110/2019 Coll., on the processing of personal data |
| Evidence of assessment and management of findings | F | up to 11 years | |
| Implementation of information and cyber security | B C F |
up to 11 years | Act No. 181/2014 Coll., on Cyber Security Decree No. 82/2018 Coll., on Cyber Security |
| Whistleblowing and investigating possible infringements | C | 5 years from the end of the investigation | Act No. 171/2023 Coll., on the protection of whistleblowers |
| Compliance agenda | C F |
up to 5 years | Act No. 69/2006 Coll., on the implementation of international sanctions Act No. 253/2008 Coll., on certain measures against the legalization of the proceeds of crime and the financing of terrorism |
| Handling requests for information and related obligations under Act No. 106/1999 Coll. | C F |
5 years from the processing of the application | Act No. 106/1999 Coll., on free access to information |
| Protection of classified information | C | for the period of validity of the certificate of the natural person | Act No. 412/2005 Coll., on the Protection of Classified Information and Security Clearance |
| Protection of persons and property - camera systems | C F |
up to 30 days | Act No. 412/2005 Coll., on the Protection of Classified Information and Security Clearance Act No. 181/2014 Coll., on Cyber Security |
| Protection of persons and property - physical protection | C F |
for the duration of the employment contract or contractual relationship with the supplier | Act No. 240/2000 Coll., Crisis Act Act No. 412/2005 Coll., on the Protection of Classified Information and Security Clearance |
| Fulfilling the obligations arising from Occupational Health and Safety | B C F |
up to 45 years | Government Regulation No. 201/2010 Coll., on the manner of recording, reporting and sending accident records Act No. 262/2006 Coll., Labour Code |
| Fulfilling the obligations arising from the Fire Protection Act | C | for the period of archiving in accordance with the shredding regulations | Act No. 133/1985 Coll., on fire protection |
| Compliance with Environmental Protection obligations | B C |
Act No. 541/2020 Coll., on waste and other environmental legislation Act No. 89/1995 Coll., on the State Statistical Service |
|
| Crisis Management - Crisis Communication | C | permanently / for the duration of the preventive and emergency measure | Act No. 240/2000 Coll., Crisis Act |
| Processing of personal data in epidemics and other humanitarian emergencies | C D E |
for the duration of the emergency preventive (protective) measures and for the time necessary for their evaluation | Act No. 240/2000 Coll., Crisis Act |
| Ensuring the operation of critical information infrastructure | C D E |
for the duration of the validity of a measure of a general nature on the designation of a critical infrastructure element OR up to 10 years | Act No. 181/2014 Coll., on Cyber Security Act No. 458/2000 Coll., the Energy Act Decree No. 79/2010 Coll., on dispatch control of the electricity system and on the transmission of data for dispatch control |
| Recording of dispatcher communications using the unified dispatcher radio system (dispatcher terminals) and associated management | B C |
5 years | Decree No 79/2010 Coll., on dispatching control of the electricity system and transmission of data for dispatching control |
| Unified remote access system - monitoring (recording) activities of administrators and other users | C F |
5 years | Act No. 181/2014 Coll., on Cyber Security Decree No. 82/2018 Coll., on Cyber Security |
| Technical records of distribution system equipment | B C |
for the duration of the contract or 2 years from the date of application | Act No. 458/2000 Coll., the Energy Act |
| Legislative discussion of construction in relation to the fulfilment of electricity distribution obligations | B C |
for the duration of the existence/operation of the facility in question | Act No. 183/2006 Coll., Building Act Act No. 256/2013 Coll., Cadastral Act Act No. 458/2000 Coll., Energy Act |
| Property relations related to the operation of the distribution system | B C |
for as long as the building exists (until the building is removed) or the property is owned | Act No. 256/2013 Coll., Cadastral Act Act No. 458/2000 Coll., Energy Act Act No. 89/2012 Coll., Civil Code Act No. 183/2006 Coll., Building Act |
| Operation and maintenance of the distribution system | B C |
5 years | Act No. 458/2000 Coll., Energy Act Decree No. 408/2015 Coll., on Electricity Market Rules Decree No. 540/2005 Coll., on the Quality of Electricity Supply and Related Services in the Electricity Sector |
| Distributor customer service | B C F |
up to 10 years after termination of contract, recordings 1 year | Act No. 458/2000 Coll., Energy Act Decree No. 16/2016 Coll., on Conditions of Connection to the Electricity Systém Decree No. 408/2015 Coll., on Electricity Market Rules Decree No. 540/2005 Coll., on Quality of Electricity Supply and Related Services in the Electricity Sector |
| Provision of service activities to authorised market participants in connection with electricity metering | B C F |
up to 10 years after the end of the contract | Decree No. 359/2020 Coll., on electricity metering Decree No. 408/2015 Coll., on Electricity Market Rules Decree No. 540/2005 Coll., on the quality of electricity supply and related services in the electricity sector Act No. 458/2000 Coll., Energy Act |
| Ensuring readings and transmission of data to authorised market participants in connection with electricity metering | B C |
up to 10 years after the end of the contract | Decree No. 359/2020 Coll., on electricity metering Decree No. 408/2015 Coll., on Electricity Market Rules Decree No. 540/2005 Coll., on the quality of electricity supply and related services in the electricity sector Act No. 458/2000 Coll., Energy Act |
| Securing measurement data Automated Meter Management - pilot project | F | up to 10 years after the end of the contract | |
| Ensuring detection, prevention and elimination of unauthorized consumption, prevention of distribution system losses, protection of property, provision of evidence | C F |
10 years after the end of the accounting period in which the invoice was issued or 5 years after the recovery of the debt, where the total period may not be less than 10 years after the invoice was issued | Act No. 458/2000 Coll., the Energy Act Decree No. 82/2011 Coll., on electricity metering and on the method of determining compensation for damages in the event of unauthorised consumption, unauthorised supply, unauthorised transmission or unauthorised distribution of electricity Decree No. 540/2005 Coll., on the quality of electricity supply and related services in the electricity sector Decree No. 359/2020 Coll., on electricity metering |
| Ensuring financial settlement of contractual relations | B C |
up to 11 years | Act No. 235/2004 Coll., on Value Added Tax Decree No. 70/2016 Coll., on billing for supplies and related services in energy sectors Act No. 458/2000 Coll., Energy Act Act No. 586/1992 Coll., on Income Taxes Act No. 563/1991 Coll., on Accounting Act No. 280/2009 Coll., Tax Code Act No. 89/2012 Coll., Civil Code |
| Ensuring the company's debt management processes in the out-of-court and court part | B C F |
10 years after the end of the legal recovery | Act No. 120/2001 Coll., Enforcement Code Act No. 141/1961 Coll., Criminal Code Act No. 262/2006 Coll., Labour Code Act No. 89/2012 Coll., Civil Code Act No. 99/1963 Coll., Civil Procedure Code |
| Customer satisfaction | B F |
up to 2 years | |
| Complaints, claims and other suggestions | B C |
5 years from the conclusion of the complaint | Decree No. 540/2005 Coll., on the quality of electricity supply and related services in the electricity sector Act No. 458/2000 Coll., Energy Act Act No. 89/2012 Coll., Civil Code |
| Ombudsman - resolving customer complaints | B F |
5 years from closure | |
| Public relations | A B F |
up to two years or for the duration of the consent | |
| Damage management | C F |
5 years from the conclusion of the case | Act No. 89/2012 Coll., Civil Code |
| Ensuring the processing of requirements to meet legislative and operational obligations (creation of forecasts, balances and technical analyses in the distribution system). | C | 10 years after termination of the contract | Act No. 458/2000 Coll., Energy Act Decree No. 408/2015 Coll., on Electricity Market Rules |
| Processing of the application for Consent for the activity and location of the construction in the protection zone of the distribution system equipment and the application for comments on the project documentation (for foreign constructions) | C | up to 10 years | Act No. 458/2000 Coll., Energy Act Act No. 183/2006 Coll., Building Act |
| Register of verified contractors - contractors and subcontractors of ČEZ Distribuce | B C |
up to 5 years after the end of the contract | Act No. 458/2000 Coll., the Energy Act Act No. 455/1991 Coll., the Trade Licensing Act Government Regulation No. 361/2007 Coll., laying down conditions for occupational health protection Government Regulation No. 378/2001 Coll., laying down more detailed requirements for the safe operation and use of machinery, technical equipment, devices and tools Government Regulation No. 362/2005 Coll., laying down more detailed requirements for occupational safety and health protection at workplaces with a risk of falling from height or to depth |
| Legal services | B C F |
For the duration of the legal dispute + 1 year; for the duration of the power of attorney/power of attorney, or up to 5 years | Act No. 340/2015 Coll., on the Register of Contracts |
| Records of trade secrets | F | 5 years | |
| Providing access to information and business resources | B | 11 years | |
| Conclusion of purchase and sales contracts | B C |
up to one year after the end of the contract and the expiry of the shredding period for that type of document | Act No. 89/2012 Coll., Civil Code Decree No. 16/2016 Coll., on conditions of connection to the electricity grid Decree No. 540/2005 Coll., on the quality of electricity supply and related services in the electricity sector |
| Registration and management of contracts | B C |
up to 10 years from the date of termination of the contract, or from the expiry of the guarantee period; in the case of court or similar proceedings, until their conclusion, or archival material - without a shrinking period (purchase contracts, easements....) | Act No. 458/2000 Coll., Energy Act Act No. 89/2012 Coll., Civil Code |
| Records of requirements related to the management of real estate assets (repairs, cleaning, servicing, maintenance, revisions, expert opinions, etc.) | B C |
5 years from the implementation of the request | Act No. 89/2012 Coll., Civil Code |
| Processing of cookies on the website | A C F |
processing on the user's device according to the type of cookie | Act No. 127/2005 Coll., on electronic communications |
| Advanced analytics and reporting | F | up to 10 years | |
| Recruitment and student programmes | A B F |
For the duration of the consent or up to 11 years | |
| Selection of staff for verification of mental/personal competence/qualifications | C F |
retention managed by ČEZ, a.s. | Decree No 79/2010 Coll., on dispatching control of the electricity system and transmission of data for dispatching control |
| Training of internal and external staff | C F |
usually for the duration of the employment relationship | Act No. 262/2006 Coll., Labour Code |
| Processing accounting documents, sending and receiving documents | C | 11 years from the end of the annual accounting period | Act No. 563/1991 Coll., on Accounting Act No. 280/2009 Coll., Tax Code |
| Postal and filing service | F | According to the shredding period of the relevant document | |
| National Platform Network Semaphore | C | up to 5 years | Act No. 458/2000 Coll., Energy Act |
| Direct marketing (offering products and services to customers) | C F |
for the duration of the contract | Act No. 480/2004 Coll., on Certain Information Society Services and on Amendments to Certain Acts |
| Conducting (marketing) research | B F |
up to 1 year | |
| Electromobility | B C |
11 years | Act No. 235/2004 Coll., on value added tax |
| Storage | C | 5 years from the issue of the document | Act No. 563/1991 Coll., on Accounting |
| Operation of the IT system for the Electric Power Data Centre | B C |
Controlled by the data controller | Act No. 458/2000 Coll., Energy Act |
| Intelligent measuring systems | C | up to 10 years after the end of the contract | Act No. 458/2000 Coll., Energy Act Decree No. 359/2020 Coll., on electricity metering |