Information on personal data processing and protection

INFORMATION ON THE PROCESSING AND PROTECTION OF PERSONAL DATA

The ČEPS, a.s. Company, residing at Prague 10, Elektrárenská 774/2, postal code 101 52, Company ID: 257 02 556, registered in the commercial register kept by the municipal court
in Prague, file number B 5597 (hereinafter referred to as the “Administrator”), hereby notifies you about the processing of personal data of third parties – in particular, contractors of
the Administrator and their governing body members and employees including governing body members and employees of their subsidiaries, as well as all other individuals otherwise related to the Administrator, who for the purposes given below shall transmit their personal information to the Administrator (hereinafter referred to as “Data Subjects”), – specifically about the extent and the purpose of processing the personal data, who and how processes the personal data and to whom the personal data may be made available, as well as on the right of access to
the personal data, the right to correction, the right to explanation and other related rights of Data Subjects.

1. THE SCOPE AND PURPOSE OF PERSONAL DATA PROCESSING

      • The Administrator obtains from Data Subjects their address, identification and descriptive personal information for the following purposes and in the following scope:

a) Use of the ČEPS catering facility, to the following extent: first name, last name, title, personal number of the Data Subject;

b) Promotion and advertising, if it involves the processing of personal data of third-party employees who play their role in securing safe and reliable operation, maintenance, and construction of the transmission system, for the purpose of promotion and advertising of ČEPS in print and electronic media, to the following extent: first name, last name, title, an ID photo;

c) Control of access to the ČEPS premises to protect the ČEPS property, to the following extent: first name, last name, title, personal number, an ID photo of the Data Subject, a digital template generated from the hand imprint, which does not allow biometric reconstruction of the imprint [1];

d) Record of telephone communication (telephone conversations) with the staff of the control room and technical surveillance centers of ČEPS for the purposes of archiving of operational, dispatching and other instructions and the obtained information essential for securing safe and reliable operation of the Czech transmission system, as well as other transmission systems of the synchronously interconnected area Continental Europe, to the following extent: a voice recording of the call made to a telephone landline of the Administrator's control center and technical surveillance centers;

e) Video surveillance system - ensuring of the physical protection and security of persons and property of ČEPS and documentation of the status of selected transmission system equipment in order to clarify the causes leading to a state of emergency or a state preceding the state of emergency pursuant to the Energy Act, to the following extent: visual recording of persons moving within the premises;

f) Improvement of the internal and external communication – communication with third-party employees who are involved in securing safe and reliable operation and maintenance of
the transmission system (e.g. the personal data processed in the system of crisis communication, emergency plan, telephone books and other ČEPS lists of contacts)
, to
the following extent: first name, last name, title, an ID photo, phone number and e-mail address, job position;

g) Record of delivered packages - processing of personal data of persons (senders, couriers) for the purpose of physical protection and security of persons and property in connection with
the delivery of letters, parcels or other mailings to the ČEPS premises
, to the following extent: first name, last name, personal ID number;

h) Donation Program - processing of personal data of persons who have applied for a donation under the ČEPS donation program and persons whose applications for a donation under
the ČEPS donation program have been approved
, to the following extent: first name, last name, postal address, e-mail address, bank account number and bank name;

i) e-Utility report - processing of personal data of applicants for information about the ČEPS technical infrastructure and for the response of the owner of the technical infrastructure, for
the purposes of processing such applications
, to the following extent: first name, last name, postal address, e-mail address, mobile phone number, phone number, fax number;

j) Record of property, services, and other performances - processing of personal data of persons who use services, property, or other performances provided by ČEPS, or who are in any way involved in the acquisition or disposal of these performances of ČEPS, for the purpose of control and registration of use of these services, property, or other performances as well as for the purpose of ensuring the fulfilment of legal obligations, damage compensations, or other rights of ČEPS, to the following extent: first name, last name, title, username, telephone number, e-mail address, date of birth, residential address, GPS information about the location of the vehicle owned by ČEPS, a.s., a copy of the driving license, an operational data communication log,
a log of visited IP addresses, IMEI of the device, MAC address of the device, IP address of
the device [2];

[1] only the selected workplaces (e.g. control center) and persons accessing the workplace regularly 

[2] in particular, the data provided in the information system Operational Documentation, use of guest wireless network connections, the data provided in the context of contracting between ČEPS and an employer or customer of the Data Subject, etc.

2. WAYS AND MEANS OF THE PROCESSING

  • The Administrator collects and processes personal data collected from Data Subjects mainly through forms of the Administrator or agreements with Data Subjects or their employers. The Administrator collects and processes personal data collected from Data Subjects on
    the basis of their given consent and a particular processing instance.

a) Provision of the personal data referred to in Chapter 1, item (d) to the Administrators is mandatory, as it is necessary for the fulfilment of the obligations of the Administrator pursuant to Act No. 458/2000 Coll., on Business Conditions and Public Administration in the Energy Sectors and on Amendments to Other Laws (the “Energy Act”), as amended, specifically § 8 of
the Decree No. 79/2010 Coll. on Dispatch Control of the Power System and the Transmission of Data for Dispatch Control Purposes, as amended. Phone lines of the control center are not public — for security reasons, their numbers are disclosed only to authorized employees of
the contractors, whose job is to follow the dispatchers’ instructions. Failure to provide such data would make it impossible to perform the essential obligations of the Administrator as
a transmission system operator and, therefore, the provision of such data is a necessary condition for the proper performance of the Administrator’s licensed activity. This personal data is processed during the period of the Administrator’s duty to archive or document the obligations resulting from the above regulations.

b) Provision of the personal data referred to in Chapter 1, point (a), (c), (e), (g), (h), (i), (j) is necessary to ensure the security of the transmission system and the protection of rights and legitimate interests of the Administrator in the ordinary conduct of its activities, while fully respecting the right of Data Subjects to the protection of private and personal life. Provision of such data is mandatory (without the consent of Data Subjects). Failure to provide such data would lead to the breach of contractual obligations by the Data Subjects, prohibition of their entry into the Administrator’s premises, factual impossibility to deal with the emergency status, inability to provide the applicant with the information necessary for the design and implementation of the applicant’s projects or disruption of the safe and reliable operation of
the Czech transmission system. The mentioned personal data is stored for a period of validity of a written agreement (including the claim period) concluded between the Administrator or
the persons with whom it forms a group for one part and the company, organization or state authority whose employee, statutory body, subcontractor or a subcontractor’s employee is
a Data Subject, for the other part. In case of doubt or if there is no written agreement made with the Data Subject or with a person who is the employer or customer of the Data Subject,
the personal data are processed during a maximum period set out in the public registry of
the personal data processing on the website of the Office for Personal Data Protection (http://www.uoou.cz) for the relevant purpose of personal data processing by the Administrator. 

c) Provision of the personal data referred to in Chapter 1, point (b), (f) is voluntary and it is carried out with the consent of the Data Subject. The purpose of the processing of such data is in the case of purpose (g) to provide a safe wireless Internet access in the Administrator’s premises for devices in the possession of the Data Subjects and in the case of purpose (h) to provide discounted meals in the cafeteria for former employees of the Administrator receiving
a retirement pension. In the case of withholding or withdrawal of consent, these services cannot be provided.

  • The personal data referred to in Chapter 1 are processed in both paper and electronic formats for manual and automatic processing. The personal data is stored in electronic form in an electronic database of the Administrator, specifically on hard disks of the servers located in the premises of the Administrator and it is treated with professional care, while respecting common ICT security policies; the data is protected against unauthorized access both from the outside and by an employee who is not authorized to perform any of
    the above activities using the mentioned data. The personal data referred to in Chapter 1 item (c) are processed in paper format by storing in a folder kept by the staff of
    the respective premises’ reception.
  • The Administrator has adopted and implemented technical and organizational measures preventing the unauthorized or inadvertent access to personal data, their alteration, destruction or loss, unauthorized transfer or other unauthorized processing or misuse.
  • In the area of automated processing, the Administrator has adopted measures to ensure that systems for the automated processing of personal data are used only by the authorized persons and that these persons have access only to the personal data corresponding to their permission level (through the user permission settings and passwords).
    The Administrator also ensured the possibility to make electronic records allowing for verification who, when, and for what reason processed the personal data.

 

3. TRANSFER AND DISCLOSURE OF PERSONAL DATA

  • The personal data is collected and processed by the Administrator and the following processors:

a) SECURITAS ČR, s.r.o., residing at Prague 9, Pod Pekárnami 878/2, Company ID 43872026;
b) EBIS, s.r.o., residing at Brno, Křižíkova 2962/70a, Company ID 45477388;
c) N-GASTRO CZ, a.s., residing at Prague 4, 5. května 1640/65, Company ID 25754572;
d) HRDLIČKA spol. s r.o., se sídlem Tetín, nám. 9. května 45, IČO 18601227;
e) TTC MARCONI s. r. o., se sídlem Praha 10, Třebohostická 987/5, IČO 48591254;
f) COM PLUS CZ a.s., se sídlem Praha 9, Nad Krocínkou 317/48, IČO 25772104.

  • The personal data will only be disclosed to competent employees of the Administrator or
    the above processors who are required to maintain the confidentiality of the personal data and the measures for their protection. The employees are entitled to treat the personal data based only on specific instructions from the Administrator. The confidentiality obligation shall survive termination of the employment of the employees of the Administrator, recipient, and the above processors.

 

4. RIGHT TO INFORMATION

  • A Data Subject has the right to request from the Administrator information regarding
    the processing of their personal data by contacting the Administrator at bilek@ceps.cz.
    The content of this information is always a communication on:

a) the purpose of the processing of personal data,
b) the personal data or categories of personal data which are being processed, including any available information as to their source,
c) the nature of automated processing in the context of its use for decision-making, provided that the processed data acts as the basis for operations or decisions interfering with the rights and legitimate interests of Data Subjects,
d) recipients or categories of recipients.

  • For providing this information, the Administrator has the right to demand adequate compensation not exceeding the necessary costs of providing the information.

 

5. RIGHT TO CORRECTION

  • In the case the Data Subject finds or believes that the Administrator or processor processes the personal data in conflict with the protection of private and personal life of the Data Subject or the law, in particular if the personal data is inaccurate with regard to the purpose of their processing, the Data Subject is entitled to:

a) ask the Administrator or processor for an explanation,
b) require the Administrator to remedy this condition, in particular by means of blocking, correction, completion or removal of the personal data.

  • If the request of the Data Subject is found to be justified, the Administrator or the processor shall remedy the defective condition immediately. If the Administrator fails to comply with
    the request of the Data Subject, the Data Subject has the right to apply directly to the Office for Personal Data Protection.