The principles for processing personal data for customers and users of the České Radiokomunikace Company services

Table of Contents

General provisions
Personal data controller
Representative for protection of personal data
Personal data categories
Purposes, legal basis for processing and periods for which personal data is processed
Sharing and disclosing personal data (to recipients of personal data)
Method of processing personal data and securing data
Information about the rights of data subjects
Updating the Principles for protection of personal data

<h2 id="gdpr-11. General provisions

These Principles for processing personal data of the České Radiokomunikace Company customers and users (hereinafter the “Principles for protection of personal data“ or also the “Principles“), provide information about the processing of personal data by the České Radiokomunikace a.s. Company, with registered office at Prague 6 – Břevnov, Skokanská 2117/1, postcode 16900, Company Registration Number 247 38 875 (hereinafter the “CRA“ or also “we“).

The Principles for protection of personal data apply to the processing of personal data of (i) customers and users of services and electronic communications networks provided according to Act No. 127/2005 Sb., on electronic communications, if this concerns natural persons, (ii) customers who are natural persons and contact persons or representatives of customers who are legal persons, during provision of all other services (serverhousing, cloud services, OTT services, IOT services and other CRA services), and (iii) parties interested in services and products offered by CRA (hereinafter “You“).

These Principles for protection of personal data provide information about the processing of your personal data and we inform you of your rights in relation to the processing of your personal data, how you can apply these rights and what we have done to help you apply them.

As a renowned provider of highly secure electronic communication and data centre services, we place great emphasis on protection of personal data and the transparency of the processing of this data. We therefore ask that you carefully read these Principles for protection of personal data, and if you have any questions, please contact the contact persons given in these Principles.

These Principles for protection of personal data are effective from 25 May 2018 and are issued in compliance with Regulation (EU) 2016/679 on protection of natural persons in relation to the processing of personal data (the “Regulation“ or “GDPR“).

The Principles for processing personal data may be modified in the future. The current Principles for protection of personal data are always given on the Company’s website at the following address: https://www.cra.cz/gdpr

The České Radiokomunikace a.s. Company, with registered office in Prague 6 – Břevnov, Skokanská 2117/1 postcode 169 00, registered in the Commercial Register administered by the Municipal Court in Prague, File No. B 16505, Company Reg No.: 24738875, is the controller of your personal data.

Company website: www.cra.cz

The CRA Company has appointed a representative for protection of personal data. The contact information of the representative for protection of personal data is:

telephone: +420 242 411 111
email: gdpr@cra.cz

Please be aware that the representative for protection of personal data may change in the future. You can always find the current representative for protection of personal data in the Principles for protection of personal data on the Company’s website by following this link: https://www.cra.cz/gdpr

Personal data is any information that applies to a natural person who the CRA Company is capable of identifying. In relation to provision of services, the CRA Company may process the following categories of personal data in particular:

4.1.1 Key personal identification data and address information

i. academic title

ii. name and surname

iii. company name

iv. birth registration number or date of birth

v. Company Registration Number, Tax Registration Number

vi. permanent address

vii. registered office or address of place of business

viii. invoicing address

ix. employer’s address

x. identification of the customer’s representative or the contact person the customer determines

xi. job position

xii. identification data of payers of accounts

xiii. banking information

xiv. signature

xv. name and surname, date of birth, permanent address, correspondence address, telephone, e-mail address, employer’s address.

4.1.2 Contact data

i. contact telephone number
ii. contact e-mail

4.1.3 Information about the services purchased, use of services, purchase of services and payment discipline

i. type and specification of provision of services or goods
ii. volume of the provided services and their price
iii. information about payment discipline
iv. credit rating

4.1.4 Operating and localisation data

Operating and localisation data is data processed for the requirements of transfer of messages through electronic communication networks, for billing these services (about telephone calls, data transfer, transferred messages and other services provided by CRA), settlement of potential disputes arising from the provided services and fulfilment of the statutory duties of CRA. This particularly concerns the following data:

i. calling number
ii. called number
iii. data connection address (e.g. IP address or URL address)
iv. date and time of the call
v. hardware address of the end device
vi. number of provided units
vii. duration of the connection
viii. number, name and location of the terminal network point
ix. type of access to the network

4.1.5 Other data generated in relation to provision of services

This data originates during provision of services that are not electronic communication services, or during provision of electronic communication services, in excess of the framework of data necessary for transfer of messages according to item 4.1.4 above.

The data generated by networks during provision of electronic communications services, in excess of the framework of operating and localisation costs, is essential for settling disputes concerning the quality of services, evaluating and increasing the quality of networks and services and maintenance of networks.

4.1.6 Data from communication between the CRA and the customer

This data originates during communication related to provision of services and goods by CRA, between the CRA Company and the customer or user of the network, possibly the customer’s contact person. This concerns records of personal communication with the customer and also written and electronic communication with the customer, including records of telephone calls (records are obtained on the basis of consent granted when the call begins), the history of communication using chat or video-chat applications (video-chat records are obtained on the basis of consent granted when the call begins).

In relation to data subjects who have granted their consent to the monitoring and recording of telephone calls with employees of the CRA Company or its contractual partners, this data may be monitored and recorded exclusively for the purpose of in-house inspection of the provided services, improving their quality and protection of the legitimate interests of the CRA Company.

Potential records of telephone calls will be backed-up for the essential period, for up to 5 (five) years after provision of services has ended or until the time the data subject withdraws its consent. In the event that the specific telephone call between the data subject and the CRA Company employees or its contractual partner is monitored and recorded, the data subject will always be informed of this fact in advance and will be permitted to refrain from granting its consent.

4.1.7 Camera recordings of the CRA’s premises

The CRA Company installs camera systems at the CRA’s premises for the purpose of protecting the company’s legitimate interests consisting of protection of property. The areas in which the cameras are located are always identified by warning signs. Information about the processing of personal data within the terms of camera recordings is available at the site the cameras are installed.

4.1.8 Data processed on the basis of consent

Processing of this data is not essential for performance of the contract between the customer and CRA, for performance of statutory duties or for protection of the legitimate interests of CRA, but processing of this data allows the CRA Company to improve services, focus on what customers are really interested in and to inform potential customers about offers that are suitable for them. This data is only processed in the event that consent is granted and may be processed throughout the duration of the validity specified in the granted consent. This particularly concerns:

i. data acquired on the basis of satisfaction surveys (these are processed in regard to customers purchasing CRA services, on the basis of consent to processing of personal data for marketing and business purposes);
ii. data about use of services, products, advantages and bonuses and standard behaviour during use of services (this data is processed in relation to customers purchasing CRA services, on the basis of consent to the processing of personal data for marketing and business purposes);
iii. contact data in the event that this does not concern CRA customers (this data is processed on the basis of consent to contact for marketing purposes).

The biometric data of customers (natural persons) or the employees of customers (legal persons) is also processed on the basis of consent, for the purpose of entry into secured areas, in which networks, equipment or other assets important for provision of CRA services are located.

All personal data is always processed on the grounds of the relevant legal basis according to the GDPR and in the scope essential for the purpose of processing this data. We give which personal data we process below, on the grounds of which legal basis, for what purpose and for what period.

5.1 Processing on the basis of performance of a contract, performance of duties stipulated by legal regulations and on the basis of the CRA’s legitimate interests.

The CRA Company services cannot be provided to customers and users without processing personal data for the purposes set out in items 5.1.1 and 5.1.2 of this document. CRA does not require your consent to process personal data for these purposes, because this data is processed on the basis of (i) performance of a contract with the customer, (ii) performance of duties arising from legal regulations and (iii) on the basis of the legitimate interests of CRA consisting of provision of services and protection of property, possibly the legitimate interests of the customer in relation to provision of high-quality services. The relevant legal basis is given for individual purposes.

In relation to the purposes set out below, CRA may process key personal identification data and address data according to item 4.1.1, contact data according to item 4.1.2, data about the purchased services, use of services, purchased services and payment discipline according to item 4.1.3, operating and localisation services according to item 4.1.4, other data generated in relation to provision of services according to item 4.1.5 and data from communication between CRA and the customer according to item 4.1.6.

5.1.1 Individual purposes for processing the personal data of customers and user of CRA services and networks, if this concerns natural persons, during provision of electronic communication services according to Act No. 127/2005 Sb., on electronic communications:

i. assurance of operation and protection of the electronic communications network (performance of a contract in relation to customers and for legitimate interests in relation to users who are not in a contractual relationship with the CRA Company)
ii. provision of electronic communications services, provision of other services (performance of a contract in relation to customers and for legitimate interests in relation to users, who are not in a contractual relationship with the CRA Company)
iii. billing services (performance of a contract in relation to customers and for legitimate interests in relation to users who are not in a contractual relationship with the CRA Company, e.g. telephone numbers and information about the accounts of individual users)
iv. exchange of data between operators of networks and providers of electronic communications networks, for assurance of interconnection and access to networks, for mutual billing (performance of a contract in relation to customers and for legitimate interests in relation to users who are not in a contractual relationship with the CRA Company)
v. storage of localisation and operating data and its provision to the authorised bodies, and also assurance of monitoring of messages at the request of authorised bodies according to Section 97 of Act No. 127/2005 Sb., on electronic communications (performance of duties stipulated by legal regulations), records of abuse of networks and electronic communications services (the legitimate interests of the CRA Company ).

Personal data is processed for these activities in the scope essential for realisation of these activities and for the period necessary to achieve these activities, or for the period directly stipulated by the legal regulations. The personal data is then deleted or anonymised.

5.1.2 Individual purposes for processing personal data of customers who are natural persons, personal data of users and personal data of the contact persons of customers who are legal persons, during provision of services other than electronic communications services (e.g. serverhousing, cloud services, OTT services IOT services and others):

i. identification of the customer and communication with the customer for the purpose of performance of a contract (performance of a contract in relation to customers and for legitimate interests in relation to the contact persons of customers)
ii. performance of statutory tax duties (performance of duties stipulated by the legal regulations)
iii. purposes stipulated by special laws, for the requirements of criminal proceedings and for performance of the duty of assistance of the Czech Police and other government bodies, (performance of the duties stipulated by the legal regulations)
iv. evaluation of the behaviour of customers during use of credit rating services and the payment discipline of customers for the purpose of preventing origin of receivables, which affect the decisions made by the CRA Company concerning conclusion of other contracts with the customer, whereas decisions about whether or not to conclude additional contracts do not take place by automated means (the CRA Company’s legitimate interests)
v. recovery of receivables against customers and other customer disputes (the CRA Company’s legitimate interests)
vi. assurance of evidence in cases when it is necessary to defend the CRA Company’s rights (the CRA Company’s legitimate interests).

5.1.3 Periods for which the personal data is processed

Personal data specified and processed on the grounds of a legal basis and for the purposes specified in this chapter 5.1, is processed by the CRA Company for the following periods:

i. In relation to customers purchasing CRA’s services, the company is authorised, in the event that these customers have fulfilled all their obligations towards it, to process in the customer database their key personal identification and address data, contact data, data about services and data about their communication with the CRA Company for a period of 4 years from the date the last contract with the CRA Company is terminated, or possibly for the arranged period concerning the statute of limitations applying to the rights of the CRA Company, which will not be longer than 10 years from the date the last contract with the CRA Company is terminated.
ii. In the case of purchase of goods from the CRA Company, the CRA Company is authorised to process key personal identification and address data, contact data, data about the goods and data from communication between the customer and the CRA Company for a period of 4 years from the date the warranty period for the goods elapses, or possibly for the period arranged in relation to the statute of limitations applying to the CRA Company’s rights, which will not be longer than 10 years from the date the last contract with the CRA Company is terminated,
iii. In the case of negotiations between the CRA Company and a potential customer in relation to conclusion of a contract, which do not culminate in conclusion of the contract, the CRA Company is authorised to process the provided personal data for a period of 24 months after termination of the relevant negotiations;
iv. Invoices issued by the CRA Company are archived for a period of 10 years from the date of issue in compliance with Section 35 of Act No. 235/2004 Sb., on value added taxes. Customer contracts are also archived for a period of 10 years from the date of termination of the contract, for the requirement of demonstrating the legal basis for issue of the invoices;
v. According to Section 90(3) and (4) of Act No. 127/2005 Sb., on electronic communications, the CRA Company is required to store operating data about services until the end of the period during which the bill of the price or provision of the electronic communications services can be contested by claim. For this purpose the CRA Company processes the service operating data for a period of 6 months from the time it was provided. The CRA Company is also authorised to process the service operating data until the time a dispute concerning an objection against settlement of a claim is judged or for the period during which a receivable can be legally recovered.
vi. According to Section 97(3) of Act No. 127/2005 Sb., on electronic communications, the CRA Company is required to keep operating and localisation data, which is created or processed during assurance of its public communications network and during provision of publically available electronic communications services, for a period of 6 months, and it is also required to immediately provide this data to subjects specified in Section 97(3) of Act No. 127/2005 Sb., on electronic communications.

5.2 Processing the data of CRA service customers with consent for marketing and business purposes

In relation to (a) a customer purchasing any CRA service, who is a natural person and (b) the contact persons and users of a customer purchasing any CRA service, who is a legal person, we process personal data for marketing and business purposes with the consent of this person. The scope of the processed data is given directly in the text of the consent, which the customer grants CRA.

With consent for marketing and business purposes, the CRA Company processes personal data primarily for creating suitable offers of CRA Company products and services, or those of third parties, and in relation to addressing the customer by telephone, in writing or by electronic communication, by means of the customer’s contact data or service numbers. This is why the CRA Company will also create and keep data about standard behaviour during use of CRA Company services and products and create and store anonymised analyses of behaviour during use of the CRA Company’s services and products about these customers or users who grant this consent. All these activities are essential for contacting customers with suitable marketing offers.

Provision of consent for marketing and business purposes is voluntary and the customer, contact person or user may withdraw this consent at any time. This consent remains valid throughout the duration of use of CRA products and services and for 3 years after the time it is granted, or until the data subject withdraws this consent. All categories of data set out under chapter 4 of this document may be processed for marketing and business purposes, for the period for which CRA is authorised to keep this data for the purpose of providing services, performance of statutory duties and protection of its legitimate interests.

5.3 Processing of the data of subjects who granted their consent to being contacted for marketing purposes

In relation to natural persons who are not a customer or a contact person of a customer and who have granted their consent to be contacted for marketing purposes, the CRA Company processes, with their consent, the contact data that the subject provides it for the purpose of contact for marketing purposes, with an offer of CRA services and products for the period specified in the consent. The scope of the processed data is given in the text of the consent that the customer grants CRA. If this consent is granted by means of a website operated by the CRA Company, data from the CRA Company’s cookies, which are located on the website on which this consent was granted, are also processed along with this contact data, only in cases when the subject permits cookies in its web browser.

5.4 Processing of the biometric data of customers or their contact persons with consent

The biometric data of customers or their contact persons is processed on the basis of consent, for the period specified in this consent, for the purpose of providing access to selected equipment or to selected buildings.

The CRA Company uses professional and specialised services provided by other subjects during performance of its obligations and duties arising from contract. If these suppliers process personal data provided by the CRA Company, they are in the position of processors, or possibly other processors of personal data and they process personal data only within the scope of instructions from the CRA Company and must not use this data otherwise. This particularly concerns recovery of owed receivables, the activities of experts, solicitors, auditors, IT system administrators, internet advertising or sales representation.

We carefully choose each such subject and conclude a contract to process personal data according to Article 28 of the GDPR with each such subject, in which the processor’s duties to protect and secure the personal data are strictly stipulated.

6.1 The personal data we compile by means of services is shared as follows:

6.1.1 Sharing with third parties.

We may disclose your personal data to the following recipients, who are in the position of processors of your personal data:

with our subsidiary companies from the CRA Group (a list is appended here);
with subjects administering our IT systems and providing IT services and telematics for the purpose of using in-house software;
with our other suppliers who have concluded a contract to process personal data with us, the list of processors is available here:

We may also disclose your personal data to the following recipients, who are in the position of independent controllers of your personal data:

to government bodies or other third parties, during performance of duties according to legal regulations.

6.1.2 Your personal data is protected even when it is transferred to a foreign country

Personal data is always transferred to and processed in countries outside the European Union in compliance with the valid legislation, particularly Articles 45 to 49 of the GDPR.

6.1.3 Guarantees

We have concluded contracts for processing personal data with processors of personal data (with the exception of cases when conclusion of such contracts is not obligatory, for instance when submitting personal data to government bodies), who guarantee at the least the same level of protection as these Principles for protection of personal data. We have also concluded a legal action with processors outside the European Union, if this is required by Articles 45 to 49 of the GDPR.

The CRA Company processes personal data manually and using automated means. The CRA Company keeps records of all activities, manual and automated, during which personal data is processed.

We implement appropriate security measures (particularly technical and organisational) in order to protect your personal data against any accidental loss, destruction, abuse, damage and unauthorised or illegal access. The implemented technical and organisational measures for securing personal data are described in the contractual documentation to individual products provided by the CRA Company.

However, we inform you that it is not possible to guarantee 100% security in relation to any transfer of data by means of the internet or technologies for storing data.

According to the Regulation, each data subject, i.e. each natural person, has the following rights. The data subject is authorised to apply these rights against the CRA under the condition that it proves its identity to the CRA.

If you wish to apply these rights and/or obtain the relevant information, please contact us by means of the GDPR form, which is available at www.cra.cz:

During application of your request you will be asked to provide some identification information on the basis of which we are capable of identifying you. Provision of such data is essential for verification whether the relevant request was sent by you and whether we are capable of identifying you on the basis of the information you provide. We will respond to your query within one month after receiving your request at the latest, whereas we reserve the right to extend this time limit by two months according to Article 12 of the GDPR.

8.1 The right to access to personal data

In compliance with Article 15 of the Regulation, the data subject is entitled to demand access to its personal data, which we process as the Controller of the personal data. This right includes the right to obtain the following from the company:

If the data subject makes unjustified or unreasonable requests (e.g. unreasonable repetition), the CRA Company is entitled to charge the appropriate fee for a copy of the personal data, to cover the expended administrative costs, or to refuse to satisfy the request.

8.2 The right to correction of inaccurate data

According to Article 16 of the Regulation the data subject is entitled to correct inaccurate personal data, which the CRA Company processes about this data subject.

We implement the appropriate measures to assure that you are able to keep your personal data accurate and current. You may always contact us to query whether we are still processing your personal data.

If you find that your personal data, which we process, is inaccurate or incomplete and you are not capable of updating your personal data according to this Article 8.2, you may ask us to update your personal data. We will verify your identity and update your personal data.

8.3 The right to deletion of personal data

According to Article 17 of the Regulation, the data subject is entitled to have its personal data deleted. The CRA Company is not required to delete personal data if there are legitimate reasons for processing this personal data.

You may request that we delete your personal data at any time. If you contact us with such a request, we will immediately delete all the personal data that we have concerning you, if we do not need your personal data (e.g. to provide services, perform a contract, etc.). We will also delete (and assure deletion by our authorised processors) of all your personal data in the event that you withdraw your consent or if this is required by the law.

8.4 The right to withdraw your consent to processing of your personal data

You may withdraw the consent you granted at any time without a reason being required. Please contact the data Controller or the representative responsible for protection of personal data using the contact information given in the consent, in chapter 3 or chapter 8.

Please be aware that withdrawal of your consent has no effect on the legality of any processing performed on the basis of your previously granted consent.

8.5 The right to restrict processing

According to Article 18 of the Article, the data subject is entitled to demand that the data Controller restrict processing of its personal data. This right to restrict processing only applies in the specified cases, which are:

If you ask us to restrict processing of your personal data, e.g. in cases when you doubt the accuracy, legality or our need to process your personal data, we will restrict processing of your personal data to the essential minimum (storage) and will potentially only process it for determination, execution or defence of legal claims, or for reasons of protection of the rights of another natural or legal person, or for other limited reasons prescribed by the valid legal regulations. If this restriction is cancelled and we continue processing your personal data, we will immediately inform you of fact.

8.6 Notification of correction, deletion or restriction of processing

According to Article 19 of the Regulation, the Controller notifies all recipients, to whom the personal data was disclosed, of all corrections, deletions or restrictions to the processing of data.

If a correction or deletion is made or processing of data is restricted, the CRA Company will notify the individual recipients, with the exception of cases when this is shown to be impossible or requires unreasonable effort. We will provide you with information about these recipients if you require.

8.7 The right to transferability of data

According to Article 20 of the Regulation the data subject is entitled to acquire its personal data, which it provided to the Controller, in a structured, normally used and machine readable format, and is entitled to demand that the CRA Company pass this data on to another Controller. The data subject may only apply this right in the specified cases. Personal data is processed automatically and this is simultaneously based on:

a. the data subject’s consent according to Article 6(1) of the Regulation or, in cases of sensitive data, on the consent granted in compliance with Article 9(2) letter a) of the Regulation, or
b. performance of ta contract, to which the data subject is a contracting party according to Article 6(1) letter b) of the Regulation.

If you require we will send your personal data to a third party (another data controller), who you specify in your request, if such a request has no negative impact on the rights and freedoms of other persons, and if it is technical possible.

8.8 The right to raise objections against the processing of personal data

According to Article 21 of the Regulation the data subject is entitled to raise an objection again the processing of its personal data, which the CRA Company processes, for reasons of legitimate interest.

If it is not demonstrated that there is a serious justified reason for processing, which has precedence over the interests or rights and freedoms of the data subject, the CRA Company will terminate processing of the affected personal data on the basis of an objection without undue delay.

8.9 Complaints to the Personal Data Protection Office

Your are entitled to submit a complaint concerning our processing of data to the Personal Data Protection Office, Pplk. Sochora 27, 170 00 Prague 7, Website: www.uoou.cz.

We may regularly modify or update the Principles for protection of personal data. Any changes to these Principles for protection of personal data come into effect after the updated Principles for protection of personal data are published on the company’s website at the following address: https://www.cra.cz/gdpr.