PERSONAL DATA PROCESSING RULES

CETIN a.s. with registered office at Českomoravská 2510/16, Libeň, 190 00 Prague 9, reg. no.: 04084063, registered in the commercial register maintained by Prague City Court under file no. B 20623, (hereinafter “CETIN”), contact details: email: dpo@cetin.cz, tel.: +420 238 461 111, www.cetin.cz, issues the following personal data protection rules (hereinafter the “Rules”), based on Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation) (hereinafter “GDPR”).

The primary purpose of the Rules is to provide information about what personal data CETIN processes about individuals in the provision of its services,  when visiting the CETIN website and during contacts with potential customers, for what purposes and for what period of time it processes such personal data, to whom and for what reason it may pass them on as well as to provide information about the rights of persons with regard to the processing of their personal data.

A. Categories of personal data

Personal Data is any information relating to a natural person that is identified or identifiable in connection with CETIN’s business activities and services. This may include the following categories of personal data:

1. Basic personal identification data and address information

Such data are necessary in order to conclude and perform a contract. They include:

  • academic title
  • name and surname
  • company name
  • birth ID number; if not allocated, then date of birth
  • reg. no., tax reg. no.
  • permanent address
  • company address or place of business
  • invoice address
  • numbers of submitted identification documents and their copies (all data that are needed to provide a service are made illegible on the copies of the documents)
  • identification data of the customer’s representative or contact person designated by the customer
  • bill payer’s identification data
  • bank details
  • signature

2. Contact information

  • contact phone number
  • contact e-mail
  • social network addresses

3. Information about services used

  • type and specifications of the service provided
  • volume of services provided and their price
  • customer segment

4. Operational and location data

These data are processed for the purposes of data transmission through electronic communications networks, for their billing, for solving any discrepancies and complaints regarding services and for fulfilling CETIN’s legal obligations. They include:

  • the calling number
  • the called number
  • data link address (for example, IP address or URL address)
  • the date and time of the connection
  • IMEI terminal equipment
  • number of units provided
  • the duration of the connection
  • the number, name and location of the network endpoint
  • the type of internet access

5. Other data generated in connection with the provision of services

These data are generated when providing services that are not electronic communications services or when providing electronic communications services beyond the data needed for data transmission. Data generated by networks in the provision of electronic communications services beyond operational and location data are necessary for maintaining and improving the quality of networks and services provided, solving any technical problems, complaints about the quality of the service, etc.

6. Data from communication with customers

These data are generated during communication related to the provision of services between CETIN and the customer. These are records of personal communication with the customer in direct contact, written and electronic communication and records of telephone calls, chat and other similar communications, etc.

7. Processing data with your consent

The processing of such data is not necessary for the performance of the contract, CETIN’s legal obligations or the protection of its legitimate interests. However, it makes it possible to improve services and meet the interests and needs of customers in line with the development of IT technologies. These data are processed only if consent is given and may be processed for as long as the consent is valid. They include:

  • data obtained from market research (processed based on consent to the processing of personal data for marketing and business purposes)
  • data on the use of services, products, benefits and bonuses and type behaviour when using the services (also processed with consent)
  • contact information for someone who is not a CETIN customer (processed based on consent to being contacted for marketing purposes)
  • records of behaviour on the CETIN website obtained from cookies when they are enabled in a web browser (they are processed to improve the operation of the CETIN website, internet advertising, and when consenting to the processing of personal data for marketing and business purposes, these data are processed together with other personal information for the relevant purpose).

B. Purposes, legal reasons and duration of the processing of personal data

The extent of the processed data depends on the purpose of the processing. In CETIN terms, it is possible to process data for some purposes without the consent of the data subject, in particular based on a contract, for fulfilling CETIN’s legal obligations or if necessary for the legitimate interests of the controller or a third party; for other purposes processing is possible with the consent of the data subject.

1. Processing for the performance of the contract, the fulfilment of legal obligations and for legitimate reasons

Providing personal data necessary for the performance of the contract, the fulfilment of CETIN’s legal obligations and the protection of legitimate interests is mandatory. Without the provision of personal data for these purposes, it would not be possible to provide services. CETIN does not need the data subject’s consent for the processing of personal data for these purposes. Processing due to the performance of the contract and the fulfilment of legal obligations cannot be refused.

This applies mainly to the following basic purposes:

  • ensuring the operation and protection of electronic communications networks (contract performance)
  • providing electronic communications services, payment transactions, providing other services (contract performance)
  • billing for services (contract performance)
  • information on requests for statements on the existence of networks, opinions on project documentation under discussion, questions on the issued statements on the existence of networks (fulfilment of legal obligations)
  • compliance with statutory tax obligations (fulfilment of legal obligations)
  • purposes stipulated by special laws for the purpose of criminal proceedings and for fulfilling the duty of cooperation with the Czech Police and other state authorities (fulfilment of legal obligations)
  • data exchange between network operators and providers of electronic communications services to ensure interconnection and access to the network, for mutual billing (contract performance)
  • operation of CCTV and monitoring systems on CETIN premises for the purpose of damage prevention (CETIN’s legitimate interest)
  • evaluating the customer’s behaviour in using the services and his/her payment discipline for the purpose of preventing debts occurring, which may influence CETIN’s decision on the conditions of concluding further contracts with the customer, where the decision on whether or not to conclude another contract is not automated (CETIN’s legitimate interest)
  • recovery of outstanding debts from the customer and other customer disputes (legitimate interest)
  • recording and monitoring calls to the customer line (contract performance)
  • customer identification processes (contract performance)
  • providing evidence to assert CETIN rights (legitimate interest)
  • records of debtors (legitimate interest)
  • records of misuse of the electronic communications network and services (legitimate interest)
  • CETIN commercial communication (legitimate interest)
  • ensuring the possibility of auditing the entry of individual persons into an operationally important building in order to protect the property of the data centre administrator and customers (legitimate interest)
  • records of persons authorised to enter an operationally important building by means of a bloodstream scan. Protection of the property of the data centre administrator and customers. Ensuring appropriate levels of physical protection of the administrator’s central system and customers (legitimate interest).

Personal data are processed for these activities to the extent necessary to carry out these activities and for the time necessary to achieve them or for a period directly determined by legal regulations. The personal data are then deleted or anonymised. The basic periods for processing personal data are given below.

CETIN is entitled to process basic personal, identification, contact, service data and communication data with CETIN for customers with fulfilled obligations for a period of 3 years from the date of termination of the last contract.

If the negotiations between CETIN and a prospective customer were not completed with the conclusion of a contract, CETIN is entitled to process the provided personal data for a period of 3 months from the end of the negotiations.

Invoices issued by CETIN are archived for a period of 10 years from their date of issue [Section 35 of the VAT Act No. 235/2004 Coll.].

Customer contracts are archived for a period of 10 years from the date they are terminated in order to substantiate the legal right to invoicing.

CETIN processes the identification data from the customer’s identity card required in order to provide the service for a period of 10 years from the date the relevant contract is terminated [Section 16 of Act No. 253/2008 Coll., On Certain Measures against legitimisation of Proceeds of Crime and Financing of Terrorism]. In order to comply with this legal obligation, CETIN shall retain copies of the identity card with the necessary data in order to provide the service for the specified period; other data that is not necessary in order to provide the service is made illegible.

CETIN is required to store the service’s operational data until the end of the period during which the billing of the price or provision of the electronic communications service may be legally challenged by a complaint or a payment claimed [Section 90 (3) and (4) of the Electronic Communications Act No. 127/2005 Coll.]. For this purpose, CETIN processes operational data for a period of 3 to 6 months from when it is provided, unless longer periods are required [Section 64 (8) - (10) and Section 129 (3) of the Electronic Communications Act No. 127/2005 Coll.]. CETIN is also entitled to process the service’s operational data pending resolution of the dispute on the objection against the settlement of a complaint or until a debt can be legally enforced.

CETIN is required to store the operational and location data generated or processed in the provision of its public communications networks and in the provision of publicly available electronic communications services for 6 months, and to provide them on request and without delay to the criminal authorities, to the Czech Police for the purposes of an initiated search for a wanted or missing person, to identify an unknown person or to identity a corpse, to prevent or detect specific terrorist threats or to screen a protected person, to the Security Information Service for the purposes of and subject to conditions stipulated by special legislation, to the Military Intelligence for the purposes of and subject to conditions stipulated by special legislation and to the Czech National Bank for the purposes of and subject to conditions stipulated by special legislation [§ 97 of the Electronic Communications Act No. 127/2005 Coll.].

We may send commercial communications to our customers based on CETIN’s legitimate interest until they withdraw their consent or based on explicit consent to the processing of personal data for marketing and business purposes. The commercial communications sent also include a contact for refusing them.

2. Data processing with the consent of CETIN customers for marketing and business purposes

CETIN processes the customer’s personal data for marketing and business purposes with his/her consent. For the period since GDPR came into effect on 25 May 2018, CETIN obtains new consent for marketing and business purposes.

With this consent, CETIN processes personal data primarily to create a suitable offer of its products or services or third parties and with regard to contacting the customer, by phone, in writing (including billing supplements), by means of internet advertising and electronic communication via contact details or service numbers.

Providing consent for marketing and business purposes is voluntary and can be withdrawn at any time by the customer.

All categories of data listed in Section A of these Rules Policy may be processed for marketing and business purposes (except for signature and copies of identification documents), subject to the scope of the consent provided.

If the data subject withdraws his/her consent, this shall not affect the processing of his/her personal data by CETIN for other purposes and under other legal titles in accordance with these Rules.

3. Processing the data of subjects that have granted their consent to marketing via electronic contact

For data subjects that have given their consent to marketing via electronic contact, CETIN shall, with their consent, process the contacts provided by the subject for marketing purposes with the offer of CETIN services and products for the period specified in the consent. If this consent is granted via the CETIN website, CETIN cookies data are processed together with these contacts if the subject has cookies enabled in the web browser.

4. Processing cookies from the CETIN website

If the data subject has cookies enabled in his/her web browser [point 30 of GDPR], CETIN shall process records of his/her behaviour from the cookies placed on the CETIN website. This is done to improve the functionality of our website (for example, by distinguishing individual users, saving user preferences, etc.) to better understand how our visitors use the website, tools and services, or to improve the customer experience with our website the next time they visit it.

C. Sharing personal data with other controllers

In accordance with the granted consent to the processing of personal data for marketing purposes, CETIN is entitled in these cases to transfer the specified personal data to other controllers, companies:

  • 365internet s.r.o., reg. no.: 05111137,
  • AIRWAYNET a.s. reg. no.: 61058068,
  • AVONET, s.r.o., reg. no.: 25322478,
  • Český bezdrát s.r.o., reg. no.: 25902415,
  • DIGI CZ s.r.o., reg. no.: 046 68 529,
  • Eldata pražská s.r.o., reg. no.: 27447995,
  • FIXnet s.r.o. reg. no.: 26357739,
  • GiTy, a.s., reg. no.: 25302400,
  • GTT a.s., reg. no.: 63080605,
  • Nordic Telecom s.r.o., reg. no.: 04001281,
  • O2 Czech Republic a.s., reg. no.: 60193336,
  • Planet A, a.s., reg. no.: 00537012,
  • T-Mobile Czech Republic a.s., reg. no.: 64949681,
  • VIRIDIUM.CZ s.r.o., reg. no.: 27498506,
  • Vodafone Czech Republic a.s., reg. no.: 25788001, and
  • WIA spol. s r.o., reg. no.: 26703297.

D. Categories of recipient of personal data

CETIN uses the professional and specialised services of other entities in fulfilling its commitments and contractual obligations. When these suppliers process personal data transmitted to them by CETIN, they have the status of processors working only according to CETIN’s instructions. The processed personal data may not be used for other purposes. These include, in particular, IT systems management, internet advertising and sales representation. We carefully select each of our suppliers and enter into a personal data processing agreement with them that sets strict obligations to protect and safeguard personal data.

The processors are companies with a registered office in the Czech Republic, so with a registered office in a member state of the European Union or in a safe state. The transfer and processing of personal data in countries outside the European Union always takes place in accordance with applicable legislation.

CETIN may transmit personal data to the administrative authorities and authorities established by the applicable legislation as part of the fulfilment of the legal obligations imposed upon it.

E. Method of processing personal data

Personal data is processed by CETIN on its premises, in its branches and at the registered address of the controller by individual authorised employees of the controller, or by the processor.

Processing is carried out using computer technology, or also manually in the case of personal data in paper form, in compliance with all security principles for the management and processing of personal data.

For this purpose, the controller has taken technical and organisational measures to ensure the protection of personal data, in particular measures to prevent unauthorised or accidental access to, or the alteration, destruction or loss of personal data, unauthorised transmission, unauthorised processing and other misuse of personal data. All entities to whom personal data may be disclosed respect the right of data subjects to privacy and are required to comply with applicable data protection legislation.

F. Information on data subjects’ rights regarding the processing of personal data

A data subject that is an identifiable natural person and that proves his/her identity has the following rights:

1. Right of access to personal data

A data subject has the right of access to his/her personal data [Article 15 of GDPR], which includes the right to obtain from CETIN:

  • confirmation as to whether or not it is processing personal data,
  • information about
    • the purposes of the processing,
    • the categories of personal data concerned,
    • the recipients or categories of recipient to whom personal data have been or shall be disclosed,
    • the envisaged period for which the personal data shall be stored, and the criteria used to determine that period,
    • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing,
    • the right to lodge a complaint with the supervisory authority,
    • where the personal data are not collected from the subject data, any available information as to their source,
    • the existence of automated decision-making, including profiling, in connection with its use for decision-making if acts or decisions involving the interference with the Client’s rights and legitimate interests are carried out based on such processing,
    • appropriate safeguards during the transfer of data outside the EU,
  • a copy of personal data, unless the rights and freedoms of other persons are adversely affected. Upon repeated request, CETIN may charge a reasonable fee for making a copy of the personal data.

The right to confirmation of the processing of personal data and to information may be exercised on dpo@cetin.cz.

2. Right to rectification of inaccurate data

A data subject that discovers or believes that CETIN, as the controller or processor, or any other person who carries out for CETIN the processing of his/her personal data that is contrary to the protection of private and personal life or contrary to the law, may request clarification or rectification of personal data or for incomplete personal data to be completed [Article 16 of GDPR].

The Customer is required to notify CETIN of changes to his/her personal data to the contact address: dpo@cetin.cz, and to substantiate them. He/she is also required to cooperate if the processed personal data are inaccurate.

If the customer’s request is found to be justified, CETIN shall carry out the rectification without undue delay according to the particular technical options. If the request is not granted, the Client may contact the supervisory authority, while the right to contact the authority directly is not affected.

3. Right to erasure

The data subject has the right to the erasure of his/her personal data [Article 17 of GDPR], provided that legal conditions have been met, for example, the personal data are no longer needed in relation to the purposes for which they were collected or otherwise processed.

CETIN has mechanisms in place to ensure automatic anonymisation or erasure of personal data when they are no longer needed for the purpose for which they were processed.

If the data subject believes that his/her personal data have not been erased, he/she may write to dpo@cetin.cz.

4. Right to restriction of processing

Pending a decision on his/her suggestion, the data subject shall have the right to the restriction of processing [Article 18 of GDPR] if he/she disputes the accuracy of personal data, the reasons for their processing or if he/she objects to their processing.

5. Right to notification of rectification or erasure of personal data or restriction of processing

The data subject shall have the right to notification [Article 19 of GDPR] in case of rectification, erasure or restriction of processing of personal data. If rectification or erasure occurs, we shall inform the individual data recipients, unless this proves impossible or involves disproportionate effort. We can inform the data subject about these recipients if the data subject requests it on dpo@cetin.cz.

6. Right to data portability

The data subject has the right to obtain personal data [Article 20 of GDPR], the processing of which is carried out automatically and which has been provided to the controller in connection with a service contract or with his/her consent, and the right to transmit them to another controller.

If technically feasible, the data may be transmitted directly by the customer to the designated controller, provided that the person acting on behalf of such controller is duly identified and authorises such transfer.

Data shall be provided in a structured, commonly used and machine-readable format.

If exercising the right to portability of personal data could adversely affect the rights and freedoms of third parties, the request cannot be accepted.

7. Right to object to the processing of personal data

The data subject has the right to object at any time because of his/her particular situation [Article 21 of GDPR] to the processing of his/her personal data in the case of processing due to the legitimate interest of CETIN [Article 6 (1f) of GDPR].

Unless CETIN has a valid legitimate reason for the processing that outweighs the interests or rights and freedoms of the data subjects, CETIN shall terminate the processing without undue delay.

You can lodge an objection at dpo@cetin.cz.

8. Right to withdraw consent to the processing of personal data

Consent to the processing of personal data can be withdrawn at any time. A withdrawal must be made in an explicit, comprehensible and certain expression of will, at dpo@cetin.cz.

The consent to be contacted for marketing purposes granted for a specific electronic contact can be withdrawn at any time at dpo@cetin.cz.

The processing of cookies data can be prevented by setting the web browser on your computer.

9. Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which would produce legal effects concerning him/her or would similarly significantly affect him/her [Article 22 of GDPR].

CETIN states that it does not carry out automated decision-making without a human impact assessment of the legal effects for data subjects.

10. Right to contact the Office for Personal Data Protection

The data subject has the right to contact the supervisory authority, which is the Office for Personal Data Protection, at any time, see www.uoou.cz.

G. Data protection officer

Mr. Ľubomír Bubelíny has been appointed as data protection officer, tel.: +420 238 465 123, e-mail: dpo@cetin.cz.

H. Questions and information

The data subject can obtain answers to other questions about rights and obligations in the protection of personal data, explanations and current information in this area on the CETIN website www.cetin.cz, on the information line +420 238 461 111 or via e-mail at dpo@cetin.cz.