Privacy Policy

The protection of personal data of natural persons in ČD - Telematika a.s., ID No: 61459445, headquarters: Pernerova 2819/2a, Prague 3, Post Code 13000, (hereinafter as the “Controller”, “ČD - Telematika”), is provided in compliance with the law of the Czech Republic, specifically Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”) and Act No 110/2019 Coll., on the protection of personal data, as amended (hereinafter referred to as “Personal Data Protection Act”), or other regulations governing this matter. With this document, we would like to provide the necessary information on the protection of personal data in accordance with the above-mentioned legal regulations.

What is personal data and who handles it?

ČD - Telematika handles the personal data of its customers and suppliers, including you. In this document we will explain what personal data is, what personal data we collect about you, for what purpose, how we use it, what we do to keep it safe and what rights you can exercise against us in relation to personal data.

Your personal data is any information by which you can be identified, whether this can be done by a single piece of information or indirectly by other information and data. Your personal data includes, for example, your name and surname, your likeness, residence, birth number, but also your IP address, identity card number and more.

This document ensures compliance with the information obligation of ČD - Telematika pursuant to Articles 13 and 14 and in accordance with Article 12 of the GDPR.

Definition of basic terms

Personal data: any information about an identified or identifiable natural person, i.e. you. An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

Data subject: any natural person to whom the personal data relates.

Controller: the entity which determines the purpose and means of processing personal data, carries out the processing and is responsible for it.

Processor: an entity that processes personal data on the basis of a specific law or on the basis of a mandate from the controller.

Recipient: any entity to which the personal data is disclosed; the recipient is not considered to be the entity that processes the personal data.

Processing of personal data: any operation or set of operations which the controller or processor carries out on personal data or on sets of personal data, whether or not by automated means; processing of personal data means, in particular, the collection, storage on a storage medium, disclosure, adaptation or alteration, retrieval, use, transmission, dissemination, disclosure, storage, exchange, classification or combination, blocking and disposal.

 

ČD - Telematika as a personal data controller

Within the meaning of Article 4(7) of the GDPR, ČD - Telematika is the controller of the personal data of its customers and suppliers. This means that it is our company that determines what personal data we will process, i.e. collect, store or use it or otherwise deal with it, by what means and for what reasons, within the meaning of processing pursuant to Article 4(2) of the GDPR.

We can assure you that we place great importance on the protection of your personal data.

You are entitled to contact our company in relation to your personal data and the rights you are entitled to in order to exercise these rights. Article 10 describes how you can do this.

Categories of personal data processed or what personal data do we process and to what extent?

Even without your consent

  1. Identification data - personal data used to uniquely and unmistakably identify you, especially your name, surname, title, birth number, date of birth, address of residence, signature.
  2. Contact details - data enabling us to contact you, in particular telephone number, e-mail address, contact address.
  3. In the case of suppliers and business partners, we also process data on the history of business cooperation, purchases and payments, payment behaviour, data on services and products provided and payment data, bank details, etc.
  4. Data from communication between the customer and ČD-Telematika, data from communication between the supplier and ČD-Telematika, data related to the negotiation and performance of contracts for the provision of services (or sale of goods).
  5. CCTV footage.
  6. Data collected about devices in connection with the use of web services and applications - we use Google Analytics technology to collect and store information when you use our website.
  7. Data on the use of your legal rights and records of their exercise against ČD - Telematika.
  8. Other data, the processing of which is imposed on ČD - Telematika by a legal regulation of the Czech Republic or the European Union.

With your consent

With your consent, ČD - Telematika may also process other personal data than those mentioned above. In such cases, the exact scope of the personal data processed is specified in the consent you have signed/given. You can withdraw this consent at any time (see Right to withdraw consent below).

Purpose and legal basis for processing personal data

In accordance with the applicable legislation, your personal data is processed only to the extent necessary to achieve and fulfil the predetermined purpose of processing. Each processing takes place pursuant to an identified legal basis.

Even without your consent

  1. Provision of services on the basis of a concluded contract of cooperation or provision of services between you and ČD - Telematika, i.e. in particular for the purposes of concluding the contract, managing the mutual contractual relationship and communicating with you. In this case, the legal basis that allows us to process your personal data is that the processing of your personal data is necessary for the purposes of concluding or performing a contract with you. This purpose and legal ground for processing also applies to the preparation of the contract and the negotiation of the terms of the contract.
  2. For the purposes of fulfilling our legal obligations (e.g. the Accounting Act, the Tax Code, the Labour Code, the VAT Act, the Records and Archive Service Act, the Consumer Protection Act). We are required by law to process some of your personal data in order to be able to comply with our legal obligations. In such a case, the processing of your personal data is necessary to comply with a legal obligation to which ČD - Telematika is subject.
  3. For the purpose of meeting the requirements of supervisory and other state authorities and fulfilling legal obligations arising from special legislation. In such a case, the processing of your personal data is necessary for the fulfilment of a legal obligation to which ČD - Telematika is subject.
  4. For the purpose of protecting our legitimate interests, i.e. in particular for the purpose of assessing, exercising and enforcing our legal claims, protecting the rights, property or safety of ČD-Telematika and its employees, ČD-Telematika's customers or other persons (including, but not limited to, the purpose of the camera system). In this case, the legal basis that allows us to process your personal data is that the processing of your personal data is necessary for the purposes of our legitimate interests as a data controller.

With your consent

For such other purposes as you have agreed. The other purpose is always described in detail in the written text of the consent to processing and you can familiarize yourself with it before signing/granting consent. You can withdraw your consent at any time.

Related processing purposes (without consent)

In some cases, ČD-Telematika may process personal data for a purpose other than the purpose for which the personal data was collected. This is particularly the case if we collect your data for the purpose of performing a contract or providing a service and 

  • the legal regulation subsequently imposes on us how long we have to keep the data (e.g. according to the Accounting Act we have to keep invoices for the price of products or services provided for 10 years, even if we no longer need the data for the purposes of contract performance) - the legal basis is the compliance with a legal obligation by ČD - Telematika;
  • a dispute subsequently arises and ČD - Telematika must enforce its legal claims or defend its rights - the legal basis for processing for this related purpose is the necessity for the legitimate interests of ČD - Telematika.

How do we protect your personal data?

In accordance with the applicable legislation, ČD-Telematika secures the personal data it handles using all appropriate technical and organisational measures to ensure the highest possible level of protection, taking into account the nature, scope and purposes of the processing and the likely risks. We have security and control mechanisms in place in an effort to prevent unauthorized access or transmission of data, its loss, destruction or other possible misuse.

Our employees are bound by a duty of confidentiality. If we transfer data to third parties, these parties are also bound by a legal or contractual obligation of confidentiality.

Processors and recipients or who do we transfer your personal data to?

In addition to ČD-Telematika and its employees, personal data may also be processed by ČD-Telematika processors for the purposes described above and to ensure the proper provision of services and products by ČD-Telematika in the provision of its services and the fulfilment of its contractual obligations, on the basis of personal data processing contracts concluded in accordance with the GDPR and the Personal Data Protection Act, where such processors are providers of professional and specialised services, e.g. providers of non-cash payments, IT services, accountants, auditors and other entities that provide their services to us. Insofar as these entities process your personal data provided to them by ČD-Telematika, they have the status of personal data processors and process it only within the framework of our instructions and cannot use it otherwise. At the same time, ČD - Telematika requires the same technical and organisational security of personal data from personal data processors that it itself guarantees and carefully selects these entities.

As of the effective date of this Policy, ČD - Telematika records the following personal data processors:

  • WDF, s.r.o., ID No: 24836974 and ČD – Informační Systémy, a.s., ID No: 248 29 871, for the purpose of ensuring the operation of the service;
  • Possible other processors; we will be happy to inform you of the specific processor for the purpose of processing your personal data, if any.

ČD - Telematika informs you that personal data may be transferred to third parties who have the legal authority to require the transfer of the personal data in question, as well as to the following parties, upon a lawful request:

  1. to state authorities and other institutions in the performance of their legal duties, in particular to state administration authorities, supervisory authorities, law enforcement authorities, courts, bailiffs, notaries, insolvency administrators, or other entities in cases where ČD-Telematika is required to do so by law;
  2. to our business partners - if we instruct someone else to carry out an activity that forms part of our services, the transfer of personal data may be necessary. Such entities themselves become the controller of your personal data (in particular the carrier or Česká pošta, s. p.);
  3. processors who provide services to us in connection with the performance of legal and contractual rights and obligations;
  4. to other entities, if it is necessary to protect the rights and interests of ČD - Telematika, we transfer personal data to other persons (e.g. legal counsel, insurance companies or insurance brokers, banks, courts, bailiffs, auctioneers) to the extent necessary to successfully assert a claim or defend our rights;
  5. with your consent or on your instructions, your personal data may be disclosed to other entities.

Your personal data will not be transferred to countries outside the EU. The processor and its computer technology (servers, clouds, etc.) are located in EU countries.

Duration of processing and storage of personal data

We process and retain your personal data for as long as it is necessary to fulfil the purpose for which it was collected or a related other purpose or as long as you wish to resolve your enquiry. Once it is no longer necessary for us to retain your personal data, we will dispose of it securely in accordance with our data retention and deletion policy.

In most cases, the law directly stipulates how long certain personal data must be processed. Unless a specific period of time for which personal data must be processed is directly stipulated by law, we assume that the purpose of the processing continues, and we will therefore process personal data for the period during which there is a risk of legal claims against our company (usually a 10-year limitation period) and for one calendar year after the termination of all impending legal claims (usually 11 years after the termination of the contractual relationship).  In other cases, the time limits are regulated in the Filing and Shredding Rules.

The camera footage is kept for several days or weeks, depending on how often and regularly the location is visited to detect a harmful event or how much risk the location poses to our company. If an event is recorded that should serve as evidence for our company, the record will be kept longer.

If we process personal data on the basis of your consent, we will process it for the period specified in the consent or until the consent is withdrawn.

Your rights

ČD - Telematika informs you that the GDPR, in addition to the above-described right to withdraw your consent to the processing of personal data at any time, guarantees you other rights, namely:

  • Right to information and explanation

ČD - Telematika is obliged to provide you with the information contained in this document in a concise, transparent and comprehensible manner. If any provision of this policy is unclear or not fully understood by you, please do not hesitate to contact us, preferably our DPO.

  • Right of access to personal data (Article 15 GDPR)

You have the right to obtain confirmation from our company as to whether or not your personal data is processed by our company, as well as to be provided with copies of your personal data and to be informed of the details of its processing. If your personal data is processed, you have the right to access and be informed about this personal data to the extent provided for in Article 17 of the GDPR.

If your personal data is processed, you have the right to be provided with one copy of the personal data processed.

  • Right to rectification or completion of personal data (Article 16 GDPR)

If you believe that we are processing inaccurate data about you, you have the right to notify us and request a correction. If you believe that we are processing incomplete data about you, you can request that we complete the data.

  • Right to erasure of personal data - the so-called "right to be forgotten" (Article 17 GDPR)

If any of the following conditions are met, you have the right to request that we delete the personal data relating to you:

  1. your personal data is no longer necessary for the purposes for which it was processed and there is no other legal basis for further processing,
  2. we processed your personal data on the basis of your consent, which has been withdrawn, and there is no other legal basis for further processing,
  3. where your personal data has been processed on the basis of a legitimate interest of our company, you have objected to the processing and our company has assessed that the legitimate interest of our company does not outweigh your interest in terminating the processing,
  4. your personal data has been unlawfully processed,
  5. we will be legally obliged to erase your personal data.

Please note that in certain situations you do not have the right to erasure, as there may be reasons why the processing of personal data may continue. In particular, this may be the case where the personal data is necessary for the exercise of the right to freedom of expression and information, for the performance of our legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority, for reasons of public interest in the field of public health, for archiving purposes in the public interest, for scientific or historical research, for statistical purposes, or for the purpose of teaching, exercising or defending legal claims.

  • Right to restriction of processing (Article 18 GDPR)

If at least one of the conditions under Article 18 of the GDPR is met, you have the right to have us restrict the processing of your data.

In the event that you legitimately exercise this right, your personal data concerned will be marked (e.g. temporarily removed from the website, made inaccessible, etc.) in order to limit its processing in the future. Our company will not be entitled to process it further, except in situations where you give your consent, and we will be entitled to continue to process it for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person, or for an important public interest of the EU or one of its Member States. Once the reasons for the restriction of processing no longer apply, our company will immediately lift the restriction, of which you will be informed in advance.

  • The right to be informed about the rectification, erasure or restriction of the processing of personal data (Article 19 GDPR)

If your personal data has been provided to another natural or legal person, public authority or other entity, our company is obliged to notify these entities of any corrections, erasure and limitations that have occurred. Therefore, if you exercise any of these rights, our company will be obliged to inform these entities of the action taken (for example, correction or erasure of your personal data). Our company is obliged to act to this effect without you having to expressly exercise this right.

  • Right to data portability (Article 20 GDPR)

You have the right to "take" your personal data from us to another data controller. All personal data that we process automatically, on the basis of your consent or the performance of a contract, can be transferred in this way. We will make all data available to you or the new administrator in a structured, commonly used and machine-readable format. However, it is up to your new controller to complete the process of transferring the personal data and to have the technical equipment to read and handle the transferred personal data. We may also transfer your personal data only to you.

  • Right to object (Article 21 GDPR)

If we process personal data for the purposes of the legitimate interests of ČD-Telematika or a third party, you have the right to object to such processing in cases where your specific situation justifies it, i.e. in cases where the processing itself is permissible but there are specific reasons on your side why you do not want the processing to take place.

If you object to the processing of your personal data, ČD-Telematika will have to review the processing carried out. We will not further process such personal data unless there are compelling legitimate grounds for the processing which override your privacy interests or other interests, rights and freedoms, or unless the processing is carried out for the establishment, exercise or defence of legal claims of ČD-Telematika.

If you exercise this right, please always indicate the specific situation that leads you to conclude that ČD-Telematika should not process your data.

However, the possibility to object does not apply to all cases of processing; it is not possible to use it in the case where we process your data pursuant to a legal basis other than the necessity for a legitimate purpose - for example, because it is necessary for the performance of a contract or the fulfilment of legal obligations.

  • Right not to be subject to automated decision-making (Article 22 GDPR)

In accordance with Article 22 of the GDPR, you have the right not to be subject to any decision based solely on automated processing, including profiling, which has legal effects on you or significantly affects you in a similar way.

You do not have this right if the automated decision is necessary for the conclusion or performance of a contract between you and our company, if you have given your explicit consent, or if it is expressly permitted by EU or national law.

  • Right to withdraw consent (Article 7 of the GDPR)

Where we collect and process data on the basis of your consent, you have the right to withdraw this consent at any time. Providing consent is completely voluntary. If you withdraw your consent, this does not affect those processing activities that have already taken place at the time when the consent was validly given, nor those processing activities that our company is obliged to carry out because of the previously given consent and the processing activities already carried out (in order to comply with legal obligations or to protect our legitimate interests).

Withdrawal of consent is completely free of charge and you may do so by any of the methods set out in Article 9. However, you can also withdraw your consent in the same way it was granted. This means that, for example, if you have given your consent by telephone, you can also withdraw it by telephone.

  • Right to lodge a complaint with a supervisory authority (Article 77 GDPR)

If you disagree with the way in which we process your personal data or disagree with our company's approach, you can lodge your complaint with the Data Protection Authority at any time - address: Pplk. Sochora 27, Prague 7, Post Code 170 00, phone: 234 665 111, e-mail: posta@uoou.cz, web: www.uoou.cz.

 

How can you exercise your rights and where can you ask questions?

Please address all questions, doubts and requests to the DPO.

The exercise of any of your rights must not affect the rights of others.

If you contact ČD-Telematika with an objection or a request to exercise one of your legal rights, we will inform you of the measures taken. If we do not take any measure, we will also inform you and explain the reasons for our action. You will receive a reply in the same way you submitted your request, free of charge and without delay, but no later than 30 days after receipt of your request. This deadline may be extended by a maximum of two months, which you will be informed of in advance, for example due to the complexity and number of requests.

ČD - Telematika is entitled to refuse your request or charge you for the administrative costs involved if your request is manifestly unfounded or unreasonable.

At the same time, ČD-Telematika would like to point out that it can only grant your request or objection if it has no doubts about the identity of the person making the request or objection.

 

 

Contact details for exercising your rights:
postal address: Data Protection Officer ČD - Telematika a.s., Pod Táborem 369/8a, Prague 9, Post Code 190 00
e-mail: dpo@cdt.cz

 

Identity verification when contacting ČD - Telematika

It is a top priority for our company to prevent your personal data from being disclosed to a third (unauthorised) party, from being lost, irreversibly altered, misused or otherwise mishandled.

Therefore, in the event that our company has reasonable doubt as to the identity of the person exercising his/her rights on the basis of the foregoing, you may be asked to provide additional information necessary to prove your identity, with the help of which your identity can be reliably established. If necessary, our company may also require that the form or application be accompanied by your certified signature.

 

Conclusion

This Privacy Policy takes effect on 25 May 2018. This document will be updated and supplemented on a continuous basis.