The aim of these Principles of Processing Personal Data for O2 Customers Based on GDPR published by O2 Czech Republic a.s. IČ (Company Identification Number) 601 93 336, DIČ (Company Taxation Identification Number) CZ60193336, seated at Za Brumlovkou 266/2, 140 22 Prague 4 – Michle (“Principles” and “O2”), is to provide information about what personal data O2 (as an administrator) processes about natural persons when providing services, selling goods at brand shops and O2 e-shops and when visiting internet sites provided by O2, and about contacts with potential customers, for what purposes and for how long O2 can process this personal data in accordance with valid legal regulations, and to whom and for what reason this data can be handed over, and at the same time to inform what rights natural persons have as far as processing their personal data is concerned.
These Principles concern processing of personal data of O2 customers and appropriately their representatives or contact people, O2 services users, people interested in O2 services and goods and visitors of O2 run internet sites, and it is always done in the extent of personal data corresponding to their role towards O2.
These Principles are valid as of May 25, 2018, and they have been published in accordance with Regulation (EU) 2016/679 about the protection of natural persons in connection with personal data processing (“regulation” or “GDPR”).
A. Personal data categories
Personal data is any piece of information connected to a natural person that can be identified by O2. In connection with providing services and selling goods, O2 can process the following categories of personal data.
1. Basic personal identification data and address
This data is needed to sign and fulfil a contract. It includes especially:
- academic degree
- name and surname
- business name
- birth certificate number (if a birth certificate number has not been issued for any reason then a birth date)
- IČO (company identification number), DIČ (company taxation identification number)
- permanent address
- seat or business address
- invoicing address
- numbers of presented identification documents and their copies (all data that is not needed for providing of the service is blacked out on the copies of documents)
- identification data of a customer’s representative or the contact person specified by the customer
- identification data of the payer of the billing
- bank details
The extent is limited to basic identification data in case of contracts for a one-off sale of goods.
2. Contact details
- contact phone number
- contact e-mail
- social networks addresses
3. Data about purchased goods, subscribed services, use of services and payment moral
- type and specification of provided services or goods
- volume of provided services and their price
- customers’ segment
- information about payment moral
4. Operating data and localization data
This is data processed for the needs of a messages transfer via the electronic communications networks, for their billing (about phone calls, data transmissions, text messages and other services provided by O2), solution of eventual disputes arising from the providing of services and fulfilment of legal duties by O2. This includes especially:
- the calling number
- the called number
- data connection address (e.g. IP address or URL address)
- date and time of the carried out connection
- IMEI of the end device
- number of provided units
- time of carried out connection
- number, name and connection of the final point of the network
- internet connection type
5. Other data generated in connection with providing of services
This data appears when providing services, which are not electronic communications services, or when providing electronic communications services above the framework of data needed for transfer of messages. Data generated by networks when providing electronic communications services above the framework of operational and operational localization services is necessary to settle disputes concerning the quality of services, evaluation and increase of quality of networks and services, and the maintenance of networks.
6. Data from communication between O2 and a customer
This data originates during communication connected with providing of O2 services and goods between O2 and the customer. This includes records of personal communication with the customer at shops or in a direct contact with the customer; written or electronic communication with the customer, and records of phone calls, chat and video chat communications between the customer and O2.
7. Camera records from O2 brand shops and O2 premises
O2 places cameras in O2 brand shops and on O2 premises to protect its rightful interests. Premises, where cameras are located, are always labeled with a notification.
8. Data processed based on your approval
Processing of this data is not necessarily needed to fulfil the contract or legal obligations or to protect rightful interests of O2 but its processing makes it possible for O2 to improve its services, to focus on what the customers are really interested in and to inform customers about offers that are suitable for them. This data is processed only if the customer gives their approval and they can be processed only for the period when the approval is valid. This concerns especially:
- data gained from marketing researches (they are processed for O2 services customers based on the approval with the processing of personal data for marketing and business purposes)
- data about the use of services, products, benefits and bonuses and about typical behaviour when using services (they are processed for O2 services customers based on the approval with the processing of personal data for marketing and business purposes)
- contact details in case of somebody who is not an O2 customer (they are processed based on the approval with a marketing address)
- records about behaviour on internet sites maintained by O2 and received via cookies if cookies in the web browser are enabled (they are processed to improve the operations of internet pages operated by O2 and in case of an approval this data is processed together with personal data for purposes concerning the approval)
B. Purposes, legal reason and time for processing of personal data
The extent of processed data depends on the purpose of processing. For some purposes it is possible to process data directly on the basis of the contract, rightful interests of O2 or based on the law (without an approval), for others it can be done only based on the approval.
1. Processing of data for the purposes of fulfilling the contract, fulfilling of legal duties, and purposes of rightful interests of O2
Providing of personal data needed to fulfil the contract, fulfilling of legal duties of O2 and the protection of rightful interests of O2 is compulsory. It would not be possible to provide services without providing personal data for these purposes. We do not need an approval to process personal data for these purposes. Processing for the purposes of contract fulfilment and the fulfilling of legal regulations cannot be refused.
It concerns especially these basic partial purposes:
- ensuring and protection of electronic communications networks (contract fulfilment)
- providing services of electronic communications, payment transactions, providing of other services (contract fulfilment)
- billing for services (contract fulfilment)
- fulfilment of legal taxation duties (fulfilling of legal obligations)
- purposes set by special laws for the needs of criminal procedures and to fulfil obligation in cooperation with Police of the Czech Republic and with other state authorities (fulfilling of legal obligations)
- exchange of data among network providers and providers of electronic communications services to ensure connection and access to networks and for joined billing (contract fulfilment)
- running of camera and monitoring systems on O2 premises in order to prevent appearance of damages (rightful interest of O2)
- evaluation of customers’ behaviour when using services (telcoscoring) and their payment moral in order to prevent the appearance of debts that can influence the decision making of O2 about signing of further contracts with a customer; the decision about signing or not signing of another contract does not take place automatically (rightful interest of O2)
- collecting debts from customers and other disputes with customers (contract fulfilment)
- recording and monitoring of calls with a customers’ care line (contract fulfilment)
- processes connected with customers’ identification (contract fulfilment)
- getting evidence in case O2 rights need to be defended (rightful interest of O2)
- register of debtors (rightful interest of O2)
- register of misuse of a network and electronic communications services (rightful interest of O2)
Personal data for these activities is processed in an extent needed to fulfil these activities for the period of time needed for their completion or for the period of time set by legal regulations. Afterwards personal data is deleted or made anonymous. Basic periods of personal data processing are specified below.
In case of customers of O2 services who have fulfilled all the commitments towards O2, O2 can process their basic personal, identification and contact data and data about services and data from communication with O2 for a period of 4 years after they terminate their last contract with O2.
In case of a purchase of goods from O2, O2 is entitled to process basic personal, identification and contact data of a customer, data about the goods and data from communication between the customer and O2 for a period of 4 years after the warranty period of the goods runs out.
If O2 deals with a potential customer about signing a contract that has not been completed with a signature of that contract, O2 is entitled to process the provided personal data for a period of 3 months from the corresponding negotiations.
In accordance with paragraph 35 of the Act no. 235/2004 of the Collective, about a value added tax, invoices issued by O2 are archived for the period of 10 years after their issuance. Since a legal reason for issuing of invoices needs to be given as evidence, customers’ contracts are also archived for the period of 10 years after a contract is cancelled.
Identification data from the customer’s identification card needed for providing of services are processed by O2, in accordance with paragraph 16 of Act no. 253/2008 of the Collective, about some arrangements against legalizing revenue from criminal activities and financing of terrorism, for the period of 10 years from the day you terminate your contract with O2. To meet this legal obligation O2 keeps a copy of customers’ identification documents with data needed for providing of O2 services for the period of 10 years since the last contract is terminated; additional data which is not needed for the providing of the service is blacked out on the copy of the identification document.
Personal data needed to provide special ZTP or ZTP/P discounts (discounts for disabled citizens) according to paragraph 3 of Act no. 127/2005 of the Collective, about electronic communications, are processed for the period of 5 years since the corresponding discount is provided, or until the time when it is no longer possible to legally contest the height of the state contribution to these discounts, if this period is longer.
In case of debtors O2 keeps personal data corresponding with the debt for a period of 4 years after the debtor is deleted from the SOLUS Register in order to defend the claims connected with handing over the debtor to the SOLUS Register for rightful interest.
Camera recordings from brand shops and from O2 premises and from the surroundings of O2 buildings are processed for a maximum of 90 days from the day the camera recording was taken.
According to paragraph 90 articles 3 and 4 of Act no. 127/2005 of the Collective, about electronic communications, O2 is requested to keep operational data of the service until the end of the period, when the billing of fees or providing of electronic communications services can be legally contested by a complaint. For this reason O2 processes operational data of the service for the period of 6 months since it is provided. O2 is furthermore entitled to process operational data of the service until a dispute about the decision about an objection to dealing with a complaint is settled, or until the period, for which a claim can be legally demanded.
According to paragraph 97, article 3 of the Act no. 127/2005 of the Collective about electronic communications O2 is requested to keep operational and localization data for a period of 6 months; these are created or processed when ensuring public communications networks and when providing publicly available electronic communications services; upon request O2 is obliged to immediately provide them to authorities acting in criminal proceedings, to Police of the Czech Republic for the purposes of an initiated search for a specific wanted or missing person, to provide identity of an unknown person or identity of a discovered corpse, to avoid or identify specific threats in the area of terrorism or to check a protected person; to BIS (Security Information Service) for the purposes and when fulfilling conditions set up by a specific legal decree, to the Army Intelligence for the purposes and when fulfilling conditions set up by a specific legal decree and to the Czech National bank for the purposes and when fulfilling conditions set up by a specific legal decree.
2. Processing of data of O2 services customers with an approval for marketing and business purposes valid as of May 25, 2018
We process personal data of an O2 service customer for marketing and business purposes with their approval. For the period after May 25, 2018, O2 collects a new approval for marketing and business purposes that is valid after this date. The date with the beginning of the approval for processing personal data for marketing and business purposes is in the text of the approval.
As of May 25, 2018, O2 will process customer’s personal data with the approval for marketing and business purposes primarily to create a suitable offer of products and services of O2 or third parties and in connection with approaching the customer via phone, in writing (including attachments to billings), via all internet advertisement means and via electronic communication using contact data or service numbers. That is why O2 will save data about customers, who grant this approval, to collect data about their typical behaviour when using O2 services and products and save anonymous behaviour analysis.
All these activities are essential to approach customers with suitable marketing offers.
Providing an approval for marketing and business purposes is voluntary and the customer may call it off any time after May 25, 2018. This approval remains valid whilst O2 products and services are used and for the following 4 years or until such time, when the customer calls it off. All data categories specified in section A of this document (with the exception of a signature and a copy of identification documents) may be used for marketing and commercial purposes in case of an approval; they can be used for a period of time, for which O2 is entitled to keep this data for the purposes of providing services, fulfilling legal obligations and protecting its rightful interests, nevertheless for up to 4 years since the termination of a contract for services provided by O2 at the latest, unless the customer recalls their approval earlier.
3. Processing of data of data subjects that have given their approval for a marketing address via an electronic contact
In case of subjects that have given their approval for a marketing address via an electronic contact, O2 processes contacts that the subjects made available for the purposes of a marketing address with the offer of O2 services and products for the period specified in the approval. If this approval is given via internet sites run by O2, data from O2 cookies placed on internet sites where this approval was given are stored with the contacts, only in case that subject allows cookies on their web browser.
4. Processing of cookies from internet sites run by O2
If the subject allowed cookies on their end device we process records of their behaviour from O2 cookies placed on internet sites run by O2. At the same time we make it possible for selected subjects to place their cookies on internet sites run by O2.
C. Sharing personal data with other administrators
Unless the law specifies otherwise, as an administrator of personal data, we can pass this personal data to other data administrators only in case that we have an approval to do so from the data subject. Granting this approval is voluntary.
According to paragraphs 20z and 20za of the Act no. 634/1992 of the Collective, about the protection of customers, and for the purposes of protecting rights and legally protected interests of sellers and consumers O2 is entitled to pass identification data, data informing about solvency, payment moral and trustworthiness of the Data Subject to registers that serve for mutual informing of sellers about the ability and willingness of consumers to fulfil their commitments. This passing concerns also relationships created within business making or other individual profit making activities of data subjects. O2 participates in the Register of Natural Persons and the Register of Business Making Natural Persons (IČ) of the SOLUS association (“Registers”) and it passes on data about debtors. The registers include a database of data subjects that infringed their contractual commitment to properly pay for a provided service, and O2 is entitled to check them out even without the approval of data subjects with the intention to check and evaluate the payment moral of a data subject when a contractual relationship is initiated as well as at any time when the contract is valid. Detailed information is included in the document “INFORMATION about registers of the SOLUS association”, which is available at www.o2.cz and at www.solus.cz.
D. Personal data receivers’ category
When fulfilling its commitments and obligations based on the contract O2 uses expert and specialized services of other subjects. If these providers process personal data handed over from O2, they have the role of personal data processors and they process personal data only within the framework of tasks from O2 and they cannot use them in any other way. This includes especially collecting amounts owed, activities of experts, lawyers, auditors, IT system maintenance, internet advertisements or business representation. We choose each such subject carefully and we sign a contract about processing of personal data with each of them; this contract determines the processor’s strict duties when protecting and securing personal data.
Processors are companies seated in the Czech Republic, in a European Union member state or in so called safe states. Transferring and processing of personal data in countries outside the European Union always takes place in accordance with valid legislation.
When fulfilling its legal obligations O2 hands over personal data to state authorities and administrations determined by valid legislation.
E. Method of processing personal data
O2 processes personal data manually and in an automated way. O2 keeps records of all its activities, both manual and automated, when personal data is processed.
F. Commercial notifications
For O2 commercial notifications or commercial notifications of third parties O2 uses the OS abbreviation or another suitable marking that makes it obvious that this notification is a commercial notification based on valid legal regulations. O2 commercial notifications clearly state that O2 is their sender. We can send commercial notifications either to our customers’ contacts based on a rightful interest of O2 only until such time when you express your disapproval or based on an expressed approval with processing of personal data for marketing and commercial purposes. Sent commercial notifications also include a contact to refuse the sending of these notifications.
G. Phone book
If the customer approves it, we make their contact data public in our own information service or in an information service or a printed phone book of other providers if we are asked by these providers to pass on contact data. The approval can be given when signing a participating contract or later at an O2 brand shop or via other channels specified for this. A correction of a printed phone book can be done only at the nearest time when it is reprinted. It is possible to state in the printed phone book that there is a ban on contacting the customer with commercial offers and offers of services.
H. Information about the rights of data subjects in connection with processing personal data after May 25, 2018
If the data subject is an identifiable natural person for O2 and they prove their identity to O2 then according to the regulation as of May 25, 2018, they will have the following rights.
1. The right to access personal data
According to article 15 of the regulation the data subject will have access to their personal data that includes the right to get from O2:
- a confirmation if it processes personal data,
- information about the purposes of processing, categories of concerned personal data, recipients that had or will have access to personal data, planned period of processing, about the right to ask the administrator to modify or delete personal data concerning the data subject or the limitation of their processing or to raise an objection to this processing, the right to submit a complaint to the monitoring authority, about all available information about the source of personal data, if they are not received from the data subject, about the fact that automatized decision-making takes place including profiling, about suitable guarantees when passing on data outside of EU,
- in case that rights and freedoms of other persons are not unfavourably touched then even copies of personal data.
If the request is repeated, O2 is entitled to charge an adequate fee for the copy of personal data.
The right to a confirmation of processing personal data and information can be submitted in writing to the seat of O2.
The right to a copy of personal data can be submitted at an O2 brand shop if the legitimacy of submitting the given request is proven.
2. The right to modify inaccurate data
According to article 16 of the regulation the data subject will be entitled to the right to have inaccurate data that O2 will process about them modified. An O2 customer also has the duty to inform about the change of their personal data and to prove that such a change took place. At the same time they are obliged to cooperate with us in case we find out that personal data that we process about them are inaccurate. We will carry out the modification without any unnecessary delays based on given technical possibilities. The request to modify personal data can be submitted at an O2 brand shop if the legitimacy of submitting the given request is proven.
3. The right for erasure
According to article 17 of the regulation the data subject will be entitled to have personal data concerning them erased if O2 does not prove rightful reason for processing such personal data. O2 has set up mechanisms to ensure the anonymity is made automatically or personal data is deleted in case they are not needed for the purpose for which they were processed. If the data subject assumes that their personal data was not erased they can contact us in writing at the seat of O2.
4. The right to limit the processing
According to article 18 of the regulation the data subject will be entitled to have the processing limited until the motion is solved, if they deny the accuracy of personal data, the reasons for their processing or if they submit an objection to the processing in writing to the seat of O2.
5. The right to report a correction, erasure or limitation to processing
According to article 19 of the regulation the data subject will have the right to be notified by O2 in case of a correction, erasure or limitation to processing of personal data. If there is a correction or an erasure of personal data, we will inform individual recipients with the exception of cases when it is impossible or it requires undue efforts. Upon a request from the data subject we can provide information about the recipients. The request can be submitted in writing to the seat of O2.
6. The right to transfer personal data
According to article 20 of the regulation the data subject will have the right to transfer data concerning them and that they provided to the administrator in a structured, regularly used and machine-readable format, and the right to ask O2 to transfer this data to a different administrator.
If the data subject provides us with their personal data based on an approval or in accordance with the contract for providing of services and their processing is done automatically, they have the right to get such data from us in a structured, regularly used and machine-readable format. If it is technically feasible, data can be given to a specified administrator if a person dealing for the corresponding administrator can be properly determined and they can be authorized.
If by exercising this right the rights and freedoms of third parties could be unfavourably touched, your request cannot be accommodated. The request can be submitted at O2 brand shops once the legitimacy of the request is proven.
7. The right to raise an objection against the processing of personal data
According to article 21 of the regulation, the data subject will have the right to raise an objection against the processing of their personal data for the reason of rightful interest of O2.
If O2 does not prove that there is a serious rightful reason for processing that prevails over the interest or rights and freedoms of data subjects, O2 will cease the processing based on this objection without any unnecessary delays. The objection can be sent in writing to the seat of O2.
8. The right to recall an approval with the processing of personal data
An approval with the processing of personal data for marketing and business purposes valid as of May 25, 2018, can be recalled at any time after this date. The recalling needs to be done in an expressed, comprehensible and specific manifestation of will, either by calling the customers’ care line, at an O2 brand shop or in your Web Self-Care.
An approval for a marketing address given for a specific electronic contact can be recalled at an O2 brand shop, at a customers’ care line or by clicking on a link in a corresponding marketing address at any time.
Processing of data from cookies can be limited by setting up the web browser.
9. Automatized individual decision-making including profiling
Data subject has the right not to be a subject of any decision based solely on automatized processing, including profiling, which could lead to legal impacts or significantly concern them in a similar way. O2 specifies that it does not carry out automatized decision-making without the influence of human evaluation with legal impacts for data subjects.
10. The right to turn to the Office for Personal Data Protection
Data subject has the right to turn to the Office for Personal Data Protection (www.uoou.cz).
I. Commissioner for personal data protection
As of May 25, 2018, this contact for the commissioner for personal data protection is available in accordance with the regulation: O2 Czech Republic a.s., commissioner for personal data protection, Za Brumlovkou 266/2, 140 22 Prague 4 – Michle.