The purpose of the Personal Data Processing Policy for O2 Customers, adopted by O2 Czech Republic a.s. Company ID 601 93 336, VAT Reg. No. CZ60193336, registered office Za Brumlovkou 266/2, 140 22 Praha 4 ‑ Michle (“Policy”and “O2”), is to inform customers about the processing of their personal data by O2 as the controller in the course of providing services under the O2, BleskMobil and Opencall brands, selling goods at O2 brand stores and e-shops, on the O2 websites and as part of potential contacts with customers, for what purposes and how long O2 processes this personal data in accordance with applicable legal regulations, to whom and for what reason O2 may transfer the personal data, and also inform them of the rights they have in relation to the processing of their personal data.
This Policy applies to the processing of personal data of customers and, as appropriate, their representatives or contact persons, users of services, those interested in services and goods, and visitors to websites operated by O2 ("Customer"), always in the scope of personal data corresponding to their position towards O2.
This Policy is published in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“Regulation” or “GDPR”) in order to ensure that O2, as the controller, meets the duty to provide information as per Article 13 of the GDPR.
This Policy is of an informative nature and therefore is not part of a contract for the provision of electronic communication services.
A. Categories of personal data
Personal data is any information relating to a natural person that O2 is able to identify. In connection with the provision of services and the sale of goods, O2 may process the following categories of personal data.
1. Basic personal identifying data and addresses
Data necessary for the conclusion and performance of the contract. Such data includes:
- academic title
- name and surname
- company name
- social security number (if the social security number has not been assigned for any reason, the date of birth)
- IČO, DIČ numbers (Company ID, VAT Registration No.)
- permanent address
- address of registered office or place of business
- billing address
- the numbers of the identification documents submitted and copies thereof (any data not required for the provision of the service will be blacked out on copies of documents)
- identification information of the customer's representative or contact person designated by the customer
- payer identification data
- bank details
- contract and handwritten signature (in paper or digital form including signature metadata
In the case of one-off contracts, the scope is limited to basic identification data. In the case of prepaid services, only personal identification and address data that the customer voluntarily discloses to O2 are processed and such data is not authorized in any way.
2. Contact details
- contact phone number
- contact e-mail
- social network addresses
3. Information on purchased goods, services, use of services and payment discipline
- type and specification, or tariff, of the service or goods provided
- volume of services provided and their price
- customer segment
- information about payment discipline
4. Operational and location data
Data processed for the purposes of transmission of messages over electronic communications networks, billing purposes (telephone calls, data transmission, short text messages and other services provided by O2), purposes of resolving any disputes arising from the provision of the service and the purposes of compliance with O2's statutory obligations. These include:
- calling number
- called number
- data connection address (e.g. IP address or URL address)
- date and time of the connection
- IMEI of the terminal equipment
- number of units
- duration of the connection
- number, name, and location of the network endpoint
- type of internet access
5. Other data generated in connection with the provision of services
This data is generated when providing non-electronic communications services when using applications O2 or when providing electronic communications services beyond the data needed for transmission of a message. Data generated by networks when providing electronic communications services beyond operational and operational-location data, which is necessary for the resolution service quality disputes, evaluation and improvement of network and service quality and for network maintenance.
6. Data from communication between O2 and the Customer
Data generated during communication related to the provision of services and goods between O2 and the Customer. This data includes written records of personal communication with the Customer in the store or other direct contact with the Customer, electronic communication with the Customer and records of telephone calls, chat and video chat between the Customer and O2.
7. Camera recordings from O2 brand stores and O2 premises
O2 places O2 cameras in O2 brand stores and O2 premises to protect the legitimate interests of O2. Areas where cameras are located are always marked with a warning.
8. Data processed with your consent
The processing of such data is not necessary for the performance of the contract or legal obligations or for the protection of legitimate interests of O2 but their processing will allow O2 to improve its services, focusing on what customers are really interested, and possibly inform customers about offers that are right for them. Such data is processed only with consent of the Customer and may be processed for as long as this consent is valid. The data includes:
- data obtained from marketing surveys (processed for O2 customers based on their consent with the processing of their personal data for commercial purposes)
- data on the use of services, products, benefits and bonuses and usage behaviour (processed for O2 customers based on their consent with the processing of their personal data for commercial purposes)
- contact information in case the Customer is not O2 customer (processed based on marketing authorization address)
- records of behaviour on websites managed by O2 obtained from cookies if cookies are allowed in a web browser (processed to improve the operation of websites operated by O2, online advertising and if consent is given to the processing of personal data for commercial purposes, such data is processed together with other personal data for this purpose)
- data obtained during registration on the website for the services for people with hearing and sight impairment (Linka pro neslyšící a nevidomé) for the purposes of providing this service, and personal data obtained in the course of the service of the helpline.
B. Purposes, legal reasons and lead times for the provision of personal data
The extent of the processed data depends on the purpose of the processing. For some purposes, data may be processed directly on the basis of a contract, O2's legitimate interest or the law (without consent), for others consent is required.
1. Processing for the purpose of contract performance, legal obligations and O2's legitimate interests
Providing personal data necessary for the performance of the contract, fulfilment of O2's legal obligations and protection of the legitimate interests of O2 is mandatory. Without the provision of personal data for these purposes, it would not be possible to provide the service. We do not need consent to process personal data for these purposes; however, processing of personal data in the legitimate interest of O2 can be challenged. Processing in connection with contractual performance and compliance with legal obligations cannot be refuses.
There are mainly the following specific purposes:
- ensuring the operation and protection of electronic communications networks (contractual performance)
- provision of electronic communications services, payment transactions, provision of other services (contractual performance)
- billing for services (contractual performance)
- compliance with statutory tax obligations (compliance with statutory obligations)
- purposes stipulated by special laws for the needs of criminal proceedings and for fulfilling the duty of cooperation with the Police of the Czech Republic and other state authorities (compliance with statutory obligations)
- exchange of data between network operators and providers of electronic communications services to ensure interconnection; and network access, billing (contractual performance)
- operation of CCTV and monitoring systems at O2's premises to prevent damage (legitimate interest of O2)
- evaluation of customer behaviour in the use of services (telcoscoring) and payment discipline for the purpose of prevention receivables that may have an impact on O2's decision-making on the terms of concluding further contracts with the Customer in cases where the decision to conclude or not to conclude another contract is not automated (legitimate interest of O2)
- debt collection and other customer disputes (legitimate interest of O2)
- recording and monitoring of calls to the customer line (contractual performance)
- customer identification processes (contractual performance)
- obtaining evidence in the event of the need to defend the rights of O2, including business monitoring (legitimate interest of O2)
- debtors’ register (legitimate interest of O2)
- records of misuse of electronic communications networks and services (legitimate interest of O2)
Personal data for these specific purposes are processed to the extent necessary for the fulfilment of these purposes and for the time necessary to their achievement or for a period directly set forth in the law. Personal data is deleted or anonymized afterwards. The guiding deadlines for the processing of personal data are available below.
O2 is entitled to process the data of customers who had have fulfilled all their obligations towards the company their basic personal, identification, contact information, service data and data from their communication with O2 for 4 years from the date of termination of the last contract with O2 in the customer database.
When goods are purchased from O2, O2 is entitled to process basic personal, identification and contact details of the Customer and information about the goods, as well as communication between the customer and O2, for 4 years from expiry of the warranty period for the goods in question.
When negotiations are held between O2 and a potential customer about a possible contract that have not led to a conclusion of the contract, O2 is authorized to process the personal data provided for a period of 3 months from the relevant negotiations.
Invoices issued by O2 are archived in accordance with Section 35 of Act No. 235/2004 Coll., On Value Added Tax for 10 years after their date. Due to the need to substantiate the legal reason for issuing invoices, contracts with customers are archived for 10 years from on the day of termination of the contract.
Identification data from the Customer's identity document necessary for the provision of the service is processed by O2 in accordance with Section 16 of Act No. 253/2008 Coll., on Certain Measures Against Money Laundering and Terrorism Financing for 10 years from the date of termination of the contract with O2. To fulfil this legal obligation, O2 keeps copies of identity documents for a period of 10 years from the date of termination of the Customer 's last service Only the data necessary for the provision of the O2 service is kept, while other data not necessary for the provision of the service is blacked out on the copy of the identity document.
Personal data necessary to provide special disability (ZTP or ZTP/P) discounts pursuant to Section 3 of Act No. 127/2005 Coll. On Electronic Communications is processed for a period of 5 years from the provision of the appropriate discount, or until the time when it is not possible to legally challenge the amount of the state subsidy in compensation for the discount discounts, whichever is longer.
For debtors, O2 retains personal debt-related information for 4 years after the debtor is deleted from the SOLUS Register due to a legitimate interest in defending claims related to the transfer of the debtor to the SOLUS Register.
Camera recordings from brand stores and O2 premises and around O2 buildings are processed for a maximum of 90 days from the date of the camera recording.
Pursuant to Section 90 (3) and (4) of Act No. 127/2005 Coll., On Electronic Communications, O2 is obliged to store service operation data until the end of the period during which the amounts billed or the electronic communications service provided can be legally challenged through a complaint. For this purpose, O2 processes in accordance with Section 64(8)-(10) and Section 129(3) of Act No. 127/2005 Coll., On electronic communications, service operation data for a period of 3 to 6 months, unless a longer period is required. O2 can also process service operation data until the resolution of the dispute is final by way of a decision on the objection against the settlement of the dispute or while the claim can be legally enforced.
Pursuant to Section 97(3) of Act No. 127/2005 Coll., On Electronic Communications, O2 is obliged to store operational and location data that is generated or processed in the course of its public communication networks and in the course of the provision of its publicly available electronic communications services. Upon request, the data must be provided without delay to law enforcement authorities, to the Police of the Czech Republic for the purposes of the proceedings initiated searching for a specific wanted or missing person, identifying a person of unknown identity or dead bodies found, preventing or detecting specific terrorist threats or screening of a protected person, and to the Security Information Service for the purposes and subject to the conditions laid down in a special legal regulation, and to the military intelligence services for the purposes and in compliance with the conditions laid down in a special legal regulation, and to the Czech National Bank for purposes and subject to the conditions laid down in a special legal regulation.
2. Processing of O2 customer data with consent for commercial purposes
O2 processes personal data of a Customer for commercial purposes with the Customer’s consent. For the period from 25 May 2018, O2 collects a new consent with processing for commercial purposes, which, if granted by 24 May 2018, is effective from 25 May 2018.
All the categories of data listed in Section A of this Policy may be processed with consent for commercial purposes (with the exception of signature and copies of identification documents) for as long as O2 is authorized record such data for the purpose of providing services, complying with legal obligations and protecting their legitimate interests, until the withdrawal of consent. With consent with processing for commercial purposes, O2 processes the Customer's personal data for the purpose of relevant targeting of advertising O2 or third-party products or services to specific customers and for the distribution advertising of O2 or third-party products or services by reaching the Customer. Reaching of the Customer takes place by telephone, in writing (including invoice attachments), by any means of online advertising or in the form of direct commercial communications through electronic communication using contact details and service numbers.
In the case of consent to the processing of personal data for commercial purposes, O2 customers are contacted with advertising of O2 products and services, as well as advertising of third-party products and services. If customers are only interested in O2 products and services, they can view these offers through indirect marketing channels. O2 sends commercial messages advertising O2 or third-party products or services under the name of O2 as the sole promoter and sender of the commercial message, and in the case of advertising of third-party products and services, O2 does not transfer any personal data with third parties which commissioned the advertising. Up-to-date list of third parties whose offers are being distributed by O2 (advertisers) can be found available here.
For the relevant targeting of advertising offers and for the purpose of business strategic planning, O2 creates and stores data about customer behaviour when using O2 services and products of customers who grant their consent and creates and stores anonymized behavioural analysis. All these activities are essential for reaching customers with appropriate marketing offers.
Providing consent for commercial purposes is voluntary and can be revoked at any time by the customer. This consent remains valid for the period of use of O2 products and services and for the following 4 years thereafter or until the Customer withdraws it.
If the Customer withdraws consent for commercial purposes, this does not affect the processing of the Customer’s personal data by O2 for other purposes and on other legal grounds in accordance with this Policy.
If the Customer allows the use of the service to other users different from the person of the Customer, confirms in the consent that the Customer has the authority to grant consent with the processing of personal data for commercial purposes also in relation to any such users.
3. Processing the data of data subjects who have given their consent to being contacted with marketing offers via electronic means of communication
For entities that have given their consent to being contacted for marketing purposes via electronic means through electronic means of communication, O2 processes, with their consent, for the period specified in the consent, contacts made available by the data subject for offering O2 services and products. If this consent is given through a website operated by O2, O2 cookies distributed by the website where the consent was given are processed together with these contacts provided the data subject has cookies enabled in the web browser.
4. Processing of cookies from websites operated by O2
If the data subject has cookies enabled in the web browser, we process behavioural records of the data subjects from cookies placed on the websites operated by O2 for the purpose of optimising the operation of the O2 website and for the purposes of O2 online advertising.
5. Processing of data subjects' data for the purpose of providing service for people with hearing and sight impairment
For Customers of services provided by O2, O2 processes personal data subject to the Customer’s consent for the purpose of provision of services for people with hearing and sight impairment. Personal data of data subjects who have consented to the processing of personal data for people with hearing and sight impairment is processed upon registration for this service. Services for people with hearing and sight impairment cannot be provided without such consent.
6. Processing of data subjects' data for the purpose of sending application notifications
If the data subject has an application installed by O2, which sends application notifications, and has application notifications enabled for the application in question, O2 will send the app notifications. The content of the application notifications depends on the type of application.
C. Transfer of personal data to other controllers
Pursuant to Section 20z and Section 20za of Act No. 634/1992 Coll., On Consumer Protection for the Purpose of Protecting Rights and Statutory Interests of Sellers and Consumers, O2 has the right to transfer, without the consent of the data subject, data indicating the creditworthiness, payment discipline and creditworthiness of the data subject with registers that serve to reciprocally inform sellers about consumers' capacity and willingness to fulfil their obligations. This transfer also applies to relationships incurred in the course of the business or other self-employed activity of the data subject. O2 participates in the registers of natural persons and of self-employed and independent traders operated by SOLUS (“Registers”), to whom O2 transfers information.
The Registers contain a database of data subjects who have breached the contractual obligation to pay duly for the service provided, and O2 is entitled to screen them for the purpose of verification and evaluation of the payment discipline of the data subject, without the consent of the data subject, both upon the establishment of the contractual relationship and, if necessary, at any time during the term of the contract.
More information can be found in the document "INSTRUCTIONS on SOLUS Registers" available at www.o2.cz and www.solus.cz.
As part of its statutory duties, O2 transfer personal data to the government authorities, other authorities and organizational units of the state according to applicable legislation.
Within some other activities, such as networking, access to other operators' networks, mutual billing, sales of receivables, issuing telephone directories, or making payment transactions, O2 transfers personal data to recipients as separate personal data controllers. A list of these controllers is available here.
D. Processors of personal data
In fulfilling its duties and contractual obligations, O2 relies on professional and specialized third-party services. When these contractors process personal data transferred from O2, they have the status of personal data processors and process personal data only as part of instructions from O2 and may not use it otherwise. These contractors are mainly debt collectors, experts, lawyers, auditors, IT systems administrators, online advertising or sales agents. O2 carefully selects each such contractor and enters into a personal data processing agreement with them, in which the processor undertakes strict obligations to protect and secure the personal data. The list of processors is available here.
The processors are companies established both in the Czech Republic, a member state of the European Union or a state which is one of the so-called safe states. The transfer and processing of personal data in countries outside the European Union always takes place in in accordance with applicable legislation.
E. Method of personal data processing
O2 processes personal data manually and automatically. O2 keeps track of all activities, both manual and automated, in which personal data is processed.
F. Commercial communication
Commercial communication of O2 or third parties is clearly marked with the abbreviation OS or other appropriate designation from which it is clear that that the message is commercial communication within the meaning of the relevant legislation. As for commercial communication sent by O2, it is always clear that O2 is the sender. Commercial communication is sent by O2 to Customer’s contacts either in line with O2's legitimate interest, and only until the Customer objects to processing of personal data, or with the Customer’s express consent to the processing of personal data for commercial purposes or with consent to being contacted with marketing offers through electronic means of communication. Commercial messages also include a link which allows to opt out from receiving commercial communication.
G. Telephone directory service
At the Customer 's request, O2 will publish the Customer’s contact information in its own directory service and in the directory service or a printed telephone directory of other providers, if these providers request the Customer’s contact details. The application can be made when the subscription contract is concluded or later at the O2 brand store or by means of the "Publication in the telephone directory and information services" form available at www.o2.cz. Corrections of details in the printed telephone directory can only be carried out when the directory is being re-edited. It is possible to request not to be contacted, using the published contact details, for the purpose of commercial solicitation, using the means specified for this purpose while making the application for publication in the telephone directory.
H. Information on the rights of data subjects in relation to the processing of personal data
If the data subject is an identifiable natural person for O2 and proves their identity to O2, the data subject has the following right. These rights must be exercised in a way that is intended for the exercise of a particular right and not to the address Data Protection Officer. Applications made in violation of these principles will not be considered. Stated rights may also be exercised only in relation to personal data which, beyond any doubt, is the data of the applicant.
1. Right of access to personal data
According to Article 15 of the GDPR, the data subject has a right of access to personal data, which includes the following rights:
- obtain confirmation that their personal data is being processed;
- obtain information on the purposes of the processing, categories of personal data concerned, any third-party recipients of the personal data to date or in the future, duration of the processing, and the existence of the right to request the controller to correct or delete personal data concerning the data subject, restrict the processing or to object to this
- processing, the right to lodge a complaint with the supervisory authority, and all available information about the sources of the personal data, if not obtained directly from the data subject, the fact that automated decision-making, including profiling, is being performed, and information on appropriate safeguards for data transfers outside the EU,
- obtain a copy of personal data, provided that the rights and freedoms of others are not adversely affected.
In the event of a repeated application, O2 is entitled to charge a reasonable fee for a copy of the personal data. O2 contract customers can exercise their right to access personal data at an O2 brand store provided that the request is legitimate.
In the event that the exercise of the right with respect to personal data could result in certain categories of personal data adversely affecting the rights and freedoms of third parties (e.g. when it is not clear that traffic and location data belongs to the applicant, especially for flat-rate subscribers with multiple mobile numbers or flat-rate subscribers who may let other users use the service, if a recorded call to a call centre involves O2 employees), the application in the scope of these data categories cannot be granted in accordance with the opinion of the Office for Personal Data Protection No. 6/2013. In addition, O2 does not provide documents such as contracts or invoices that the Customer has demonstrably already received from O2.
In view of the above, prepaid customers cannot exercise the right to a copy of their personal data. All personal data that O2 under the right of access to personal data can provide with respect to possible risks to third-party rights can be found in the online self-service application.
2. Right to rectification
According to Article 16 of the GDPR, the data subject has the right to rectify inaccurate personal data, which O2 will be processing about the Customer. The Customer is also obliged to notify O2 of changes in their personal data and to prove that the change has occurred. At the same time, the customer is obliged to provide assistance to O2 if it is found that personal data processed by O2 is not accurate. O2 will make corrections to the personal data without undue delay, subject to the technical feasibility. The request for correction of personal data can be made at the O2 store, provided that the request is legitimate.
3. Right to erasure
Pursuant to Article 17 of the GDPR, the data subject has the right to have their personal data erased, unless O2 can prove legitimate reasons for the processing of such personal data. O2 has security mechanisms in place for automatic anonymization or deletion of personal data when it is no longer required for the purpose for which it was processed. If the data subject nevertheless considers that their personal data has not been erased, they may apply for erasure at an O2 brand store, provided that the application is legitimate.
4. Right to restrict processing
Pursuant to Article 18 of the GDPR, the data subject has the right, until a complaint is resolved, to restrict processing if they challenge the accuracy of personal data, the reasons for their processing or if they object to the data processing, by making a request in writing to the registered office of O2.
5. Right to notify rectification, erasure or restriction of processing
According to Article 19 of the GDPR, the data subject has the right to be notified by O2 in the event of rectification, erasure or restriction of processing of personal data. If personal data is rectified or erased, O2 will inform each individual recipient, except where this proves impossible or requires disproportionate effort. Upon the data subject’s request, O2 may provide information about these recipients.
6. Right to portability of personal data
Pursuant to Article 20 of the GDPR, the data subject has the right to request from O2 their personal data concerning which they have provided to O2 in connection with a contract or with a consent, and which is processed automatically by the company, in a structured, commonly used and machine-readable format, and the right to request the transfer of such data to another controller if the person acting on behalf of the relevant controller is duly nominated and can be authorized. In the event that the exercise of this right could adversely affect the rights and freedoms of third parties, the application cannot be granted. The application can be made at O2 brand stores, provided that the request is legitimate.
7. Right to object to the processing of personal data
Pursuant to Article 21 of the GDPR, the data subject has the right to object to the processing of their personal data for the purposes of O2’s legitimate interests. Unless O2 can prove that a legitimate reason for processing that outweighs the interests or the rights and freedoms of the data subject exists, O2 will terminate the data processing without undue delay.
The objection can be sent in writing to the registered office of O2.
8. Right to revoke consent to personal data processing
a. Consent to the processing of personal data for commercial purposes may be revoked at any time after has become effective. In order to revoke the consent, it is necessary to make an explicit, comprehensible and certain expression of will, either by telephone, at an O2 brand store (not applicable to prepaid customers) or in the online self-service application.
b. Consent to being contacted for marketing purposes using electronic means of communication may be revoked at any time by calling the customer service or in the manner specified in a commercial message.
c. Consent to the processing of personal data for the purpose of registering and providing the services for people with hearing and sight impairment can be withdrawn at any time after it becomes effective. The application must contain the applicant’s express, comprehensible and certain will, and be made either by phone at 800 142 142 or by email at email@example.com.
d. The processing of cookies data can be prevented by setting up a web browser.
e. Data processing for application notification purposes can be prevented via settings on the device.
9. Automated individual decision-making including profiling
The data subject has the right not to be the subject of any decision based solely on automated processing,
including profiling that would have legal or similar effects on the data subject.
O2 declares that it does not make automated decision-making without the components of human judgment which would have legal consequences for data subjects.
10. Right to contact the Office for Personal Data Protection
The data subject has the right to contact the Office for Personal Data Protection (www.uoou.cz).
Data Protection Officer
Contact details for the Data Protection Officer:
O2 Czech Republic a.s., Data Protection Officer, Za Brumlovkou 266/2, 140 22 Praha 4 – Michle, firstname.lastname@example.org
Please note that it is always necessary, in connection with exercising the rights of data subjects, to verify the identity of the data subject under Articles 15 to 22 of the GDPR and the legitimacy of their request. To this end, we advise to always follow the specific method set out in this Policy for the exercise of the given right, and not to send requests to the Data Protection Officer.