Information on the processing of personal data under the terms and conditions of the Czech Telecommunication Office

Last updated on: 20.04.2023

ČTÚ-17305/2023-604
CTU0X093HEY9

Personal data controller

The personal data controller is the Czech Telecommunication Office (hereinafter referred to as the "Office"), with its registered office at Sokolovská 219/58, 190 00 Prague 9, Company ID: 70106975, which was established on May 1, 2005 as the central administrative office for the performance of state administration in matters stipulated by Act No. 127/2005 Coll., on electronic communications and on amendments to certain related acts (Electronic Communications Act), as amended, including market regulation and setting conditions for doing business in the field of electronic communications and postal services.  

Contact details of the personal data controller

Postal address: Czech Telecommunication Office, PO Box 02, 225 02 Prague 025
Data box: a9qaats
E-mail address: podatelna@ctu.gov.cz
Telephone operator: 224 004 111
By personal submission through the Office's filing room (Registry)
Detailed contact information can be found on the Office's website (www.ctu.gov.cz/en).

Data Protection Officer

The Office shall appoint a Data Protection Officer in accordance with Article 37 of the GDPR. The Officer may be contacted in any of the following ways::
Data box: a9qaats
E-mail address: podatelna@ctu.gov.cz, or osobniudaje@ctu.gov.cz
Telephone: 224 004 716
Postal address: Czech Telecommunication Office, PO Box 02, 225 02 Prague 025
By personal submission through the Office's filing room (Registry)

With regard to the effectiveness of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "General Regulation") on May 25, 2018, the individual points of this information below elaborate on the relevant provisions of this General Regulation applicable to the Office.
The notice summarizes the principles of personal data processing by the Office, both for natural persons and natural persons acting on behalf of legal entities (hereinafter referred to as "data subjects").

Personal Data Processing Policy

1. personal data is processed fairly, lawfully, and transparently,
2. personal data is collected only for specific, explicitly stated, and legitimate purposes, and personal data is not further processed in a manner incompatible with those purposes,
3. the scope of the processed personal data is adequate, relevant, and necessary to achieve the stated purposes,
4. measures are taken to ensure that only accurate personal data is processed, which is updated where necessary,
5. personal data is stored for the period necessary for the purpose of its processing,
6. the personal data processed is adequately secured, in particular against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Overview of processed data (types) and their sources

Personal data is considered to be any information about an identified or identifiable natural person. An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data is collected by the Office primarily in the course of performing administrative activities, while being submitted, either directly from natural persons (participants in administrative proceedings) and also their legal representatives, or in the processing of such data in specific information systems of the Office, which are interconnectable with public registers of persons and other public registers (e.g. trade register and similar). Personal data of visitors to the Office who have entered the premises of the Office are also processed. Furthermore, personal data may be obtained from the undertakings in the field of electronic communications services and postal services during their contact with the Office, respectively from their representatives acting on the basis of a power of attorney or mandate. Personal data is also obtained from other public authorities involved in cooperation with the Office in its regulatory and administrative activities, but also from the security forces of the Czech Republic and the competent judicial authorities. Furthermore, the Office cooperates and obtains personal data from banking institutions, health insurance companies, social insurance companies, employment offices, or from relevant regional or municipal self-governing units. 
Personal data is also obtained by the Office from specific service providers to the Office and their subcontractors, within the framework of public procurement, application of contractual requirements and other associated records.
The Office also processes the personal data of its employees (including former employees) for the purposes of personnel and payroll administration.

The types and categories of personal data processed by the Office include, in particular, name and surname, address of permanent residence or place of business, date and place of birth, birth number, identity card number, passport number, contact information in the form of an e-mail or telephone, delivery address, data box ID, bank account, personal status, nationality, information on educational attainment, or data on legal capacity and data from the Criminal Register relating to this natural person, including the handwritten signature of a natural person and other features of the physical form of persons (e.g. photographs). 
The CTU-NetTest tool, as well as its repeated measurement mode, also processes the client's UUID, optionally the manually entered measurement address, and its IP address. 
In the case of registration of users of frequencies in the 57-66 GHz, 5.8 GHz and 5.2 GHz bands of fixed outdoor radio stations (point-point, point-multiple points) and RLAN stations, the Office also processes the MAC addresses of Stations or their serial numbers, operational/technical data (aggregate metadata) assigned by the Office to each registered person for its Stations. This is the date and exact time of the actions performed in the registration portal, the protection period for the expiration of the recording and the automatically assigned serial number of the Station.    

In the case of personnel records, also the driver's license number and gender of the person.

Purposes of processing

For what purpose does the Office use the personal data of the subjects?

Usually, each piece of data is used for a precisely defined and uniform purpose of its processing. The means of processing itself, the duration of their processing, the limitations of their processing, etc. depend on the defined purposes of processing. In certain cases¹  stipulated by the General Regulation pursuant to Article 6, the Office may process data for purposes other than those listed below, however, these are exceptional and limited cases that the General Regulation makes subject to the fulfilment of additional conditions and in such cases the Office provides this information to the specific data subject. In order to determine whether processing for another purpose is compatible with the purposes for which the personal data was originally collected, the Office takes into account the individual links between the purposes, the circumstances of the collection of the personal data and its nature, including the possible consequences of the processing. 

The primary purpose of processing is all administrative, managerial, and regulatory agenda of the Office, which includes the recording of such data within the framework of monitoring activities in the field of electronic communications and postal services, as well as the use of data for aggregate statistical purposes and for the development of the Office's services, in connection with recovery of claims against parties to administrative proceedings in the field of postal services and electronic communications (within the framework of disputed administrative proceedings), within protecting the rights of the Office and third parties in legal disputes, as well as in the exchange of information in public administration and self-government, exchange of information between network operators and operators of electronic communications services, ensuring cyber and information security and other areas related to ensuring the security of the Office. 
A substantial proportion of this data is also necessary to ensure the operation of the Office itself, for operational purposes and related administration, such as accounting, human resources, the Office's economic projects, tenders, etc.
Personal data is also used for internal communication within the Office and for external communication by the Office. 

None of the categories or types of personal data of data subjects are used for marketing and other similar purposes, which would include profiling applicants, their interests, preferences, and other mapping information about their current activities. At the same time, the Office does not use elements of automated decision-making in any of its information systems.

The Office does not publish any of the categories of special² personal data that could thus violate the privacy and security of individuals. 

Legal basis for data processing

All processing of personal data must be lawful – it must be based on one of the legal grounds for processing listed in the General Regulation. In most cases, personal data is processed on the basis of one specific legal ground for processing, which may, however, include the simultaneous fulfilment of the conditions of several legislative norms for its processing. In the event of the absence or invalidity of a legal basis for processing personal data, the Office shall restrict the processing or directly proceed to terminate the processing of the data subject's personal data. Possible legal grounds for processing are set out in Article 6 of the General Regulation.

If the Office processes personal data beyond the scope of a legal obligation or the fulfilment of public interest, this is possible only on the basis of the qualified consent of the data subject, which the data subject may withdraw at any time (you can use the contact details below to revoke consent). The withdrawal of consent does not affect the lawfulness of processing based on consent given before its withdrawal. However, the Office does not currently use the institution of consent to legitimize its processing of personal data in terms of its legal obligation and the fulfilment of the public interest (except for contact details within the personnel agenda). 

The main legal basis of the Office for processing of personal data is compliance with the legal obligation imposed  based on the designated performance of state administration in the field of telecommunications and postal services³, as well as in the field of radio and television broadcasting⁴ and information society services and consumer protection⁵, with a specific definition of the scope of the relevant legal regulations on the Office's website. The Office also processes certain personal data under other legal provisions, but this does not constitute its main (functional) responsibility in this regard.
The Office also carries out its activities in the exercise of public authority or in the exercise of public interest, and for some processing purposes it also uses the legal basis of legitimate interest, relating in particular to tools in the field of information and cyber security.
The Office also uses the legal basis of compliance with contractual obligations for its processing in the field of cooperation and negotiation of individual contracts with service suppliers for the Office (and third parties), where such processing is necessary for the performance of the contract or for the implementation of pre-contractual measures at the request of the supplier.

When using the legal title of legitimate interest, the Office always carries out a proportionality test, which summarizes the impact on privacy for the data subject and clarifies the reasons for legitimate processing under this legal title. Therefore, the Office always considers and compares the individual rights of data subjects and its legitimate objectives that the processing of personal data fulfils.

Right to object

Every data subject has the right to object to the processing of their personal data. Objection allows the processing to be reviewed in cases where it is justified by specific circumstances – i.e. in a situation where the processing itself is permissible, but there are specific reasons on the part of the data subject why they do not want the processing of their personal data to continue. This situation occurs when the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Office, or when the processing is necessary for the purposes of the legitimate interests pursued by the other controller or by a third party. In all these specified cases, the Office shall suspend and restrict processing activities and consult with the Data Protection Officer (hereinafter referred to as the "Officer") on the appropriate course of action. 
It should be noted here that even in the above cases, parallel processing of such personal data will usually take place, but for other purposes that will justify the Office continuing to process such data. The Office therefore further processes the data if it proves legitimate and legal grounds for their processing (proof of legal obligation) that outweigh the interests or rights and freedoms of the data subjects, or in the case of the establishment, exercise, and defence of legal claims of the Office.

A request for objection or a request for review of the processing of personal data shall be sent by a specific data subject to the data box of the Office: a9qaats or to the Office's mailing address: podatelna@ctu.gov.cz.
Specific details and exceptions are laid down in Article 21 of the General Regulation.

Period for which the data will be processed

The Office may not process personal data for an indefinite period of time, but the processing period is always limited to the time period when the Office actually needs the data to perform its activities as defined above. The Office endeavours to limit the length of this period so that it properly reflects both the interests of the data subject and the needs of the Office and its legal obligations. Since in certain extreme cases it is difficult to determine the necessary processing time, or for security reasons it is not possible to disclose the exact length of the processing time frame, below we list at least some of the criteria used by the Office to determine the length of personal data processing.

The aim of the Office is to avoid redundancies in the processing and storage of data that is no longer necessary for the performance of the Office's activities. Precise rules for working with printed documents and electronic data are defined in the Office's File Rules, which clearly and precisely define and specify specific deadlines for the processing and storage of personal data. In cases where no such time limit is specified, the Office shall be guided by the longest limitation period within which the relevant supervisory or judicial authority would be able to conduct an investigation. After this regular period has expired, the Office shall either archive such files containing personal data or destroy or anonymize such files containing the personal data of the data subject. Therefore, in all cases where no specific retention period is specified, the Office shall consider the specific conditions for the appropriateness of the retention period.

In determining the adequacy and effectiveness of the period of processing of personal data, the Office shall take into account, in particular, the following aspects:

1. the length of the limitation period,
2. the duration of the contract,
3. the likelihood of legal claims being raised,
4. usual procedures and requirements in the field of public administration,
5. the likelihood and significance of imminent risks,
6. any recommendations from supervisory authorities.

Update of data

One of the duties of the Office as a personal data controller is to process accurate data or, in view of the circumstances, to add incomplete data. If the data subject provides the Office with information about a change in personal data, they will help the Office to properly fulfil this obligation.
If there is a change in the data provided, the Office would like to ask for information on any such change. In order to update the data, it is possible to contact the Office via the contacts below.

Data processing methods

The Office processes all personal data primarily in its information systems and stores this data in data repositories with limited and controlled access, which are located in guarded buildings. The Office also processes personal data in the information systems of external processors, service providers or cloud solution providers. Printed documents and data in paper form are processed in compliance with all principles for the management and processing of personal data.

In order to ensure the protection of personal data, the Office has adopted technical and organizational measures to ensure the protection of personal data, which determines, in particular, procedures to prevent unauthorized or accidental access to personal data, its change, destruction or loss, unauthorized transmission, its unauthorized processing, as well as other misuse of personal data. All entities and bodies of public administration and self-government to which personal data may be disclosed must respect the data subjects' right to privacy protection and are obliged to proceed in accordance with the applicable legislation on the protection of personal data.
As part of the use of cloud storage and other tools for working with documents of the Office, some personal data may also be stored territorially in the territory of other states of the European Union outside the Czech Republic, in the given data storages of cloud providers.

Transfer of personal data to other persons (recipients of personal data)

Not all processing of personal data is carried out by the Office itself. For processing in certain cases, it hires third parties, so-called personal data processors. The Office shall only select processors (suppliers) who are sufficiently trustworthy and who use knowledge, procedures, or technology with the necessary expertise to enable them to achieve any of the aforementioned processing purposes more effectively. In some cases, personal data of data subjects may also be made available to persons who will be separate personal data controllers or joint controllers together with the Office.
If it is necessary to transfer special (sensitive) categories of personal data, the Office shall encrypt such files in order to prevent alteration of the content and to protect the integrity of such documents.
The Office may disclose personal data to third parties only in cases where it is required or permitted to do so by law or an important public interest.

The Office therefore makes personal data available only to the usual extent to processors or other recipients, such as, in particular, participants in specific administrative proceedings, other public authorities, courts, health and social insurance companies, registers managed by the Ministry of the Interior, operators of electronic tools for public procurement, control authorities and security forces of the Czech Republic.

The Office also transfers certain personal data or electronic documents containing personal data to foreign institutions and other organisations, such as the European Commission and its relevant services, the BEREC Body of European Regulators for Electronic Communications, the ERGP Group of European Regulators in the Postal Services Sector, the RSPG Radio Spectrum Policy Group, where in all cases it provides mainly aggregated data. In such cases, the data is processed within the same purpose and legal title and therefore no processing for different purposes takes place. In most cases, these transfers minimise the personal data provided or pseudonymise it so that it is not clear which specific natural person is involved. Sufficient technical and organisational security rules are always strictly applied, including compliance with the principle of necessity for such data.

The Office currently does not transfer personal data outside the European Union, and in the event of a possible transfer of such data to the USA, the European Commission has introduced the "Privacy Shield" principle, which is intended to ensure effective protection of personal data, sufficient exercise of the rights of data subjects, and a uniform transnational procedure.

Provision of personal data

In some cases, the Office is obliged to provide personal data to other personal data controllers in accordance with legal regulations. These include, in particular, the provision of personal data to other public authorities in compliance with legal obligations, the provision of personal data to law enforcement authorities and the provision of personal data to other Member States of the European Union or international organisations, if this results from directly applicable European Union regulations, an international treaty by which the Czech Republic is bound, or other international obligations.

Information on the rights of the data subject

A data subject who is an identifiable natural person and proves their identity sufficiently shall have the following rights:

1. Right of access to personal data – the data subject has the right to access their personal data pursuant to Article 15 of the General Regulation, whereby the Office is obliged to provide them with information confirming the processing of their personal data and further specific information on the purposes of processing, categories of personal data concerned, recipients or categories of recipients to whom the personal data have been or will be disclosed, the planned duration of processing and the criteria used to determine it, the existence of the right to request from the controller the rectification or erasure of personal data concerning the data subject or the restriction of processing, or to object to such processing, the right to lodge a complaint with a supervisory authority (the Office for Personal Data Protection), all available information on the source of the personal data, if not obtained from the data subject, the fact that automated decision-making, including profiling, is taking place in connection with its use for decision-making, if actions or decisions are made on the basis of this processing, the content of which interferes with rights and legitimate interests, and appropriate guarantees when transferring data outside the EU. When making a copy, the Office is obliged to prevent the misuse of personal data of other data subjects, if it is located here.
2. Right to rectification of inaccurate data - a data subject who finds out or believes that the Office, as a controller or processor, or another person who carries out the processing of their personal data for the Office that is contrary to the protection of private and personal life or contrary to the law, may request an explanation or request the rectification or completion of personal data, pursuant to Article 16 of the General Regulation. The data subject also has the obligation to update their personal data and cooperate with the Office in this activity. In the event of non-compliance on the part of the Office, the data subject is entitled to submit a complaint with the supervisory authority.
3. Right to erasure - the data subject has the right to have their personal data erased pursuant to Article 17 of the General Regulation if the legal conditions have been met, e.g. the personal data is no longer needed for the purposes for which they were obtained or otherwise processed.
4. Right to restriction of processing– until their request is processed, data subject has the right to restrict processing pursuant to Article 18 of the General Regulation if they contest the accuracy of personal data, the reasons for its processing, or if they object to its processing.
5. Right to notification of rectification, erasure, or restriction of processing – the data subject has the right to notification pursuant to Article 19 of the General Regulation in the event of rectification, erasure, or restriction of processing of personal data. If correction or erasure occurs, the Office will inform the individual recipients of the data, except where this proves impossible or would involve disproportionate effort.
6. Right to data portability - the data subject has the right to obtain personal data pursuant to Article 20 of the General Regulation, the processing of which is carried out by automated means and which has been provided to the Office on the basis of consent, and has the right to transmit it to another controller. The data will be provided in a structured, commonly used, and machine-readable format. If the exercise of the right to the portability of personal data could adversely affect the rights and freedoms of third parties, this request cannot be granted.
7. Right to object to an automated decision, including profiling having legal effects.
8. Right to withdraw consent – for example, the processing of cookie data can be prevented by setting a web browser on the computer of the data subject.
9. Right to contact the supervisory authority – the data subject has the right to submit a complaint with the supervisory authority, which is the Office for Personal Data Protection, with its registered office at Pplk. Sochora 27, 170 00 Prague 7, e-mail: posta@uoou.gov.cz, Data box ID: qkbaa2n.

If the Office receives one of the above requests concerning the exercise of data subjects' rights, it shall inform the applicant of the measures taken without undue delay and in any case within one month of receipt of the request. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests.
In certain cases, specified in the General Regulation, the Office is not obliged to comply with the request in whole or in part. This will be the case in particular if the request is manifestly unfounded or excessive, in particular because it is repetitive. In such cases, the Office may impose a reasonable fee taking into account the administrative costs associated with providing the requested information or communication or performing the requested actions or refuse to comply with the request. The Office shall retain all requests from data subjects for a reasonable period of time, with the Data Protection Officer being responsible for these actions.

_______________________

¹ For example, processing of personal data for archiving purposes in the public interest, for criminal investigation purposes or for the purpose of ensuring public security of the state.
² Special categories of personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life or sexual orientation of a natural person. Genetic and biometric data processed for the purpose of uniquely identifying a natural person is also considered special categories of data.
³ Act No. 127/2005 Coll., on Electronic Communications and on Amendments to Certain Related Acts (Act on Electronic Communications), as amended; Act No. 29/2000 Coll., on postal services and on amendments to certain acts (Postal Services Act), as amended; Act No. 194/2017 Coll., on measures to reduce the costs of deploying high-speed electronic communications networks and on amendments to certain related acts.
⁴ Act No. 206/2005 Coll., on the protection of certain services in the field of radio and television broadcasting and information society services, as amended by Act No. 281/2009 Coll.
⁵ Act No. 69/2006 Coll., on the implementation of international sanctions, as amended; Act No. 634/1992 Coll., on consumer protection, as amended.