PRIVACY POLICY

(the principles of personal data protection)


1. INTRODUCTION
Our company, Výzkumný Ústav Železniční, a.s., IČ: 27257258, with its registered office at Prague 4 - Braník,
Novodvorská 1698/138b, Post Code 142 00, registered in the Commercial Register kept by the Municipal Court in
Prague in Section B, Insert 10025, uses (when performing its business activities) the personal data of its customers
and clients, business partners, their representatives and employees, visitors of the premises in which we operate,
as well as personal data of our employees, possibly also the personal data of job applicants and members of our
bodies.
We do not underestimate the protection of your personal data and your privacy and we make every effort to secure
them sufficiently. We handle the personal data entirely in compliance with legal regulation in force, i.e. with the
Regulation of the European Parliament and of the Council (EU) No. 2016/679 dated 27 April 2016, on the protection
of natural persons with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (hereinafter referred to as the "GDPR"), and with related national legislation.
This document explains which personal data we collect, for which purpose, how we use them, what we do to make
them safe and which rights you can exercise towards us.


2. PERSONAL DATA ADMINISTRATOR AND CONTACT INFORMATION
Our company is a personal data administrator within the meaning of article 4 sub. 7 of the GDPR.
With your inquiries, requests or objections regarding the processing or protection of personal data, you may contact
our company by mail, e-mail or telephone.


Mgr. Nikola Kortánová
lawyer
Výzkumný Ústav Železniční, a.s.
Prague 4 - Braník, Novodvorská 1698/138b, PSČ 142 01
E-mail: gdpr@cdvuz.cz
Phone: +420 725 873 150


3. DEFINITIONS
Personal data – means any information that by itself or together with other information, may lead to an identification
of a particular person (so-called data subject).

  • general – name, surname, gender, age, personal status, citizenship, nationality, address, e-mail address, phone number, photo, CCTV record, the person's appearance, cookie, user name, IP address, position at work, wages, etc.;
  • specific categories of data – race or ethnic origin, political opinions, religion and philosophical beliefs, labor union membership, health status, sexual orientation, criminal offenses and enforceable convictions, children data, genetic and biometric data.

Administrator – person (entity) determining the purpose and method of processing personal data, i.e. our company.
Processor – person (entity), which processes personal data in the name of the controller, i.e. our company or another
entity authorized by our company (legal or natural person).
Data subject – the natural person, to whom the personal data relate (e.g. the employee of our company, job seeker,
a representative or employee of a business partner of our company, visitor of our company premises etc.).
Personal data processing – any operation or set of operations which is performed on personal data or on sets of
personal data, whether or not by automated means (collection, recording, organization, structuring, storage,
adaptation, alteration, retrieval, inspection, use, disclosure by transmission, dissemination, otherwise making
available, alignment, combination, restriction, erasure or destruction).


4. WHICH DATA DO WE PROCESS?
Without your consent
• Identification data – personal data serving for your clear and unmistakable identification, e. g. name, surname,
degree, date of birth, identity card number, residence address, signature, login data to our company
applications, etc.
• Contact data – data enabling us to contact you, e.g. phone number, e-mail, contact (mailing) address, etc.
• Other personal data – data concerning purchases and our business cooperation, e.g. the history of
transactions, payment data, banking information, payment card information, etc.
• Data concerning entries into our company's premises – the name and surname of the entering person.
• Photos – e.g. photos of employees of our company, etc.
• CCTV recordings – in case of moving in the monitored premises of our company.
• Data collected about devices in relation to the use of applications of our company – when using our websites
or applications, we use various technologies to identify your browser and device (cookies files and similar
technologies) to collect and save information, we collect data about devices (e. g. the IP address or other
unique identifiers of your device, hardware model, operational system version, mobile network data, server
protocols, internet protocol address, date and time of your requirement), data about a position (IP address,
GPS system, access points of the WI-FI network or mobile network transmitter).
• Data concerning exercising your lawful rights and records about their exercising in relation to our company.
• Other data whose processing is imposed on our company by a legal regulation of the Czech Republic or the
European Union.
With your consent
Further, our company may process the above data or other data based on your explicit consent. In such case, the
exact scope of the personal data to be processed must be specified in the consent that you have signed. You are
entitled to withdraw your consent anytime.


5. FOR WHICH PURPOSES DOES OUR COMPANY USE PERSONAL DATA?
In compliance with legal regulation in force, we collect and process personal data for a purpose determined in
advance and only in the extent required to meet such a purpose.
Without your consent
• For the purposes of the performance of a contract that you have concluded with us. It ensues from the contract
which data we have to process in order to be able to fulfill everything that we have agreed and what the law
(e. g. Accountancy Act, tax rules, Labor Code, etc.) imposes on us in relation to such contract. Such purpose
and lawful reason for processing apply also to the preparation of the contract, negotiations about the
conditions of the contract or organizing a competitive tendering.
• For the purposes of meeting legal obligations (e. g. Accountancy Act, tax rules, Labor Code, VAT Act, Act on
filing and archiving service, etc.).
• For the purposes of managing relationships with customers and creating analytic models – in order to provide
you with services according to your needs, comfortably and quickly, we process also data about purchases,
about requirements or complaints, we compare and analyze data about our company's products, we create
statistics and sales forecasts for the reason of protecting our rights and justified interests. In such cases, we
make every effort to anonymize the data as much as possible.
• For the purposes of safety and risk management – in cases when a legal regulation imposes an obligation on
us or for the reason of protecting our justified interests, we process your personal data in necessary extent
for the purpose of securing safety within our company's premises, the protection of our property, preventing
and detecting deceptive or harmful actions, etc.
• For the purposes of exercising or defending our legal claims – if we are forced to exercise our rights or to
defend them in court or in administrative proceedings, we use necessary personal data.
• For the purposes of our company's internal administration – our employees process your personal data also
when performing their labour-law obligations as a part of our company's defined internal processes. The
reason is, for example, the internal administration of our activity, preparing reports on the activities of our
company or individual employees, efforts to optimize internal processes or the need to train employees.
With your consent
We can process personal data also for other purposes with your consent (e. g. marketing, etc.).
In such cases, the purpose of collection and further handling of personal data is exactly defined in your consent. In
such cases, you are always entitled to withdraw your consent.
Using the personal data for another purpose than for which they have been collected
In certain cases, our company is authorized to process personal data for another purpose than the purposes for
which the personal data have been collected. For example, we collect your data for the purposes of a contract's
performance and, subsequently, a legal regulation obliges us to save the data for a certain time period (under the
Accountancy Act, we have to archive invoices regarding the provided goods or services for the period of 10 years
even if we no longer need these data for the purpose of the contract's performance). Further, our company
may collect personal data about its employees in order to meet legal obligations, and later, due to the occurrence of
an accident or other extraordinary events, including abuse or damage to our company's property, we process the
collected personal data (in particular, the identification data of the employees who caused the accident or were
involved in it) for the purpose of investigating such events or, in case of a dispute, for the purpose of enforcing our
legal claims or protecting our rights.


6. FROM WHICH SOURCES DOES OUR COMPANY OBTAIN PERSONAL DATA?
• Directly from you, as a data subject, or as a person who is obliged to provide us with the data for fulfilling a
legal obligation when negotiating a contract or other agreement or when filling the entrance questionnaire.
• From our company's CCTV and the system recording entries to our premises.
• From the providers of telecommunication services or other services used by our company during its activities
or during the performance of our company's obligations (e.g. billing of business calls, use of a company car,
checking activities on company's computers, etc.).
• From other entities if a legal regulation explicitly allows it (e.g. data sent by state authorities to our company's
data box or disclosed in litigation, data from insurance company of our company or provided by the labor
union in compliance with the legal conditions), or if you have granted such entity with explicit consent to pass
on information about you.
• We may mutually transfer data with other entities which form the ČD group, for internal administrative
purposes.¹
• From publicly available sources – such as registers or records open to public, websites or advertisements –
if it is necessary to protect the rights and legitimate interests of our company or third party, e.g. verifying
timeliness of data, for the purposes of communication, etc.


7. ARE YOU OBLIGED TO PROVIDE US WITH YOUR PERSONAL DATA?
If we process data based on your consent, the provision of your personal data is completely voluntary.
If we process personal data in relation to a contract or agreement that you have concluded with us or in relation with
a service that we provide to you, you can decide voluntarily whether you conclude the contract or make use of the
service. If the contract has been concluded or the service has been used, then you are obliged to provide us with
the information necessary for the performance of the contract or the use of the service. We cannot provide you with
a service or other performance without such information.
If meeting legal obligations or protection of our justified interests is a reason to collect or to further process your
personal data, then you are obliged to provide us with your personal information. We always request only the data
necessary for the defined purpose.


8. HOW DO WE SECURE PROTECTION OF YOUR DATA?
Our company, in compliance with effective legal regulations, secures personal data that it handles by means of all
suitable technical and organizational measures in order to secure the highest possible level of protection considering
the character, extent, and purposes of processing and probable risks. We have introduced safety and controlling
mechanisms in order to prevent unauthorized access or transfer of data, their loss, destruction or other possible
abuse.
Employees or authorized representatives of our company, who have access to your personal data, are obliged to
maintain confidentiality. Only employees performing necessary activities to ensure the above-mentioned purposes
have access to your personal data, while they always have access only to the data necessary to carry out their work.
If we pass data to third entities, these entities are obliged to maintain statutory or contracting confidentiality as well.
Further, we cooperate only with partners that are sufficiently trustworthy and which secure the obtained personal
data.
Our company is processing personal data both manually and automatically, especially in its secured PC systems
and processors' PC systems (e.g. in our system, within Outlook application - concerning emails, in our accounting
system - concerning the data necessary for invoicing, etc.). Documents are stored in our company's filing rooms
which are adequately secured.


9. TO WHOM DO WE PASS YOUR PERSONAL DATA?
¹ Within the ČD concern/group, we transfer certain personal data of our business partners, customers or employees, in particular, for the
purpose of internal administration and reporting. However, the purpose can be also the facilitation of the conclusion of contracts, the
provision of performances or the solution of certain affairs. For a list of members of ČD concern/group, see item 10 below.
• To processors – our company carries out most of the processing activities itself; however, we take advantage
of third parties' services in certain cases (hereinafter referred to as the "processors"). Our company chooses,
after careful consideration, only contract workers/entities who provide the maximum warranty for the security
of personal data. Under the contracts with the processors, they are obliged to provide at least the same level
of the protection of the passed personal data as our company and, at the same time, the processors are
obliged to keep the data confidential. The processor is entitled to handle the passed data exclusively for the
purpose of the performance of the activity under the contract. Even when using cloud storage, the level of
protection required by applicable law is ensured.
The processors are for example as follows:
- providers of software services and applications (personnel and accounting system, etc.),
- providers of IT services, applications, and cloud repositories,
- providers of accounting services,
- providers of archiving services,
- legal representative, or, where appropriate, entities collecting our receivables,
- marketing agencies,
- financial and tax advisors, auditors.
• Our business partners – if we charge somebody to perform a certain activity that is a part of our services,
provision of personal data can be required. Such entities themselves become the administrators of your
personal data (e.g. carriers or Česká pošta in particular).
• Our advisors – if it is necessary for the provision of advisory services to our company or if it is necessary for
the protection of our company's rights and interests (e.g. legal representative, tax and economic advisor,
network security consultant, auditors, insurance companies or insurance brokers, banks, courts, court
executors, auctioneers etc.).
• Companies within the ČD group – within the ČD group, we pass certain personal data of our business
partners, customers or employees and members of our bodies, in particular, for the purpose of internal
administration and reporting. However, the purpose can be also facilitation of contracts' conclusion, provision
of performances or solving certain matters.
• State authorities or other entities, in cases when our company is obliged to do so under a legal regulation
(e.g. state administrative bodies, supervisory bodies, prosecuting authorities, courts, executors, notaries,
trustees in bankruptcy).
• Your personal data can be provided also to other entities with your consent or under your instruction.
• Our company is authorized to pass your personal data within the EU in accordance with the principle of free
movement of persons without restriction. Our company is also authorized to pass personal data outside the
EU, e.g. if the processor processes personal data in servers which are located in non-EU countries, or if a
business partner from outside the EU is the only one who provides the service or product of the required
quality. In all these cases, our company requires from its business partners, in accordance with the GDPR,
to ensure at least the same level of protection of personal data as our company provides. Our company will
pass the personal data only under warranty that you, as a data subject, are sufficiently protected.


10. GROUP ČD
The following companies belong to the ČD group:
• ČD, a.s.
• ČD Cargo, a.s.
• Výzkumný Ústav Železniční, a.s.
• DPOV, a.s.
• ČD - Informační Systémy, a.s.
• Dopravní vzdělávací institut, a.s.
• ČD Reality, a.s.
• RailReal a.s.
• ČD - Telematika a.s.
• ČD travel, s.r.o.
• Smíchov Station Development, a.s.
• Žižkov Station Development, a.s.
• ČD Restaurant, a.s.
• JLV, a.s.
• Masaryk Station Development, a.s.
• CR-City a.s.
• RS residence s.r.o.
• Hit Rail, B.V.
• BCC, s.c.r.l.
• EUROFIMA


11. DURATION OF YOUR PERSONAL DATA STORAGE
We process your personal data for the period necessary to meet the purpose for which they have been collected or
subsequent purpose. We will process most of your personal data during the duration of the contractual relationship,
as the purpose of processing lasts during that period.
In most cases, the law directly determines how long some personal data must be processed - for example,
accounting data for 10 years, etc.
If a legal regulation does not directly stipulate a specific period during which personal data have to be processed,
we consider that the purpose of processing continues for the period when the exercise of legal claims from this
activity is imminent (usually a ten-year limitation period) and one more calendar year after all imminent legal claims
terminate (i.e. in case of a contract, 11 years after the contracting relationship terminates).²
The CCTV records are kept for 14 days after they are taken unless the need for an extended storage period arises (if
the CCTV record captures damaging behavior, in the event of a dispute and the consequent need to make claims
or defend rights). We also keep records of the visitors' book for 14 days after the day they were taken, unless
the need for their extended storage arises (e.g in the event of an accident or other similar extraordinary events). For
employees and members of the statutory body of our company, we have an attendance (chip) system where the
primary records of this system are kept for 12 months unless the need for their extended storage arises (e.g. in the
event of a dispute and making claims or defending rights).
If we process your personal data with your consent, we will process it for the period specified in your consent or until
the withdrawal of your consent.


12. WHAT ARE YOUR RIGHTS AND OPTIONS?
² We keep the personal data for the period of one year after the expiry of the limitation or prescription periods in order to
be sure that no claim against our company was filed before the court or another authority even on the last day of the period.
• Right for information and explanation
Our company is obliged to provide you with information specified in this document, briefly, transparently and
comprehensibly. If any provision of this document is not clear to you or it is not completely understandable
for you, don't hesitate to contact us.
• Right to withdraw consent
In cases when we collect and process data based on your consent, you are entitled to withdraw the consent
anytime. Granting the consent is completely voluntary. If you withdraw your consent, it has influence neither
on the processing activities that took place at a time when the data were effectively provided nor on the
processing activities that our company is obliged to make for a reason of an earlier granted consent and the
already completed processing activities (for the reason of observing legal obligations or the protection of our
justified interests).
The withdrawal of the consent is free of charge and you can make it via the authorized employee:
Mgr. Nikola Kortánová
lawyer
Výzkumný Ústav Železniční, a.s.
Prague 4 - Braník, Novodvorská 1698/138b, PSČ 142 01
E-mail: gdpr@cdvuz.cz
Phone: +420 725 873 150
• Right of access to personal data
You are entitled to obtain confirmation from our company on whether your personal data are processed. If
so, we will provide you with any related information in the extent required by Article 15 of the GDPR.³
In order to ensure that this right is not abused by another person and to prevent us from passing all your
personal data to an unauthorized person, we are obliged to verify the identity of the person claiming the right
of access as described in point 13 of this document below.
³ We will communicate to you the categories of personal data that we process, the purposes of processing, the categories of
recipients to whom personal data can be made available, the planned duration of data processing, information about the
source of these data, information about your rights and information whether automated decision-making takes place.
• Right to raise an objection
If we process personal data for the purposes of the justified interests of our company or a third party, you are
entitled to object against such processing in cases when it is justified by your specific situation – i.e. in case
when the processing itself is admissible but there are specific reasons on your side why you do not wish the
processing to take place.
Our company will have to review the processing that takes place. It will not process such personal data
anymore unless there are substantially justified reasons for processing that prevail over your interest for the
protection of your privacy or other interests, rights and freedoms or unless the processing is carried out in
order to stipulate, exercise or defend our company's legal claims.
If we process personal data for the purposes of direct marketing, you can object to such processing of
personal data anytime. You can exercise such right also by technical means (unsubscribing to deliveries of
commercial communications). Afterward, our company will not process your personal data for the purposes
of direct marketing. However, they can continue to be processed for other purposes.
You can exercise your objection, as well as your other rights, at the above-mentioned contacts of our company
(see item 2 of this document). Please always describe your specific situation which leads you to the conclusion
that our company should not process your personal data.
However, the option to raise objection does not apply to all cases of processing; it cannot be claimed in case
when we process your data on another legal basis than the necessity for a justified purpose – e.g. for the
reason of necessity for the performance of the contract or the fulfillment of statutory obligations.
• Right for correction or completion, if applicable
If you consider that we process inaccurate data, you are entitled to notify us about it and to request correction
or addition.
• Right for deletion (so-called right "to be forgotten")
You are entitled to ask for deletion of your personal data if the conditions of Article 17 of the GDPR are fulfilled
- in particular, the data is no longer necessary for the purposes listed above, consent was withdrawn or other
legal title ceased to exist, you raised rightful objection against processing, personal data are not needed
anymore for the purposes for which they were collected, etc.
• Right for restriction
You are entitled to ask for restrictions on the processing of your personal data under conditions defined in
Art. 18 GDPR.
• Right for the portability of data
Art. 20 of GDPR guarantees you the right to obtain your personal data from our company that you have
provided to us yourself, in a structured, commonly used and machine-readable format. We can pass these
data to you or another administrator if you request so and if it is technically feasible. This right can be
exercised in case that (i) the reason of processing is your consent or the performance of a contract or the use
of our company's service and, at the same time (ii) our company performs the processing in an automated
manner.
• Right to file a complaint to a supervisory body
If you do not agree with the manner in which we process your personal data or if you disagree with our
company's attitude, you can address the Office for Personal Data Protection with your complaint anytime:
Úřad pro ochranu osobních údajů
postal address: Praha 7, Pplk. Sochora 27, PSČ 170 00
tel.: 234 665 111
e-mail: posta@uoou.cz
web: www.uoou.cz


13. HOW ARE WE DEALING WITH YOUR OBJECTIONS AND REQUESTS?
The exercise of your rights must not affect the rights of others.
If you address our company with an objection or with a request for exercising any of your statutory rights, we will
inform you about the measures taken. If we do not take any action, we will inform you about it and we will explain to
you the reasons. We will provide you with this information not later than one month from the delivery of the request.
If it is necessary to extend such period due to the complexity and the number of requests, we will notify you about it
also not later than one month from the delivery of the request together with the reasons of postponement. We will
extend the period for not more than two more months. We will do our best in order to provide you with information
about measures taken as soon as possible.
We will provide you with information about the measures taken in the same way as you requested them. Any and
all objections and requests and our responses are made and provided free of charge. However, if your requests
keep repeating or are apparently unreasonable, we can request the compensation for costs related to the provision
of information or we can even refuse to comply with a request.
Our company can comply with your requests or objections only if it has no doubts regarding the identity of the person
that submits the request or objection. We have to make sure that the rights are not abused by other persons and
your personal data are not passed to another person without authorization. Therefore, our company verifies the
applicant's identity by demanding additional information by which the applicant's identity is confirmed to us or by the filing
of the request or objection with an officially authenticated signature. In case that a request or an objection is submitted
personally at our branch, we will request that your identity is proved by producing an ID-document.


14. CONCLUSION
This document becomes effective on 25 May 2018 and will be continuously updated.

Výzkumný Ústav Železniční, a. s. (VUZ)
Novodvorská 1698/138b, Praha 4
phone: +420 241 493 135
VAT CZ27257258
Registered in the Commercial Register maintained by the Municipal Court in Prague, Section B, File 10025
Zkušební centrum VUZ Velim
281 02 Cerhenice
VUZ Slovakia, s. r. o.
Seberíniho 1
821 03 Bratislava – Ružinov
Slovakia