Privacy Policy

INFORMATION ABOUT THE CONTROLLER OF YOUR PERSONAL DATA

Výzkumný Ústav Železniční, a.s., ID No. 27257258, is the controller of your personal data, which it processes in accordance with the requirements of Regulation (EU) No. 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the "General Regulation", and Act No. 110/2019 Coll. on the processing of personal data.

 

Contact address of the controller:

Výzkumný Ústav Železniční, a.s.

Novodovorská 1698/138b

142 00 Prague 4

Phone: (+420) 241 493 135

e-mail: e-podatelna@cdvuz.cz

DS ID: m37gziu

 

Within our company, there is a data protection coordinator who serves as your contact person for any questions, requests or applications concerning the processing of personal data.

 

Contact details of the Data Protection Officer:

Mgr. Zdeněk Novák

Phone: (+420) 543 214 714

E-mail: gdpr@cdvuz.cz

DS ID: m37gziu

 

DEFINITION OF BASIC TERMS

Personal data – any information which, by itself or in combination with others, leads or may lead to the identification of a specific natural person (data subject).

Personal data fall into two categories:

General personal data – in particular, name, surname, gender, date of birth or age, home address, email address, telephone number, nationality, education, employment data (name of employer, job title), image, sound or audiovisual record of a person, description of a person's appearance, network identifiers, location data, indication of the amount of wages or claims or evaluation of work performance, etc.

Special categories of personal data – data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning the health or sex life or sexual orientation of a natural person.

Data subject – the natural person to whom the personal data relates (e.g. a job applicant, employee, trainee or intern, visitor to our website or our premises, representative of our contractor or its employee, etc.) 

 

Processing of personal data – any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, restriction, erasure or destruction.

 

Controller – our company as the entity which, alone or jointly with others, determines the purposes and means of processing personal data.

Processor – an external entity that processes personal data on behalf of the controller on the basis of instructions imposed by the controller and within the scope of a contract for the processing of personal data concluded in accordance with Article 28 of the GDPR.

 

WHY WE PROCESS YOUR PERSONAL DATA (PROCESSING PURPOSES)

VUZ processes personal data primarily for the purposes of:

  • contract or other agreement that you have entered into with us or have requested us to enter into (typically a tender application, employment contract, contract for work, service contract, insurance contract, purchase order, etc.); the legal basis for processing is in particular Article 6(1)(b) GDPR; in these cases, your consent to the processing of personal data is not required;
  • the legal rules to which we are bound (typically employment and tax law, accounting, occupational safety rules, etc.);
  • the legal basis for processing is Article 6(1)(c) GDPR, in these cases your consent to processing is not required; 
  • our legitimate interest, of which you are always informed in advance (in particular, the records on entrances and exits to our premises, the operation of CCTV in our premises, the records of suppliers or customers, network monitoring, the exercise or defence of our legal claims in out-of-court, judicial or administrative proceedings, etc.);
  • the legal basis is Article 6(1)(f) GDPR; in these cases, your consent to processing is not required;
  • consent to the processing of personal data that you have given us for a specific purpose (e.g. in connection with direct marketing, the use of your personal data for advertising or similar presentation purposes, the use of non-technical cookies, etc.); the legal basis for processing is Article 6(1)(a) GDPR.

Consent to the processing of personal data is a free, specific, informed and unambiguous expression of will, by which you give your consent to the processing of your personal data by means of a declaration or other manifest confirmation.

You will be asked to give your consent whenever we are not allowed to process your data on the basis of the performance of our legal obligation, the performance of a jointly concluded contractual arrangement or on the basis of our legitimate interest.

You have the right to withdraw your consent at any time or to request a change in its scope. We fully respect your decision to not  to give consent or to withdraw consent, and there will be no negative consequences for you.

 

SOURCES OF PERSONAL DATA

Personal data is extracted or obtained by our company:

  • from the data subject, i.e. from you (e.g. when negotiating a contract or other agreement, when submitting applications, requests, orders, etc.)
  • from other data controllers, if this is expressly required or permitted by law (e.g. data sent or made available by public authorities, data from insurance companies,  data from trade unions within permitted scope ) or if you have given your consent to the transfer of your personal data to our company;
  • from open or publicly available sources (in particular from publicly available registers and records, information published on the Internet, in advertisements, etc.);
  • from CCTV systems we operate to enhance the security of persons and property in our buildings and premises;
  • from providers of telecommunication services or other services used by our company (e.g. in the context of billing for  company telephones, checking the use of company vehicles, monitoring the use of company computers, laptops, etc.)

 

TRANSMISSION AND STORAGE OF PERSONAL DATA

We only share your personal data in justified cases and to the extent necessary to authorised recipients to whom we are obliged to disclose such data in order to fulfil our legal obligations or authorisations under applicable law.

In specified cases, we utilize an external processor to process your personal data, with whom a contract for the processing of personal data is always concluded in accordance with Article 28 of the General Regulation. In this contract, we enforce processing instructions and obligations on the processor to ensure that your data is as secure as possible given the associated risks.

Within some companies of the ČD Group, to which we belong, employee personal data is transferred between them for internal administration and payroll processing purposes. The list of the ČD Group's members is provided below.

 

AUTOMATED DECISION MAKING

When processing personal data, our company does not engage in automated decision-making, including profiling, that would affect your rights or legitimate interests.

 

LENGTH OF PROCESSING AND RETENTION OF PERSONAL DATA

We process your personal data only for the necessary period of time, which is individual for each processing purpose. After this period, the personal data is securely disposed of permanently or further stored for the period specified in the relevant Filing and Shredding Code. These time limits are determined by the relevant special legislation or the time needed for possible defence or enforcement of our legal claims.

If we process personal data on the basis of your consent, we will only do so for the period specified in the consent or until you withdraw your consent.

 

SECURITY OF PERSONAL DATA

In accordance with the applicable legislation, our company secures the personal data it handles using all appropriate technical and organisational measures to ensure the highest possible level of protection, taking into account the nature, scope and purposes of the processing and the likely risks. We have security and control mechanisms in place in an effort to prevent unauthorised access to or transfer of data, its loss, destruction or other possible misuse. The effectiveness of these security measures is regularly monitored and audited.

Employees or authorised representatives of our company who have access to your personal data are obligated to maintain confidentiality. Only authorized employees have access to your personal data within the scope of their role.

If we transfer or disclose personal data to other entities, they are bound by a legal or contractual duty of confidentiality. At present, we strive to select only those partners who are sufficiently trustworthy and provide adequate security for the data transferred.

 

THE RIGHTS OF THE DATA SUBJECT AND HOW TO EXERCISE THEM

Regarding the processing of your personal data, you have the right to access, rectify or delete your personal data, or restrict processing, object to processing, or exercise the right to data portability and other rights under the General Data Protection Regulation.

You can exercise your rights through the data protection officer, whose contacts are listed above, in the following ways:

  • by writing to the address of the headquarters of the VUZ; in the upper left-hand margin, please write "GDPR"
  • electronically by e-mail, with a qualified or guaranteed electronic signature of the applicant, sent to the Data Protection Officer's e-mail address or to our electronic mailroom,
  • electronically via the applicant's data box,
  • by submitting the application in person at the VUZ headquarters; please bring your identity document with you in order to identify the applicant.

Your request will always be duly considered and handled in accordance with the relevant provisions of the General Regulation. If you disagree with the handling of your requests and applications, you have the right to lodge a complaint with the Data Protection Authority.

 

MEMBERS OF čd GROUP

ČD Groups currently includes the following companies:

  • ČD, a.s.
  • ČD Cargo, a.s.
  • Výzkumný́ Ústav Železniční, a.s.
  • DPOV, a.s.
  • ČD – Informační Systémy, a.s.
  • Dopravní vzdělávací institut, a.s.
  • ČD Bus, a.s.
  • RailReal a.s.
  • ČD – Telematika a.s.
  • ČD travel, s.r.o.
  • Smíchov Station Development, a.s.
  • Žižkov Station Development, a.s.
  • ČD Restaurant, a.s.
  • JLV, a.s.
  • Masaryk Station Development, a.s.
  • CR-City a.s.
  • Hit Rail, B.V.
  • BCC, s.c.r.l.
  • EUROFIMA