Further information on the processing of personal data

When processing personal data, ČP adheres to the principle of lawfulness and therefore processes personal data to the appropriate extent and in compliance with at least one of the following conditions (legal grounds):

  1. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  2. Processing is necessary for compliance with a legal obligation to which ČP is subject;
  3. Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  4. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in ČP;
  5. Processing is necessary for the purposes of the legitimate interests pursued by ČP or a third party;
  6. Processing is based on the data subject's explicit consent.

Purposes and legal grounds for processing

The purposes of personal data processing, as well as information on legal titles, including the legitimate interests of the controller or a third party, or information on whether certain personal data processing is feasible only on the basis of the client's free and active consent, are always expressed in the contract concluded between ČP and the client, or in the terms and conditions supplementing the contract (e.g., postal terms and conditions available at www.ceskaposta.cz, hybrid mail service terms and conditions available at www.postservis.cz, certification authority service terms and conditions available at www.postsignum.cz).

Within the framework of the contract concluded between ČP and the client, personal data is also processed for the purpose of fulfilling ČP's obligations arising from legal regulations (tax regulations and, where applicable, other public law regulations).

The records of visitors to ČP establishments and accommodation facilities contain only basic identification data of clients.

ČP also processes personal data on the basis of its legitimate interests. The legitimate interests of ČP are, in particular:

  • prevention of fraud, protection of the company's assets and reputation (in this context, ČP, for example, conducts checks on selected third parties); 
  • keeping records of ČP clients who have been contacted by ČP sales representatives regarding an offer to conclude a contract with ČP. ČP also keeps records of clients who conclude contracts via internet applications (e-shop, online mail, and others) and clients who conclude lease and purchase agreements. For record-keeping purposes, ČP only records basic identification data of clients;
  • determination, exercise, or defense of legal claims (e.g., complaint proceedings, conclusion of a payment schedule, resolution of a legal dispute, etc.);
  • improvement of the quality of services provided (in this context, ČP processes personal data from email communication with clients, for example. Personal data is stored for a maximum of 3 years);
  • ensuring security;
  • direct marketing (i.e. processing the personal data of existing ČP clients for the purpose of directly contacting them with commercial offers, ČP research, or other commercial communications. If a client objects to direct marketing for a specific service, ČP will immediately cease processing their personal data for this purpose and sending commercial offers for the service in question);
  • checking of established technological processes, protection of property and persons due to security risks when handling financial resources, detection and prevention of criminal activity, and control within the framework of complaint procedures (in this context, ČP processes video recordings from the camera system located in ČP buildings and premises).

In all cases where ČP processes personal data on the basis of an expressed legitimate interest, the client has the right to object to such processing. After an objection is filed, ČP will assess whether the client has rights and freedoms that would outweigh the serious legitimate reasons for processing personal data. If the assessment is positive, ČP will comply with the client's objection. 

All personal data processed by ČP is properly secured using appropriate organizational and technical measures.

Recipients of personal data

The recipient is a natural or legal person to whom personal data is provided by ČP. Public authorities that may obtain personal data in the course of a special investigation in accordance with specific legal regulations are not considered recipients; the processing of such personal data by these public authorities must comply with the applicable personal data protection rules for the given processing purposes. 

ČP only transfers the customer's personal data to recipients specified in the contract concluded between ČP and the customer (or on the website referred to in the contract), and therefore the transfer of such data is necessary for the performance of the contract. In particular, a personal data processor who processes personal data for ČP in accordance with the concluded contract is considered a recipient.

A list of processors who process personal data under a contract with ČP can be found here.

Transfer of personal data abroad

Personal data may only be transferred abroad when a customer sends a postal item abroad. In such cases, the transfer of personal data abroad is necessary for the fulfillment of the postal contract between the customer and ČP. Personal data in the form of name, surname, and address are also transferred to authorized foreign postal operators and customs authorities for customs clearance purposes in the country specified by the customer, in order to improve and facilitate operational and national security and the enforcement of rights in accordance with national legislation and the rules of the International Post Corporation.

Retention period for personal data

The period for which personal data is stored, or the criteria for determining this period, are always specified in the contract concluded between ČP and the client. For record-keeping purposes, the storage period is set at one year from the date of negotiation of the contractual relationship (data on potential clients), or ten years from the date of termination of the contract with the client. In accordance with generally applicable legal regulations, clients' personal data is stored in accordance with the Act on Archiving and Filing. When ČP stores client data, it also records all other information provided by the client about individuals with whom they cooperate or whose data is necessary for the performance of the contractual relationship. The client is obliged to inform these individuals in a similar manner about the transfer of their personal data to ČP.

Processing of personal data in the context of public procurement

Česká pošta processes personal data for the purpose of administering tender procedures in accordance with Act No. 134/2016 Coll., on Public Procurement (hereinafter referred to as “ZZVZ”), as well as selection procedures carried out outside the ZZVZ regime in accordance with the contracting authority’s internal regulations.

Categories of personal data processed:

  • Identification details of participants in the proceedings and their subcontractors, members of their statutory bodies, and members of implementation teams (first name, last name, title)
  • Contact details of the above persons (email, telephone)
  • Bank details of participants in the proceedings
  • Details recorded in the commercial register of participants in the tender procedure and their subcontractors
  • Data on participants' social security and tax arrears
  • Data on entries of participants and members of their statutory bodies in the criminal register
  • Data on education and professional qualifications, or other data specified in the CVs of implementation team members submitted in the bids of participants in the proceedings

Personal data forms part of bids/requests to participate and similar sets of documents, including explanations of tender documentation and other documents from suppliers, submitted/sent as part of tender/selection procedures, and as such is archived by the contracting authority for a period of 10 years in accordance with the Public Procurement Act. In the event of a review of the award of a public contract, personal data may be provided to the Office for the Protection of Competition or another administrative or judicial authority with supervisory powers.

Some personal data is also published to the extent specified by the Public Procurement Act (identification and address details of participants in tender procedures and the selected supplier).

The processing of data to the extent specified above is necessary for the fulfillment of ČP's legal obligation as a data controller within the meaning of Article 6(1)(c) of the GDPR.

Processing of personal data in the exercise of public administration powers

The Czech Post acts as an administrative authority within the scope of Czech POINT public administration contact points and also within the scope of document and signature verification.

When providing services at Czech POINT public administration contact points, Česká pošta (hereinafter referred to as “ČP”) acts in accordance with Act No. 365/2000 Coll. on public administration information systems and other legal regulations. These information systems contain personal and other data administered by individual state administration bodies, i.e. ministries and other state authorities (administrators of public administration information systems or registers that provide extracts or other outputs to the Czech POINT information system).

Under the aforementioned Act, the Czech Post is authorized to provide outputs from public administration information systems at the request of the data subject. The information system through which the public administration contact points operate is administered by the Digital and Information Agency. This information system is a public administration information system. ČP is not responsible for the content of the services provided in connection with the issuance of extracts or other outputs from this system and does not collect or store data from this system.

Based on the above, in the event of a request to exercise rights under the GDPR, ČP does not provide any information on the processing of personal data of data subjects in public administration information systems, as it is not the controller of the data contained in these systems.

Written requests submitted to ČP establishments by data subjects for the purpose of providing ČP services as a public administration contact point and in accordance with the aforementioned legal regulations are archived in a manner specified in accordance with applicable legal regulations and are not used to create personal data records.

The outputs provided at the request of data subjects through the Public Administration Information System by Czech Post and other public administration contact points are listed here:

  • Extracts from the central register of drivers and the register of participants in the ISOH end-of-life vehicle module (Act No. 361/2000 Coll., on road traffic and the register of participants in the ISOH end-of-life vehicle module, Act No. 352/2008 Coll., on details of the handling of end-of-life vehicles)
  • Extracts from the Criminal Register (Act No. 269/1994 Coll., on the Criminal Register)
  • Requests and notifications concerning ISDS
    • The purpose of processing personal data by the public administration contact point is to process requests for the creation of a data box, the invalidation of access data, adding an authorized person, making a data box inaccessible, making a data box accessible again, authorizing and canceling the delivery of documents within the framework of private law communication, and notifying of a change in the statutory body – in accordance with Act No. 300/2008 Coll., on electronic acts and authorized conversion of documents.
  • Requests concerning Basic Registers (Act No. 111/2009 Coll., on Basic Registers)
    • Extract from the population register
    • Public extract of data from the register of personse
    • Non-public extract of data on a natural person conducting business from the register of persons
    • Statement on the use of data from the population register
    • Record of data use in the register of persons
    • Request for change of data in the population register
    • Request for correction of data in the event of a discrepancy in the register of persons
    • Request for disclosure of data to a third party
  • Extract from the Insolvency Register (Act No. 182/2006 Coll., on Bankruptcy and Methods of its Resolution (Insolvency Act)
  • Mediation of submissions under the Trade Licensing Act (Act No. 455/1991 Coll., on Trade Licensing (Trade Licensing Act)
  • Other services provided by the public administration contact point (regulated by special legal provisions):
    • Extract from the public register
    • Extract from the land register
    • Image from the cadastral map
    • Extract from the Criminal Register for legal entities
    • Extract from the Trade Register
    • Extract from the list of qualified suppliers
    • Performing identification and drawing up a public document on identification

Certification (verification of documents) and legalization (verification of signatures), authorized conversion of documents from paper to electronic form and vice versa from electronic to paper form

When providing these services, ČP proceeds in accordance with the law, specifically Act No. 21/2006 Coll., on verification, and Act No. 300/2008 Coll., on electronic acts and authorized conversion of documents. ČP is not responsible for the content of documents submitted by data subjects for the provision of these services.

Evidence of certifications and legalizations is kept in a verification book, which includes the signatures of applicants that have been legalized. The verification book also includes a list of signature samples of the certifying persons performing the certification and legalization. The verification book is kept for one calendar year. After its closure, it is stored at ČP for a period of 10 years.

As the entity performing the conversion, the Czech Post is required to keep records of all conversions performed, with specified content for each conversion record. The entity performing the conversion is required to keep the records for 10 years after the conversion is performed, in order to be able to prove the authenticity of the converted documents if necessary. Each authorized conversion performed is recorded in a repository administered by the Digital and Information Agency. The repository does not store the converted documents themselves, but only clauses marked with a unique identifier, which can be used to remotely verify whether such a conversion has actually been performed. The application is available at: https://www.czechpoint.cz/overovacidolozky/

Processing of personal data of ČP Customer Card holders

This information supplements the information already provided to customers in the new Customer Card forms, which have been available at ČP branches since May 25. We hereby inform existing customers who have received the new terms and conditions, effective from the above date, that the scope of personal data remains the same as before, with the aim of this addition being to specify more precisely the purposes for which personal data is processed, which is not stated on older forms.

The personal data of the customer card applicant will be processed to the extent that it was provided to ČP in the customer card application and for the duration of the applicant's use of the "Česká pošta Customer Card" Customer Program in accordance with the Terms and Conditions available at www.zakaznicka-karta.cz, or until the consent is revoked, if provided, or an objection to the processing is filed.

The scope of data processed according to the application for a ČP Customer Card is as follows: first name, last name, address, telephone number, e-mail address, and, depending on the type of application, date of birth, place of birth, Czech Post employee number, and identification number of a natural person engaged in business.

The purposes of personal data processing are as follows:

1/ Client identification and contract fulfillment, customer card management, including sending operational information about the service.

For this purpose, we use the full range of address and contact details you have provided. The provision of data is a contractual requirement.

2/ Sending commercial communications about ČP products and services – physically to your address/by email.

For this purpose, which is our legitimate interest, we use data such as your first name, last name, address, and, in the case of electronic business communications, your email address. We may also send you targeted commercial offers for products and services provided by ČP based on the automated processing of the aforementioned personal data, including information about your transaction history (service preferences). We may use contractual processors for this processing.

If you do not agree with this processing, please exercise your right to object.

3/ Conducting marketing research and analysis

For this purpose, which is our legitimate interest, we use the full range of address and contact details you have provided, as well as data obtained from your transaction history (purchasing preferences) within the customer program. We may then contact you as part of research and analysis to improve our services. We may use contractual processors for the purposes of conducting surveys. If you do not agree to this processing, please exercise your right to object.

4/ Sending commercial communications about third-party products and services – only with CONSENT

If you have given your express consent on the ČP form, we may, in accordance with the above-mentioned purpose of processing, which consists in sending and targeting commercial communications by post/electronically, also send and target offers from our business partners who have concluded a contract with ČP for the sending of commercial offers, but to whom

we will not pass on your personal data. For this purpose, we will process data in the scope of name, surname, address, email, transaction history data (service preferences).

5/ Implementation of targeted commercial offers, marketing research, and analyses using data obtained from research or publicly available sources – only with CONSENT

If you have given your express consent on the ČP form, we use the full range of address and contact details you have provided for this purpose, as well as data obtained from your transaction history (purchasing preferences), marketing research data, and data obtained from publicly available sources (the internet). Based on this data, we may send you targeted commercial offers from ČP or third parties. We may also contact you as part of marketing research and analysis in order to improve the services provided by ČP or its contractual partners. We may use contractual processors to implement these offers and contact you.

YOU CAN EASILY WITHDRAW YOUR CONSENT by sending a message to gdpr@cpost.cz. Please also send any OBJECTIONS you may have to the processing of your personal data to this address.

A prerequisite for processing your rights is your unambiguous identification, which requires that you provide the same information in your email request the same information that ČP has on record based on your customer card application, i.e., we must receive the request from the corresponding email address (registered according to your application) and it must contain your first name, last name, and address, or possibly also your employee number, as you provided in your customer card application.

A list of processors who process personal data under contract with ČP can be found here.

Processing of personal data of SIPO payers

Information on the processing of personal data is based on the SIPO Terms and Conditions for Payers, published at https://www.ceskaposta.cz/sluzby/platebni-a-financni-sluzby-cr/sipo.

We process the personal data you provide on SIPO forms for the following purposes:

1/ Client identification and contract fulfillment, administration and provision of SIPO services, including sending operational information about the service.

For this purpose, we use the full range of address and contact details you have provided in the completed form. The provision of data is a contractual requirement.

2/ Sending commercial communications about ČP products and services – physically to the address/electronically (email/SMS).

For this purpose, we use data such as your first name, last name, address, email address, and telephone number. If you do not agree with this processing, please exercise your right to object.

3/ Processing of information on the payer's transaction history, including information on specific recipients of their payments.

For this purpose, we use data such as your first name, last name, address, email address including domain, transaction history, bank code, and information about the recipients of your payments. This information will be used for analytical research and Payer segmentation. ČP will then use these analyses to improve the quality of its services; for example, it may contact the Payer with an offer of advice on optimizing household costs. This is our legitimate interest. If you do not agree with this processing, exercise your right to object.

4/ Alternatively, if you have previously given your express consent, we process your personal data for the purpose of conducting marketing research and sending targeted commercial offers from ČP and its contractual partners – only with your CONSENT.

For this purpose, we use your personal data provided in the SIPO service application and data obtained on the basis of the SIPO service you use, such as information about the recipients of your SIPO payments. Based on the evaluation of this data, we may then contact you in order to improve the services we provide or to send you a commercial offer that may be of particular interest to you. We may also send you commercial offers from our contractual partners who have concluded an agreement with ČP on the sending of commercial communications, but to whom we do not transfer your personal data.

5/ Alternatively, if you have previously given your express consent, we will pass on your personal data to the recipients of your SIPO payments – only with your CONSENT.

On the new SIPO forms (available at post offices from November 1, 2020), you have the option to grant the above-mentioned consents and, if necessary, also submit objections directly at the ČP office.

YOU CAN EASILY WITHDRAW YOUR CONSENT by sending a message to gdpr@cpost.cz. Please also send any OBJECTIONS you may have to the processing of your personal data to this address. In order for us to process your rights, we need to be able to clearly identify you, so it is necessary that you include the following information in your email request the same information that ČP has on file based on your SIPO application (completed form), i.e., the request must include your SIPO connection number, first name, last name, and address as you provided them on the SIPO form when applying for its establishment or change.

A list of processors who process personal data under contract with ČP can be found here.

Processing of personal data of customers as persons interested in the products and services of ČSOB Bank and other Financial Partners

In general, Česká pošta acts as a processor of personal data when providing financial services. The controller of such data is the relevant Financial Partner or the ČSOB Group. Information on the processing of personal data in connection with the services provided can be found on the ČSOB Group website at www.csob.cz.

You can also submit your request under the GDPR at a specialized Czech Post counter, which will immediately forward it to ČSOB for direct processing.

This information supplements the information on the processing of personal data provided to customers during a telephone call between an employee of Česká pošta and a customer interested in the products and services of ČSOB bank and other financial partners.

The recording of telephone calls with persons interested in a product or service is required of Česká pošta by certain legal regulations, such as MiFID (the European Markets in Financial Instruments Directive), and is also necessary to ensure high-quality customer service, particularly for handling customer requests and suggestions. Česká pošta is the controller of customers' personal data for this purpose.

When processing personal data, we comply with legal regulations, in particular the GDPR. This is always done only to the extent specified by the specific service or purpose of processing.

The personal data of applicants for a product or service will be processed to the extent that it was provided to ČP during a telephone call in accordance with the Terms and Conditions relating to the specific product or service.

Purposes and nature of personal data processing:

Processing of personal data for the purpose of recording and storing telephone calls. Personal data is processed for the purpose of fulfilling the obligations of Česká pošta as a financial services intermediary for ČSOB bank and other financial partners directly under the law, as well as for the purpose of handling customer complaints and claims.

Scope of personal data processing:

For this purpose, we use the full range of address and contact details provided. The provision of data is a contractual requirement for a specific product or service.

The scope of data processed according to the product or service request is as follows: first name, last name, address, telephone number, e-mail address, and, depending on the type of request, date of birth, place of birth, and identification number of the natural person conducting business.

Subject and processing time:

Customers' personal data will be processed and stored for a period of 10 years from the date of its provision during a telephone call, unless otherwise provided by law.

Method of processing personal data:

 Customers' personal data is processed primarily electronically and automatically as part of telephone call recordings.

Provision of personal data to third parties:

Personal data of customers provided during a telephone call are transferred to third parties only if required by law, in particular by the Czech National Bank in the exercise of its supervisory powers, and only to recipients who provide a specific product or service, i.e. where the transfer of such data is necessary for the performance of a contract.

The recipient of personal data is, in particular, ČSOB Banka as a personal data processor for the purposes of recording telephone calls, which, on the basis of a contractual relationship, provides Czechia with the recording and storage of telephone calls, or T-Mobile as a sub-processor of personal data.

ČP transfers customer personal data only to those recipients who are specified in the contract concluded between ČP and the customer (or on the website referred to in the contract), and therefore the transfer of this data is necessary for the purposes of performing the contract. The recipient is considered to be, in particular, the personal data processor who processes personal data for ČP in accordance with the concluded contract.

Processing of personal data in connection with assessing the creditworthiness and trustworthiness of consumers

Česká pošta, s.p. processes the personal data of its customers on the basis of the conditions set out in Act No. 634/1992 Coll. on consumer protection, for the purpose of assessing the ability of consumers (natural persons engaged in business) to fulfill their obligations and to prevent fraudulent conduct. Under the aforementioned legislation, Česká pošta obtains and provides information on the creditworthiness of consumers, their payment history, and their trustworthiness through exchanges within information registers established under the aforementioned Act.

The scope of personal data processed by Česká pošta is determined by Act No. 634/1992 Coll.:

  • Consumer identification data,
  • data on the consumer's financial obligations arising from contracts between the consumer and sellers using the register, and
  • the time period to which the data relates.

The recipients of personal data in this case are entities designated as registry operators under Act No. 634/1992 Coll., which are independent personal data controllers.

Currently, Česká pošta cooperates with the REPI Register. Further information concerning the REPI Register, including information on clients' rights in connection with the REPI Register, is provided in the REPI Register Information Memorandum, the current version of which is available on the website: www.repi.cz.

Client identification and verification in the area of prevention of money laundering and terrorist financing

Česká pošta, s.p., with its registered office at Politických vězňů 909/4, 225 99, Prague 1, ID No.: 47114983, registered in the Commercial Register of the Municipal Court in Prague, Section A, File 7665 (ČP), is an obligated entity under Act No. 253/2008 Coll., on measures against the legalization of proceeds from crime and terrorist financing, as amended (AML), and with regard to this fact, certain obligations arise for it from this Act.

Based on the above-mentioned Act, ČP, as a personal data controller, is authorized to obtain and process information and personal data about clients (data subjects) and, where applicable, their representatives (this applies to legal representatives, authorized representatives based on a power of attorney, and guardians), whereby this data is further processed for the purpose of ensuring ČP's obligations under the AML Act, in accordance with the rules of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (GDPR). Personal data is subject to the highest possible level of organizational and technical security measures to ensure its protection.

The personal data of data subjects may also be transferred to the Financial Analytical Office (FAÚ) as the supervisory state authority in the area of AML.

The scope of personal data processing, i.e., what information is ČP authorized to obtain and record?

For individuals (from the ID card presented)

  • First and last name
  • Gender
  • Birth number/date of birth
  • Place of birth
  • Identity card details (type and number of card, date of issue, date of expiry, issuing authority), with the ČP employee verifying that the applicant's appearance matches that on the identity card
  • Citizenship
  • Permanent residence
  • Whether the person is politically exposed*
  • For self-employed individuals, also place of business and ID number
  • Source of funds used
  • Purpose of payment

For legal entities (from the submitted document proving the existence of the legal entity for the person acting on its behalf in the given transaction)

  • Business name or title
  • Registered office
  • Company ID number
  • Details of the beneficial owner (first name, last name, date of birth, nationality)
  • Details of statutory bodies (first name, last name, permanent address, date of birth)
  • Details of the person acting on behalf of the legal entity in the transaction (to the same extent as for natural persons).
  • Source of funds used
  • Purpose of payment

In order to fulfill the purpose of the AML Act, ČP may make copies or extracts from the submitted documents and process the information thus obtained.

ČP retains personal data for a period of 10 years from the date of the transaction or the termination of the business relationship with the client, and this period begins on the first day of the calendar month following the calendar month in which the last known transaction was carried out.

The data subject has the right to request access to their personal data from ČP, to have it corrected or to restrict its processing. In this case, the data subject's right to erasure is limited, as the processing of personal data is necessary for the purposes of fulfilling the obligations arising from the above-mentioned legal regulations for a specified period of time. At the same time, the data subject has the right to lodge a complaint with the supervisory authority.

* A politically exposed person within the meaning of Act No. 253/2008 Coll. is understood to be:

  1. a natural person who holds or has held a significant public office of national or regional importance, such as head of state, prime minister, head of a central government body and his or her deputy (deputy minister, secretary of state), a member of parliament, a member of the governing body of a political party, a leading representative of a local government, a judge of the supreme court, constitutional court, or other supreme judicial body whose decisions are generally, with some exceptions, not subject to appeal, a member of the central bank's board, a senior officer of the armed forces or corps, a member or representative of a member, if it is a legal entity, of the statutory body of a state-controlled commercial corporation, an ambassador or head of a diplomatic mission, or a natural person who performs or has performed a similar function in another state, in a European Union body or in an international organization,
  2. a natural person who is
  1. a person close to the person referred to in point (a),
  2. a partner or beneficial owner of the same legal entity, trust, or other legal arrangement without legal personality as the person referred to in point (a), or is known to the obligated person to be in any other close business relationship with the person referred to in point (a), or
  3. the beneficial owner of a legal entity, trust, or other legal arrangement without legal personality, which the obligated person knows to have been created for the benefit of the person referred to in point (a).

Vetting selected third parties

Česká pošta, s.p. (hereinafter referred to as “ČP”) processes personal data for the purposes of pursuing its legitimate interests, which are fraud prevention and protection of the company’s assets and reputation, within the framework of concluding contractual relationships with selected third parties. 

Selected third parties, which ČP screens before entering into a contractual relationship, are primarily parties interested in operating Pošta Partner, delivery partners, or Parcel Partners, suppliers selected through public procurement processes, business partners whose services or products ČP offers in its postal networks, parties interested in purchasing ČP real estate, and entities from which ČP leases premises.

Based on the above and for the above purpose, ČP obtains data on natural persons (whether acting independently or within legal entities) from publicly available registers and publicly available sources on the internet, including internet media, to the extent published there. 

Personal data is transferred to third parties in cases where this is necessary for the purposes of fulfilling a legal obligation. 

ČP stores personal data for a period of 10 years from the date of verification.