PRIVACY POLICY AND PRINCIPLES OF PERSONAL DATA PROCESSING

We process personal data lawfully, fairly, and transparently, solely for specified and legitimate purposes, to the necessary extent, with an emphasis on accuracy, limited storage duration, and security. The controller is responsible for demonstrating compliance (principle of accountability).

• Identification and contact details from web forms (name, surname, e‑mail, telephone) and the content of the message including attachments.
• Technical and operational data (IP address, access logs) for security purposes.
• Cookies and similar technologies, if they contain personal data.

We process only those data necessary to properly fulfil our contractual obligations, legal obligations related to proper identification of contractual partners, the subject and content of the relevant contract, to provide professional services, to comply with our legal obligations and to protect our legitimate interests as well as the legitimate interests of data subjects. We mainly collect data about our employees, suppliers, and customers (including members of statutory bodies and employees), and, for example, about visits to our premises.

We mainly process the following categories of data:

• Identification data: title, name, surname, date of birth, identity card number, business identification number (for self-employed individuals), and, where required by law or a duly documented contractual reason and where such data cannot be substituted by other personal data, personal identification number.
• Address data: permanent residence address, delivery or other contact address, telephone, e‑mail address.
• Other personal data: bank account number, other personal data arising from the specific contract or from the law.
• Image recordings when making CCTV recordings in areas where we carry out our activities, while respecting the rights of data subjects according to the GDPR Regulation, the Czech Personal Data Processing Act and privacy protection under private law regulations.

Our company, ÚJV Řež, a. s., does not process special categories of personal data in view of the nature of its business activities, unless a specific form provides otherwise in exceptional and specific cases. For special categories, Article 9 of the GDPR applies. Such personal data, i.e., the personal data referred to in Article 9 of the GDPR Regulation, are processed by our company only exceptionally.

• Handling your request/enquiry (forms, e‑mail): performance of a contract or negotiations for a contract and/or legitimate interest in communication.
• Compliance with legal obligations (accounting/tax regulations).
• Debt recovery: if we are required to recover our claims through legal means, or if we are parties to legal proceedings concerning you, we will use your identification data and, where necessary, other data required to protect our rights.
• Fulfilment of contractual obligations.
• Network and service security (logging, incident prevention): legitimate interest.

Data are stored for the period necessary for the specified purpose, but not longer than the period required to process your request, the duration of the contract, or the period of any statutory limitation periods (typically 3–10 years), unless otherwise specified in the contract. The contract must include justification for storing personal data beyond the usual retention period. In the event of disputes, longer periods may apply for the duration of the establishment, exercise or defence of legal claims of rights before a public authority.

Within the ÚJV Group, personal data are processed both manually and automatically. Personal data protection within the ÚJV Group is secured technically and organisationally in accordance with the GDPR and the Czech Personal Data Processing Act. We require the same level of protection from personal data processors. Certain public authorities and other organisations are entitled to request personal data. Data are provided only if such entitlement is permitted by the relevant legal regulations.

The processor is authorised to handle data solely for the purpose of performing activities for which they have been entrusted by the relevant controller, i.e., our company, under a personal data processing agreement. In such cases, your consent is not required for processing, as such processing is permitted directly by legal regulations. If consent is required or personal data are transferred to processors, we, ÚJV Řež, a. s., as the controller, ensure that you are informed of the transfer or that your consent is obtained.

Processors of personal data include, in particular:

• Suppliers or service providers, e.g., providers of printing and postal services, including couriers, IT service providers.
• Suppliers of camera, access, and time and attendance systems located within ÚJV Group premises,
• Other persons involved in the conclusion, management, and archiving of contracts and related documents,
• Other third parties providing or receiving services related to the fulfilment of contractual or statutory obligations.

• ČEZ ICT Services, a.s., Company Registration No.: 264 70 411 (provision of certain IT services);
• ČEZ, a.s., Company Registration No.: 45274649.
• ČEZ Corporate Services, s.r.o., Company Registration No.: 262 06 803 (insurance, vehicle leasing and other related services).
• ENGINEERING PRAHA a.s., Company Registration No.: 001 28 201.
• Nuvia Dosimetry s.r.o., Company Registration No.: 452 40 043.
• Penta Clinic Network s.r.o., Company Registration No.: 264 22 719 (provision of occupational medical services pursuant to Act No. 373/2011 Coll. and implementing legal regulations).
• Securitas ČR s.r.o., Company Registration No.: 438 72 026 (protection and physical security of premises).

Personal data are not transferred outside the EU/EEA by our company, unless necessary for the use of a particular online service (e.g., analytical or cloud tools) or to fulfil a public law obligation pursuant to a binding legal regulation or a final decision of a public authority. In such cases, mechanisms under Chapter V of the GDPR apply (especially standard contractual clauses).

• Directly from data subjects based on consent (web forms, e‑mail, telephone, personal contact, contract and similar legal actions).
• Public registers (verification of basic identification of business partners, their business or similar authorisation).
• Technical records (server and security logs generated when using the website).
• Third parties based on the consent of data subjects – only if necessary (e.g., IT and security providers who inform us of security incidents or site visits).

Data subjects have the right to request information regarding the processing of their personal data, the purpose of processing, the scope, or categories of personal data being processed, the sources of personal data, the nature of automated processing, the processors, the recipients, or categories of recipients of personal data.

If a data subject discovers or believes that we or our contractual processor are processing personal data in a manner contrary to the protection of the private and personal life of the data subject or contrary to law, the data subject is entitled to request an explanation or demand that ÚJV Řež, a. s., or its contractual processor rectify the situation. In particular, the subject is entitled to request blocking, correction, supplementation, or deletion of personal data.

To exercise their data protection rights, data subjects may contact ÚJV Řež, a. s., at ujv@ujv.cz. ÚJV Řež, a. s., will inform you without undue delay regarding the resolution of such requests.

Data subjects also have the right to contact the Office for Personal Data Protection, as the supervisory authority, at any time with their complaint.

We implement appropriate technical and organisational measures (access management, encryption, logging, backup, training, contractual confidentiality). We require a comparable level of protection from processors according to Articles 28 and 32 GDPR. We require contractual processors to provide a list of their processors if their processor is a sub-processor of personal data provided by our company to the processor.

Upon entering secured areas, visitor records and camera recordings operated by security (Securitas ČR s.r.o) may be made. The purpose is to protect persons and property. The legal basis is legitimate interest, which does not conflict with the principles defined in the GDPR and the Czech Personal Data Processing Act. These activities concern physical visits, not routine browsing of the website.

Personal Data

Personal data means any information relating to an identified or identifiable data subject; a data subject is considered identified or identifiable if the data subject can be directly or indirectly identified.

Data Subject

A data subject is a natural person to whom personal data relate.

Controller

A controller is any entity that determines the purpose and means of personal data processing, carries out processing, and is responsible for it.

Processor

A processor is any entity that, based on law or authorisation by the controller, processes personal data for the controller.

Recipient

A recipient is any entity to whom personal data are made available.

Personal Data Processing

Processing of personal data means any operation or set of operations which the controller or processor systematically carries out with personal data, either automatically or by other means; personal data processing includes, in particular, collection, storage on information carriers, making available, modification or alteration, retrieval, use, transfer, dissemination, publishing, retention, exchange, sorting or combining, blocking, and deletion.

Public Register

For the purposes of this document, public register means (i) a public register under Act No. 304/2013 Coll., on public registers of legal and natural persons, as amended, i.e., the Association Register, Foundation Register, Register of Institutes, Register of Owners’ Associations, Commercial Register and Register of Public Benefit Corporations; (ii) other registers as per Act No. 111/2009 Coll., on Basic Registers, as amended.

ÚJV Group

The ÚJV Group consists of ÚJV Řež, a. s. and its subsidiaries Centrum výzkumu Řež s.r.o., RadioMedic, s.r.o, ENGINEERING PRAHA a. s. and NQ-Safe s.r.o. The ÚJV Group is further complemented by a subsidiary of Centrum výzkumu Řež s.r.o., namely Centrum výzkumu Řež Innovations s.r.o.