for the My CEZ platform/application
My CEZ is a service made available to clients or potential clients by CEZ Vanzare S.A., through which details about the contract, consumption, payments, invoice history, new offers and other useful information are provided.
CEZ Vanzare S.A. (hereinafter referred to as “CEZ”), a joint stock company managed in a two-tier system, with the headquarters in Craiova, str. Calea Severinului, nr. 97, etaj 1, judetul Dolj, registered at the Trade Register Office attached to the Dolj District Law Court under no. J16/517/2007, having the Fiscal Code 21349608 is the owner of My CEZ and the data operator, from the perspective of personal data processing inherent to the use of My CEZ.
Through this document, My CEZ users are informed about the processing of personal data when they create an account and use the My CEZ platform/application and the rights they have in connection with the processing of their personal data.
I. CATEGORIES OF PERSONAL DATA PROCESSED, PURPOSES FOR WHICH THEY ARE PROCESSED, AS WELL AS THE LEGAL BASIS OF THEM
When you choose to use My CEZ, we will process certain personal data that concern you, in connection with the provision of the services you have contracted. CEZ processes your personal data in accordance with the legal provisions in the field regarding the processing of personal data, as an operator, only for the specified purposes.
1. Creating the My CEZ account and authentication in the account
In order to create an account on the My CEZ online platform, we must identify you in our CEZ client database. For this purpose, we request certain account validation data, some of which may constitute personal data:
a) in case of household customers, are requested the following: the client code, the last 6 digits of the personal numeric code, the e-mail address and the telephone number (optional).
b)in case of non-household customers, are requested the following: the client code, the invoice number, the contract number, the e-mail address and the telephone number (optional).
You will also need to choose a password to access your account. After confirming the data, in addition to these the surname, first name, county and type of client (domestic/non-domestic) are stored. Later, in order to be able to log in to your account, we ask for your e-mail and password.
We process this data under the execution of a contract with you, namely the My CEZ Terms and Conditions of Use, which you accept when you open your account. In the case of legal representatives of the legal entities, we also have a legitimate interest in the processing of personal data, in order to provide the services available through My CEZ.
The data is stored for the entire duration of your active My CEZ account plus a maximum period of 3 years.
Please keep the confidentiality of account creation and account authentication data. CEZ is not held liable in the event you disclose this data to third parties.
2. Personal data available in the account
My CEZ account allows you to view certain information, including personal data, related to the services that CEZ provides to you. This information refers to: data from the electric energy/natural gas supply contract; data related to consumption, consumption measuring instruments and the address of the place of consumption; information on the provision of energy supply services, transmission of requests, report of invoices and payments; index transmission; reservations in client relations centres and other data processed within similar functionalities.
We process these data under the execution of a contract with you, namely the My CEZ Terms and Conditions of Use, which you accept when you open your account. The data is necessary to benefit from the functionalities of the My CEZ platform and will be available to you for as long as you have an active My CEZ account plus a maximum period of 3 years.
3. Data related to the use of My CEZ
a) In the case of the My CEZ mobile application, certain data regarding the use of the application are processed, such as: device type (ios/android), ios version, region (country), e-mail address, actions performed in the app (sections visited). Also, the application may request permissions to use the geographical location (only when the application is used), files (documents and pictures).
These data are processed on the basis of the legitimate interest of CEZ, in order to analyse the use of the application and to improve the services offered. The data will be kept as long as you have an active My CEZ account plus a maximum period of 3 years.
b) In the case of the My CEZ web platform, some data regarding the use of the platform can be processed, as:
- IP address with which the platform was accessed at the last authentication (for account security);
- Device Token and the type of device since the last authentication in the mobile application;
- the e-mail address used to create the account is also used for sending account activation emails, setting/resetting the email address, sending notifications.
These data are processed on the basis of the legitimate interest of CEZ, in order to ensure the necessary security standards, to analyse the way in which the platform is used and to manage the interaction with the clients. The data will be kept for as long as you have a My CEZ active account plus an additional period of 3 years.
IMPORTANT! On the creation of a user account in My CEZ, certain communications related to the supply of electric energy/natural gas (regarding the issuance of invoices, maturity of invoices, notice of non-payment, self-reading index entry period, information regarding the planned/accidental interruption of electricity) will be made by electronic mail, via e-mail or push notifications in the case of the mobile application. You can change this at any time by changing the settings in the Account Settings section, Notifications Preferences subsection, directly from the My CEZ account.
4. Request an offer through My CEZ
Even if you are not a CEZ client, you can request through My CEZ an offer for electric energy or natural gas services.
Thus, you will be able to fill in a dedicated form requesting certain information (type of client - natural or legal person; type of service of interest - electric energy or natural gas; county; distribution operator; current supplier; consumption category). We will process these personal data to act on the request of the data subject before concluding a contract or based on our legitimate interest, to offer CEZ products and services as a result of your request. We will retain these data for a maximum period of 3 years from the last interaction with you or until your request to delete them (insofar as the right of deletion applies).
5. Signing a contract for electric energy or natural gas services through My CEZ
If you accept the offer sent by CEZ for electric energy or natural gas services, the supply contract can be signed directly through My CEZ. For this purpose, you will be asked to upload certain information and documents to the platform, such as:
- Copy of the identity card;
- Copy of ownership deed/title of the place of consumption;
- The last invoice related to the place of consumption;
- A statement on your own risk (if you are not the owner of the location where the place of consumption is located).
We will process this data in order to prepare the supply contract, according to the CEZ offer accepted by you and to create a client code in our internal client management system.
II. TO WHOM WE DISCLOSE PERSONAL DATA
We will disclose your personal data only for the purposes and to the categories of recipients described below:
a) Disclosure of data to CEZ Vanzare affiliated entities
Your personal data may be disclosed to any other company that is a member of our group if we believe that this is in our legitimate interest, for internal administrative purposes (e.g. data management in internal computer systems, contract archiving, management invoices, dispute resolution, etc.) or for auditing and monitoring our internal processes. Access to information is limited to staff who need to know personal information.
b) Disclosure of data to other entities
We may also disclose your personal data to third parties in the following situations:
- companies that provide us products and services (authorized persons), such as: suppliers who have access to clients’ personal data in order to provide us with certain services such as: IT systems management; website services, database management for marketing, invoice transmission, etc.
- other entities, such as: public authorities and institutions, auditors, lawyers and other external professional consultants, when their activity imposes knowledge of the data or when the law requires us to disclose them.
We may also disclose your personal data to other third parties in the following situations:
o if you request or give us your consent in this regard;
o the persons who demonstrate that they have the legal authority to act on your behalf;
o if we have the obligation to disclose your personal data in order to comply with a legal obligation or a request from the authorities.
Also, if you choose to pay for CEZ services by card online, directly from My CEZ, your data will be processed by the payment processor (third party service provider compared to CEZ). At the time of the payment, you will be redirected to a payment page provided by the payment processor, where you will find details on the terms and conditions for using the card payment functionality and on the processing of related personal data.
The third parties with whom we choose to share your personal information in accordance with the above are limited (by law and contract) in their ability to use personal data strictly for the specific purposes identified by us. We will always ensure that any third party with whom we choose to share personal data is subject to data protection obligations. However, for the avoidance of doubt, this may not be applicable where the disclosure is not our decision (for example, whether we need to provide personal data as a result of a mandatory request from a public authority).
III. DATA TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)
We process your personal data within the EEA and do not transfer or disclose your personal data to third parties outside the EEA. If we use non-EEA providers who may have access to your data for the provision of services to CEZ, we will take appropriate steps to ensure that they adequately protect your personal information in accordance with this policy. These measures include:
• in the case of service providers based in the USA, concluding standard contractual agreements approved by the European Commission with them, or ensuring their adherence to the Privacy Shield, or
• in the case of service providers based in countries outside the EEA, the conclusion of standard contractual agreements approved by the European Commission with them or other appropriate guarantees, such as decisions issued by the European Commission to ensure that the country in question provides an appropriate level of personal data protection.
IV. YOUR RIGHTS
As a data subject, according to the law, you have certain rights regarding the way we process your data.
(a) Right of withdrawal of consent: When you have given your consent to the processing of your personal data, you may withdraw your consent at any time.
(b) Right to rectification: You may request the rectification of personal data concerning you, if they are inaccurate or incomplete.
(c) Right to restriction of processing: You may request the restriction of the processing of your personal data if one of the following cases applies:
• you contest the accuracy of your personal data, for the period we need to verify the accuracy of the data;
• the processing is illegal and you oppose the deletion of your personal data, requesting instead the restriction of their use;
• we no longer need your personal data for the purpose of processing, but you request them for the appeal, exercise or defence of a right in court, or
• you object to the processing (under the right of opposition) for the period in which we verify whether our legitimate rights prevail.
(d) Right of access: You may request information about the personal data we process about you, including information about the categories of data we hold, what they are used for, the duration of the processing and to whom this data is disclosed, if applicable.
(e) Right to delete data: You may request that we delete your personal data concerning you. We must comply with this request if we process your personal data, except for the data that are necessary:
• for exercising the right to freedom of expression and information;
• to comply with a legal obligation we have;
• for archiving purposes in the public, scientific interest, or for historical studies or for statistical purposes; or
• for finding, exercising or defending a right in court.
(f) Right of opposition: You may oppose, at any time, the processing of your personal data for reasons related to your particular situation, provided that the processing is based on our legitimate interests or those of a third party. In this case, we will no longer process your personal data, unless we can prove legitimate and compelling reasons justifying the processing and prevailing over your interests, rights and freedoms or for the finding, exercising or defending a right in court.
You also have the right to oppose to the processing of data for direct marketing purposes.
(g) Right to data portability: You may request to receive your personal data that you have provided to us and which are processed under the consent or performance of a contract, and if it is technically feasible, to request that to be submitted to another operator.
(h) The right not to be subject to a decision based solely on automatic processing, including profile creation, which produces legal effects which concern or affect you to a significant extent.
(i) Right to file a complaint: If you have a grievance, please let us know to try to remedy the situation. If we do not succeed, you can contact the The National Supervisory Authority For Personal Data Processing, through the procedure described on its website: www.dataprotection.ro.
• Time period: We will try to settle your request within one month, which may be extended by a maximum of two months, for specific reasons related to a particular legal right or the complexity of your request. In all cases, if this term is extended, we will inform you about the duration of the extension and the reasons that led to it.
• Lack of identification: In some cases, we may not be able to find your personal data due to the identification elements you indicated in your application. In such cases, where we are unable to identify you as the data subject, we cannot comply with your request to exercise the legal rights described in this section unless you provide us with additional information that allow your identification. We will inform you and give you the opportunity to provide such additional details.
• Exercise of rights: To exercise your rights, please contact us in writing (including electronically) at the contact details provided in the section below.
V. CONTACT INFORMATION
Please address your questions and requests about the processing of personal data following the contact instructions in the section of this website or directly by e-mail to the address firstname.lastname@example.org.
VI. CHANGES TO THIS POLICY
This policy can be modified whenever we deem it necessary, and it will be made known by posting on our website.