České Radiokomunikace

Policy for the Protection of Data from a CCTV System

1. General provisions

This document lays down information about how České Radiokomunikace a.s. (hereinafter referred to as the “Data Controller” or “we” or “us”) processes personal data obtained through the operation of a closed-circuit television system and how it subsequently handles and protects such data. Personal data means any information pertaining to an identified or identifiable natural person, i.e., of any person entering premises monitored by the CCTV system (hereinafter referred to as “Data Subject” or also “you”).

The purpose of this Policy for the Processing of Data from a CCTV System (hereinafter referred to as the “Data Processing Policy”) is to inform about how we collect and process your personal data obtained in connection with the operation of a CCTV system and about your rights, how you can exercise them, and what we have done to help you exercise them.

2. Data controller, data protection officer and contact details

The controller of the personal data obtained by the CCTV system is České Radiokomunikace a.s., a corporation having its registered office at Skokanská 2117/1, Břevnov, 169 00 Prague 6, Czech Republic, ID No.: 247 38 875, which is also the operator of the CCTV system (hereinafter referred to as the “Operator”).

The contact details of the Data Controller for any matters concerning data protection are as follows: Address: Skokanská 2117/1, Břevnov, 169 00 Prague 6, Czech Republic, Telephone: +420242411111, Email address:

The Data Controller has appointed a Data Protection Officer who can be contacted by email at gdpr@cra.cz.

3. Purpose and legal basis of processing

We process your personal data via a CCTV system with recording for the purpose of protecting and providing the security laid down by law (in particular, Act No. 412/2005 Coll., on the protection of classified information and security clearance, as amended, Act No. 181/2014 Coll., on cyber security and on amending related acts (the Cyber Security Act), as amended, Act No. 240/2000 Coll, on crisis management and on amending certain acts (the Crisis Management Act), as amended), as well as for the purpose of protecting the Company’s property, the Company’s employees, and third parties from loss, theft, damage, or destruction, for the purpose of ensuring security of the data that the Company collects and/or processes on its designated facilities in the course of its activities for third parties (the Company’s customers), and for the purpose of ensuring occupational health and safety and the safety of persons present on the Data Controller’s premises. The legal basis for the processing of personal data is to meet the Operator’s legal obligation to adopt technical and organisational measures to ensure the security of its network and information systems and critical infrastructure, including physical security pursuant to the Cyber Security Act, the Act on the Protection of Classified Information and Security Clearance, and other legislation, and, as the case may be, the Operator’s legitimate interest pursuant to Article 6(1)(f) of the GDPR, which consists in the need to ensure adherence to above-standard physical security requirements on the premises in which the Operator carries out its activities.

4. Description of the CCTV system and the time for which recordings are stored

The CCTV system is located in CRA’s facilities and premises, which are designated as premises monitored by cameras.

The cameras capture the access corridors to each of the Operator’s facilities, the entrances to its transmitters, adjacent properties owned by the Operator, and the Operator’s key technological facilities. The cameras are set up to only capture areas within which monitoring of persons does not unduly interfere with their right to privacy. The entrances to the areas monitored by cameras are marked with information panels showing a pictogram of a camera.

5. Sharing and transfer of personal data (recipients of personal data)

We may share footage from the CCTV system with certain third parties in order to investigate security incidents on our premises or with third parties authorised to defend our legal claims, as well as with certain public authorities. In particular, we may share your personal data with:

  • Customers/tenants for the purpose of investigating security incidents;
  • External legal counsel for the protection of our legitimate interests;
  • Law enforcement authorities, courts, or administrative authorities for the purposes of misdemeanour proceedings;
  • Other security forces of the State;
  • Insurance companies in the event of the handling of an insurance claim;
  • Data subjects in case of their legitimate request (only footage where those persons are present, all other parts are anonymised).

In the event that personal data is to be disclosed to a person who processes that personal data for the Operator as a personal data processor, a personal data processing agreement shall be concluded prior to the actual transfer that will guarantee at least the same level of protection as this Data Processing Policy.

6. Data security

We have introduced and maintain adequate technical and organisational measures, internal controls, and information security processes in line with the best business practice, corresponding to the potential risk to you, as a Data Subject. We also take into account the state of technological development with the aim of protecting your personal data from accidental loss, destruction, alteration, unauthorised disclosure, or access. These measures may include, but are not limited to, taking reasonable steps to ensure the accountability of relevant staff members who have access to your data, staff training, regular backups, data recovery and incident management procedures, software protection of the devices on which personal data is stored, and other technical and organisational measures.

7. Your rights as a Data Subject

If you wish to exercise any of your rights listed below and/or obtain relevant information, please contact us using the contact details set out in Section 2, above.

We will respond to you within one month of receiving your request, but we reserve the right to extend this period by up to two months.

As a Data Subject, you have the right to information about the processing of your personal data, the right to access your personal data, the right to rectification, the right to erasure, the right to the restriction of processing, the right to object to processing, and the right to lodge a complaint.

7.1 Right to information about the processing of personal data and right of access to personal data

As a Data Subject, you have the right to obtain the information whether we process your personal data and the right to access your personal data. Due to the nature of the processing, we are only able to provide you with this information if you share with us information on the basis of which we will be able to identify you in the CCTV recordings. Otherwise, we will unfortunately not be able to provide you with this information. Additionally, we reserve the right to refuse your request for access as manifestly unfounded or unreasonable or to charge a reasonable fee that will reflect our costs associated with the provision of the information requested.

We will only be able to provide you with a copy of data from our CCTV system in cases when the rights and freedoms of third parties are not adversely affected and when we are also able to identify, on the basis of the information you have provided to us, the part of the CCTV recording that contains your personal data. Third-party rights will be deemed adversely affected, in particular, in cases when the requested part of the CCTV footage also contains personal data of such third parties.

7.2 Right to the rectification and erasure of personal data

You have the right to request the erasure of personal data if that personal data is no longer necessary for the purposes for which it was collected or otherwise processed, or should you discover that it has been processed unlawfully. However, the right to the rectification or supplementation of inaccurate or false personal data may be limited due to the nature of the data processed.

7.3 Right to the restriction of processing

If you ask us to restrict the processing of your personal data, e.g. in the event that you question the accuracy, lawfulness, or our need to process your personal data, we will limit the processing of your personal data to the minimum necessary (storage) and, as the case may be, we will only process it for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural person or legal entity or for other limited reasons prescribed by applicable laws. If the restriction is lifted and we continue to process your personal data, we will inform you thereof without undue delay.

7.4 Right to object to processing

You have the right to object at any time to the processing of your personal data processed on the basis of our legitimate interest. Unless we are able to demonstrate compelling legitimate grounds for such processing on our part that prevail over the interests or rights and freedoms of the Data Subject and unless the processing is necessary for the establishment, exercise, or defence of legal claims, we will not process your personal data any further.

7.5 Complaint to the Personal Data Protection Office

You have the right to lodge a complaint about our data processing with the Personal Data Protection Office, Pplk. Sochora 27, 170 00 Prague 7. The Office’s website is: uoou.gov.cz. E-mail: posta@uoou.gov.cz.

This Data Processing Policy was last updated on 1 October 2024.