Your privacy is a priority for us. Learn how we process and protect your personal data.
Personal data is defined by law as any information about an identified or identifiable natural person; an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (hereinafter also the "data"). If you enter into a contract with us for the provision of electronic communications services and do not take advantage of our offer of prepaid services, then you are a data subject within the meaning of applicable law and the data we process about you is personal data.
Anonymous and aggregated data is not personal data, this data cannot be linked to a specific person from the beginning or as a result of processing, but it is the result of the aggregation of a number of individual pieces of information without the possibility of being linked back to the data subject.
In the field of electronic communications, there are 3 basic types of data that Vodafone processes: personal, traffic and location data.
Vodafone processes personal data generally referred to as identification data. The following list of data does not imply that Vodafone processes data about each customer in its entirety. It is carried out in order to fulfil an information obligation, and the scope of the data is always individualised to the specific customer, except for the data that Vodafone is required to process in compliance with the applicable law.
For the sake of completeness, we also include data relating to legal entities, which is not personal data within the meaning of the law.
The personal and identification data means the following, including but not limited to: name, surname, address, date of birth, birth number/national identifier, age, title, sex/gender, numbers of documents submitted, company name, registered office/place of business, registered office of an organisational unit, name, surname and residence of persons authorised to act for the legal entity, identification number, tax identification number, contact telephone number, SIM card number, billing data (e.g. type, method and volume of services used), terminal equipment data, type or category of terminal equipment, e-mail, bank and account number, customer behaviour and other data legitimately obtained about the customer.
Only personal data of natural persons is protected under the applicable data protection legislation..
Traffic data is defined by the Electronic Communications Act as any data processed for the purpose of transmitting a message over electronic communications networks or for billing purposes.
So what is traffic data? Traffic data is anything that is needed to enable a customer to make calls, send SMS or MMS, use data and other services provided by Vodafone. This includes, for example, the calling number (A-number), the called number (B-number) in case of call forwarding we also have information about the originally called number, IMSI, start and end of the connection, date and frequency of the connection, information from the SS7 signalling layer, IMEI, TV card number, SIM card number, set top box identification data, modem identification data, information about watched, downloaded and subscribed shows, information about your use of TV services, configuration data, type of the service provided, data connection address (e.g. IP address), including traffic location data, which is the necessary information about where in the network the message was transmitted from and to, and these are the data generated solely for the transmission of messages.
Location data is defined by law as any data processed in electronic communications network or electronic communications service that identifies the geographic location of a telecommunication terminal equipment of a user of a publicly available electronic communications service.
Location data means any data processed in electronic communications network that determines a geographical location. Thus, location data is data about the location of the customer's terminal equipment, e.g. data about the network to which the customer is connected.
If so, you can use our prepaid services. However, it is important to point out that even in this case the processing of the so-called traffic and location data and, in particular, the associated obligations (e.g. the transmission of such data to government authorities) are involved. We will also process information about the use of these services, recharge history, use of marketing promotions and the like. If you have your SIM card sent to an address or if you take advantage of one of our marketing events, for which contact details are required, we will also process this contact data.
In the following text we describe the purposes for processing your data, the legal basis for such processing, an example list of the data processed and the processing period.
The data we process about you depends on the products and services you use, how you use those products and services and your interaction with Vodafone, or it depends on the data we have obtained from third parties, and this only on the basis of your consent given to such third parties. Therefore, if you are our customer, this does not mean that we process all of the data below for all of the purposes listed, but it always depends on the specific contractual relationship and interaction with the customer. This will also be reflected if the right to access is applied when a copy of data corresponds to the actually processed data and not to all data listed below.
Some of our products or services may have separate documents dealing with the processing of personal data in relation to these particular products and services which are linked to such documents and provide more detailed or additional information.
We will primarily process your personal data for the purpose of providing services or products in accordance with a contract, in particular the provision of publicly available electronic communications services. We process the data to enable you, for example, to make calls, send text messages and use the internet on your phone, but also for other processing related to the provision of services, which includes processing orders, negotiating or concluding a contract, managing and administering your account, sending you bills, connecting and accessing other operators' networks, providing you with information you request or responding to your complaints or queries about your account.
The legal basis for processing the data is the performance of the contract (Article 6 (1) (b) GDPR), however, the scope of the personal data we must process for the purposes of the contract is partly determined by Article 63 of Act No. 127/2005 Coll.
Data processed:
We process the aforementioned data in its entirety for 6 months from the termination of the contract and then in a limited form for the general limitation period, i.e. 3 years. Exceptions are as follows:
We will process your data for direct marketing purposes. As our customer, we will inform you about new products and services, send you newsletters or official communications, or inform you about offers, promotions, drawing lots or competitions. We tailor these messages according to the type of products and services you have bought from us (for example, we know that we shall not contact you with further offers if your phone contract is only in the middle of its effect) and how you use our services (for example, we know from your bill that you use a lot of data, therefore to provide you the best we will offer a tariff adjustment). If you give us your consent for personalised targeting based on cookies on our website, we may also use this information from the cookies in question to prepare offers directly for you.
The services we provide change and evolve over time and we would like you to always be able to choose the ones that best suit your needs. We will contact you, for example, by post, online, by telephone (to the telephone numbers you have provided) or by notifications via our applications.
If you wish to tailor our services to your needs, you can give us your consent to process your traffic and location data for marketing and business purposes, including profiling, and we will then be able to offer you a targeted offer of new services, products, discounts or other interesting things tailored to you.
The legal basis for processing data in the context of direct marketing is our legitimate interest (Article 6 (1) (f) GDPR). The legitimate interest is seen in the possibility to make you aware of our offers. However, if you do not wish to receive such communications, you can inform us of this. The legal basis for the processing of data in the context of tailoring our services to your needs by processing your traffic and location data or on the basis of personalised targeting according to cookies is your consent (Article 6 (1)(a) of the GDPR), which you can withdraw at any time.
For the sake of legal precision, we would like to point out that if you decide to object to our direct marketing, then subsequently change your mind and express your choice again for our direct marketing, this will also legally constitute processing on the basis of your consent. For the case described in the previous sentence, all information for processing for direct marketing on the basis of legitimate interest will apply similarly. In particular, it is easy to withdraw such consent to direct marketing at any time, as in the case of an objection to direct marketing by Vodafone.
Data processed:
We process the aforementioned data in its entirety for 6 months from the termination of the contract and then in a limited form for the general limitation period, i.e. 3 years. Exceptions are traffic and location data, where we act in accordance with applicable law and process such data for six months after they are made.
We may process some of your data to a limited extent for the purpose of marketing our services and products after termination of the contract, but only if you give us your consent.
The legal basis for processing your personal data is therefore your consent (Article 6 (1) (a) GDPR).
Data processed:
We process the above data for a maximum of two years or until the consent is withdrawn.
We may process some of your data to a limited extent for the purpose of sending/marketing commercial communications from third parties, but only if you give us your consent. In this case, we will be able to offer you from time to time advantageous offers from our business partners. Of course, we will not send you all offers, but only those that may be of interest to you, based on an evaluation of the data we process about you below.
We do not pass on your personal data to these third parties under any circumstances..
The legal basis for processing your personal data is therefore your consent (Article 6 (1) (a) GDPR).
Data processed:
We process the above data for no longer than the duration of the provision of our services or until consent is withdrawn.
The list of our business partners, whose offers we can send you, you can find here.
We will process your data even if you leave us an indication to contact you with a commercial offer, so that we can contact you with our commercial offer according to your wishes. Similarly, if you do not complete your order when ordering our services via the online e-shop, we may contact you.
The legal basis for processing your personal data is therefore your consent (Article 6 (1) (a) GDPR) or entering into a contract under (Article 6 (1) (b) GDPR), as the case may be.
Data processed:
We process the above-mentioned data for a standard period of six months, but if you ask us, we may process the above-mentioned data for longer. If you withdraw your consent, we will cease such processing.
We also process your data to comply with our legal obligations where we are required to do so by law, in particular in the following cases:
The legal basis for processing your personal data is therefore compliance with of our legal obligations (Article 6 (1) (c) GDPR).
Data processed:
We process the aforementioned data for the period of time specified by the applicable legislation. In the case of tax documents, this is ten years from their issue. We process traffic and location data for six months from the date of their creation.
We may process your data to a limited extent for the purpose of listing it in the telephone directory. The telephone directory can only be kept in relation to specific services and products.
The legal basis for processing your data is therefore your consent (Article 6 (1) (a) GDPR) and our legal obligation under Act No. 127/2005 Coll., Electronic Communications Act (Article 6 (1) (c) GDPR).
Data processed:
We process the aforementioned data for the period when the services are provided and until the consent is withdrawn.
We may also process your data for the purpose of possibly protecting our rights in administrative, civil or criminal proceedings (for example, if you fail to perform your obligations or, on the contrary, believe that Vodafone is not fulfilling its contractual or legal obligations). This purpose of the processing will apply, for example, if we are involved in a legal dispute, a complaint procedure or a debt recovery process.
The legal basis for processing the data is therefore our legitimate interest (Article 6 (1) (f) GDPR). The legitimate interest is seen in the possibility of protecting and enforcing our rights.
Data processed:
If necessary, we process the above data in a limited form for the general limitation period, i.e. 3 years or for the duration of the relevant proceedings.
We may anonymise certain data using the most modern technical anonymization methods and subsequently aggregate it into a form that is completely separate from your person. This process cannot be reversed, so the resulting data no longer has the character of personal data according to current legislation. The process of anonymization and aggregation occurs in the vast majority of cases directly at the time of the data creation, so the information is not linked to any data subject from the beginning. When considering whether it is possible to prepare the statistical and analytical output in question, we are guided by the basic condition of privacy protection. An example is preparation of a statistical-analytical map of the load on a road section for the needs of a local authority.
The legal basis for processing the data is our legitimate interest (Article 6 (1) (f) GDPR). The legitimate interest of the controller, but also of third parties, is seen in the possibility to offer statistical and analytical outputs of anonymised aggregated data.
Data processed:
We process the above data in a limited form and in a limited way at the moment of its creation.
We may process your data for the purpose of returning any unjust enrichment that arises on our side (such unjust enrichment may be overpayments based on your payments for our services and/or equipment that you sent to us after termination of the contract despite the fact that you owned it).
The legal reason for processing the data is to comply with our legal obligation under Section 2991 of Act No. 89/2012 Coll., the Civil Code, in accordance with Article 6 (1) (c) GDPR, as well as our legitimate interest in ensuring the returning of any unjustified enrichment from our former customers, in accordance with Article 6 (1) (f) GDPR.
Data processed:
We process the aforementioned data for as long as the unjust enrichment on our side lasts or until the unjust enrichment is settled.
Before a contract/sale is executed, we will carry out the so-called risk assessment for the purpose of fraud prevention.
If you are our non-business customer, a risk assessment process based on an automated individual decision, in some cases using advanced technological methods (e.g. artificial intelligence), takes place before each sale. The information obtained in this way is then considered in the context of the value and nature of the order. As a result of the risk assessment, an additional security deposit is set, depending on the level of risk of the request being made.
For the sake of completeness, we would like to point out that when you are our corporate customer, the process of assessing the risk and creditworthiness of the corporate customer is based on a manual assessment. During this assessment, the following information is processed: company identification data, data on any historical claims with Vodafone, information from the SOLUS register, information from publicly available registers such as the insolvency register, the commercial register, ARES register, RZP register (Trade Register), information obtained from third parties containing information about the property interconnection of the company's statutory bodies and information about the company's financial results. As a result of the assessment, steps are taken to cover any risk, either by adjusting the contractual offer or by setting an additional security deposit, the amount of which is determined depending on the level of the risk.
If you are an individual (natural person), you can of course express your opinion within the fraud prevention procedure described above, by requesting a review by our vendor or by exercising your right to object.
The legal basis for processing the data is therefore our legitimate interest (Article 6 (1) (f) GDPR). The legitimate interest is based on the protection of our property.
Data processed:
We process the above data before a contract is concluded. We process the results of this assessment for 6 months after the assessment is carried out.
We may process your data for the purpose of recommending and uploading television content that you might like if you choose to activate personal recommendations with the television service. Personal recommendations may relate to TV programmes, VOD and applications. However, we do not provide personal recommendations related to adult content..
Please note that both Vodafone TV and the Horizon service have specific personal data processing terms and conditions available on the applications and also on our website.
The legal basis for processing personal data is therefore your consent (Article 6 (1) (a) GDPR).
Data processed:
We process the aforementioned data for the period when the services are provided. Processing times may vary depending on the specific service or product you use.
We process personal data for training and quality assurance purposes. In order to be able to ensure your satisfaction we constantly improve our services, including training and monitoring our staff.
The legal basis for processing your personal data is therefore our legitimate interest (Article 6 (1) (f) GDPR). The legitimate interest is seen in the need to train our staff to be able to provide you with a first class service.
Data processed:
We process the aforementioned data for the period when the services are provided. We only process recordings of communications made on the customer service line or in the shop for this purpose for a maximum of six months after their creation. We keep communications via chatbot, communication applications and social media if you are not our customer, and e-mail communications for 6 months from their creation.
In order to ensure your satisfaction when communicating with our voice and text assistant Tobi, we are constantly working to ensure that Tobi understands you better and provides you with relevant answers when we communicate together.
The legal basis for processing your personal data is therefore our legitimate interest (Article 6 (1) (f) of the General Data Protection Regulation). The legitimate interest is seen in the need to continuously train and improve the Tobi assistant.
Data processed:
We process the aforementioned data for this purpose for a maximum period of six months from the date of its creation.
We may process your personal data for the purpose of conducting satisfaction surveys in relation to our services and products, as well as the care we provide. From time to time we may also ask you other questions relating to the services we offer. We may also use the data where we ask you for feedback in relation to the operation of our products and services, our customer care services and maintenance and operations carried out by us.
Therefore, the legal basis for processing the data is our legitimate interest (Article 6 (1) (f) GDPR) or consent (Article 6 (1) (a) GDPR), as the case may be.
Data processed:
We process the aforementioned data for the period when the services are provided.
We will also process your data in order to ensure the security of information systems managed by us, such as our website, Internet self-service and other information systems that are accessible outside of the company's internal environment.
The legal basis for processing the data is therefore our legitimate interest (Article 6 (1) (f) GDPR). The legitimate interest is seen in ensuring the security of our information systems and also in fulfilling our legal obligation under Act No. 181/2014 Coll., on Cyber Security and on Amendments to Related Acts (Cyber Security Act), as amended.
Data processed:
We process the aforementioned data for 6 months from its occurrence or for the duration of an ongoing investigation; in the case of a motion handed over to a competent authority, until the motion is solved.
We will also process your data for the purpose of protection against any violation of security and integrity of our network, security of the service, and possible subsequent restriction or interruption of the provision of services, this for the necessary period of time for operational, technical and security reasons. We note that in connection with the possibility of cyber-attacks on our network, in which the IP addresses of our subscribers may be used, we may send you an e-mail informing you of this attack and, where appropriate, also attaching information about the necessary steps to be taken on your part. Such e-mail is in no way a commercial communication, but a communication to protect the security and integrity of our network.
The legal basis for processing the data is therefore our legitimate interest (Article 6 (1) (f) GDPR). The legitimate interest is seen in ensuring the security of the network and also to comply with our legal obligation under Act No. 181/2014 Coll., on Cyber Security and on Amendments to Related Acts (Cyber Security Act), as amended.
Data processed:
We process the aforementioned data for 6 months from its occurrence or for the duration of an ongoing investigation of a breach of the network security and integrity, in the case of a complaint to a competent authority until the complaint is settled.
We will also process your data for the purpose of the network capacity planning, to ensure that we are able to ensure strength and coverage of the signal, sufficiently fast fixed connection and to make better decisions about possible strengthening of network elements to ensure the above.
The legal basis for processing the data is therefore our legitimate interest (Article 6 (1) (f) GDPR). The legitimate interest is seen in ensuring a quality network for our business activities.
Data processed:
We process the aforementioned data for 6 months from its occurrence.
We may also process your data for the purpose of investigating fraudulent behaviour. The vast majority of our customers are honest, however, there are some where it is absolutely necessary to prevent further conduct that is detrimental to our company. In such cases, personal data related to such fraudulent activity is then processed.
The legal basis for processing the data is therefore our legitimate interest (Article 6 (1) (f) GDPR). The legitimate interest is seen in the protection of the controller's property.
Data processed:
We process the aforementioned data for 6 months from its occurrence or for the duration of an ongoing investigation, in the case of a complaint to the Police of the Czech Republic, then until the complaint is settled.
We will also process your data for the purpose of keeping a record of requests of data subjects and their settlement.
The legal basis for processing the data is therefore our legitimate interest (Article 6 (1) (f) GDPR). The legitimate interest is seen in the possibility to demonstrate compliance with the requirements of the GDPR.
Data processed:
We process the above data for three years from granting or refusing the exercise of the right under the General Data Protection Regulation.
From time to time, we organise competition events either online or during cultural events. If you wish to compete with us, we will process certain of your data.
The legal basis for processing your personal data is consent (Article 6 (1) (a) GDPR) or performance of a contract (Article 6 (1) (b) GDPR) (depending on the setting and form of the competition event in question).
Data processed:
We process the aforementioned data for a maximum of the duration of the competition event or until the consent is withdrawn.
In order to protect Vodafone's property and legal claims, camera recording devices may be installed in our premises, brick-and-mortar stores and points of sale.
The legal basis for processing the data is therefore our legitimate interest (Article 6 (1) (f) GDPR). The legitimate interest is seen in the need to ensure the necessary protection of Vodafone's property and legal claims.
Data processed:
Depending on the type of location, we process the above-mentioned data for a maximum of 21 days, and a minimum of 10 days, from the date of such camera recording.
Consent is one of the legal grounds for the personal data processing. Consent may always be withdrawn without giving any reason. In selected cases, Vodafone may also process your personal data on the basis of your consent if you provide it to us. For the avoidance of doubt we point out that direct marketing, including the sending of commercial offers of our services and products, is not based on consent but on the legitimate interest of the controller in accordance with applicable law. If you do not wish to receive commercial communications with offers of our services and products, please use the objection route as described below in the section Your rights under applicable law.
You can find information about your consents given in My Vodafone Internet self-service or also in My Vodafone mobile application. If consent has been granted, the relevant box is ticked. If consent has not been granted, the box is blank. Through My Vodafone, you can manage your consents and, of course, withdraw the consents you have given. You also have the possibility to tell us that you are not interested in receiving information about our services, either in the self-service as mentioned in the previous sentence or by contacting us on the contact details provided in the specific commercial communication (e.g. by calling *77).
If the method described above is not suitable or possible for you (for example, if you do not have access to the Internet self-service or My Vodafone application), our stores or customer care centre at *77 are available and we will be glad to help you with the setting and explaining everything.
If you have provided us with a consent other than the one listed in My Vodafone Internet self-service or My Vodafone mobile application (for example, the consent used for Vodafone TV service), then please follow the information provided in the relevant consent document (for example, withdrawing consent by sending an e-mail to a specific e-mail address). In cases under this paragraph, your consent is not in our core systems and most probably you are not an identified person to us.
In the event of consent given for the purpose of providing a commercial offer, you can withdraw such consent at any of our stores or customer service lines (however, you must know the contact number that was provided so that we can trace your data). If the contact is confirmed by a text message, it will be easiest for you to reply to this text message according to the instructions contained in the message. However, if you are not happy with this method, you can always use the shop or customer service line to withdraw your consent.
Certain personal data may also be processed on the basis of consent in connection with cookies. More information can be found here.
For the sake of clarity, we also note that if you object to Vodafone's direct marketing and subsequently change your mind because you wish that we prepare and communicate to you a commercial offer, this is no longer processing of personal data on the basis of Vodafone's legitimate interest but processing on the basis of your consent. Of course, in this case you have the option to withdraw your newly given consent at any time and we will fully respect this, as is the case when you object to direct marketing.
We disclose information relating to your personal data to you, the customer, only after we sufficiently verify your identity by your customer password. For more details, please refer to the chapter Security - Password.
We may disclose your personal data and/or your account details to recipients only under the terms and conditions stipulated by the law and, where applicable, other documents that we agree directly with you.
Vodafone will not pass your personal data to third parties (other than those listed below) unless (a) you have given us your consent to do so, (b) it is necessary to provide the services or products you have subscribed to or you use, (c) it is required by law, or (d) Vodafone is authorised to do so by law.
Your personal information may only be disclosed to the following entities:
Where necessary, we transfer your data to other Vodafone Group companies (this may include Vodafone Group service centres in India, Romania, Hungary, Germany and Egypt) or to service providers in countries outside the European Economic Area (EEA)The EEA consists of the European Union, Switzerland, Iceland, Liechtenstein and Norway, and these countries have equivalent data protection and privacy laws. This data transfer may occur when our servers (i.e. the locations where we store data) or our suppliers and service providers are located outside the EEA, or if you use our services and products when visiting countries outside the EEA.
Where Vodafone sends your data to a country outside the EEA, we ensure that this data is properly protected. We also always ensure that the data transfer is governed by a proper legal agreement. In addition, if a particular country does not have legislation that meets EU data protection standards, we will ask the third party to enter into a legal agreement that takes these standards into account. For such transfers outside the EEA, we use the standard contractual clauses recommended by the EU (see Data protection (europa.eu) for more information).
The General Data Protection Regulation (GDPR) grants the data subject (natural person) the data subject´s rights that can be exercised against the data controller. These rights allow the data subject to obtain information about the personal data processing, and also, in the cases defined below and subject to legal conditions, to have a direct influence on the processing.
There are three ways to exercise the data subject's rights:
If your data is not accurate, you have the right to have it corrected. Therefore, if the data we hold about you requires updating or if, in your opinion, it is inaccurate, you can contact us and we will make the necessary corrections.
You have the right to know what data we process about you and to request a copy of your personal data held by Vodafone. The request can only be made as an individual (natural person), where we are absolutely certain that you are the right person. We may charge a reasonable fee for additional copies based on the administrative costs incurred.
The following information may be requested under the right of access:
In the case of customer account data, a copy of your data is individual and depends on the services and products you have used, your communication with us and other relevant circumstances. However, this copy always corresponds to all the data we process about you in our customer systems. This includes the following data:
Traffic and location data processed in accordance with Section 97 of the Electronic Communications Act. Access to this data requires the strictest protection. Vodafone has a legal obligation to ensure that access to this data is limited to the natural person whom the data is linked to, the so-called end user. For this reason, access is only granted to customer accounts with one GSM SIM or one GSM SIM and a data SIM, in accordance with the opinion of the Office for Personal Data Protection.
If you request access to customer account data or traffic and location data, this is the so-called additional identification data. In order to satisfy you, we need additional identification of the processing (for example, a reference to a specific processing), so that we can sufficiently identify the data subject in accordance with the applicable legislation, in accordance with Article 11 of Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). Examples include the processing of the personal data of a subscriber in a one-off competition organised as part of a summer festival or the processing in the context of an e-mail registration.
Under certain circumstances you have the right to obtain the data provided. For example, Vodafone allows you to download your monthly bills on My Vodafone mobile application.
In certain circumstances you also have the right to object to processing your personal data by Vodafone.
This includes where we process your data on the basis of our legitimate interest. You can also object to direct marketing or satisfaction surveys.
You can exercise this right if you believe that the personal data we hold about you is inaccurate or that we should not process it. You have the right to request restriction of processing under certain circumstances.
Vodafone aims to ensure that your data is only processed and retained for as long as necessary. In certain circumstances you have the right to request the erasure of your personal data that we hold. If you believe that we are keeping your data for longer than is strictly necessary, we recommend that you first check whether your contract with Vodafone has been terminated, which you can do through Customer Services. Even if your contract with Vodafone has been terminated, we may still have legitimate grounds for processing your personal data.
If you would like to complain about how we process your data, please contact our customer service team in the first instance or e-mail the Data Protection Officer at ochranaosobnichudaju@vodafone.cz. We aim to do our best to accommodate you, but if you are still not satisfied you can contact the Office for Personal Data Protection, for more information visit: https://www.uoou.cz/en.
In order for us to be able to comply with some of your requests to exercise your rights, we need to be absolutely sure that it is you, the relevant data subject, who is exercising those rights. We have set up our rights processes to ensure that someone other than you does not exercise your right or that someone other than you has access to your data. Identifying the data subject therefore protects you, but it also protects us.