Privacy policy

I. Introductory provisions

1. This document was drawn up by EnerSpot FLEXI Ltd., ID No.: 21 029 776, registered office at Na Šafránce 1803/24, Vinohrady, 101 00 Prague 10, Czech Republic, registered with the Commercial Register kept by the Municipal Court in Prague (hereinafter “EnerSpot FLEXI Ltd.” or “Controller”).
2. The purpose of this document (hereinafter the “Document”) is to inform you about the principles and procedures for the processing of personal data within the meaning of Article 4(2) of the GDPR Regulation specified below.
3. This Document is issued by EnerSpot FLEXI Ltd., which is a member of the HGN Power CZ corporate group within the meaning of § 79 of Act No. 90/2012 Coll., on Commercial Companies and Cooperatives (Business Corporations Act), as amended, in the position of a controlled entity. This Document also applies to the rights and obligations of entities related to the processing of personal data.
4. EnerSpot FLEXI Ltd. obtains and processes all personal data in accordance with the relevant legal regulations, in particular Act No. 110/2019 Coll., on Personal Data Processing (“Personal Data Processing Act”), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation, “GDPR”), and Act No. 480/2004 Coll., on Certain Information Society Services, all as amended, or any other legislation that may amend or replace them in the future.
5. The purpose of processing any personal data is always determined solely by the scope of the specific service provided or the purpose of processing.
6. For ease of reference, any natural person whose personal data is administered and processed by EnerSpot FLEXI Ltd. shall be referred to as the “Data Subject“. “Device” refers to a flexible energy asset (BESS, cogeneration unit, diesel generator, biogas plant, small hydro, PV plant or any other device) operated by any customer of EnerSpot FLEXI Ltd.
7. A customer of EnerSpot FLEXI Ltd. is a natural or legal person who has entered into a contractual relationship with EnerSpot FLEXI Ltd. (hereinafter “Customer“).

II. Controller

1. The controller of personal data is EnerSpot FLEXI Ltd., ID No.: 21 029 776, registered office at Na Šafránce 1803/24, Vinohrady, 101 00 Prague 10, Czech Republic, registered with the Commercial Register kept by the Municipal Court in Prague (hereinafter “Controller”).
2. Contact details of the Controller:
   • Customer line: +420 724 685 961
   • Email: info@enerspotflexi.cz
   • Postal address: Na Šafránce 1803/24, Vinohrady, 101 00 Prague 10, Czech Republic

III. Personal data processed and their categorisation

1. The Controller processes in particular the following personal data of Data Subjects:
   • Identification and address data: title, first and last name, residential/registered office address, billing address, date of birth, birth number, ID No. (if assigned), VAT No. (if assigned), signature;
   • Contact data: phone number, email address, data box ID (if any);
   • Electronic data: internet IP address of the device, location data of the Device, address details of the metering point;
   • Other data related to the contract: bank account number, contract number, region of residence of the Customer, installation address of the Device (GPS coordinates), title deed number, parcel number, name of the cadastral area and the cadastral office (if the property owner differs from the Customer, the property owner is also identified); photographs of the location and structure for placement of the Device; other data related to the contract describing the production, consumption and flexibility of electrical energy and the Customer’s behaviour for evaluating the parameters of the installed Device;
   • Data related to employees, business representatives and suppliers of the Controller, the processing of which is required by legal regulations, e.g. for accounting, tax records, payroll and personnel records, etc.;

   hereinafter collectively referred to as “Personal Data“.

2. The Controller usually obtains Personal Data directly from Customers, based on a contact form available on the website www.enerspotflexi.cz. Further Personal Data is obtained during contract negotiations, contract performance and from third parties facilitating contract negotiations, if any. Personal data may also be obtained from public registers and records (cadastre, trade register, commercial register, insolvency register) or from your own websites, if applicable.

IV. Purpose of processing

1. The Controller processes Personal Data for the purpose of communication with Data Subjects, i.e. potential and/or existing Customers — for contract negotiations and execution of rights and obligations under the contract, including order records, fulfilment, and provision of services related to the contract (typically flexibility aggregation, technical supervision, Device monitoring, ČEPS certification and other related services) (hereinafter “Services“).
2. The legal basis for processing Personal Data is primarily the performance of a contract to which the Data Subject is a party, or the implementation of measures taken before the conclusion of a contract at the request of the Data Subject, all in accordance with Article 6(1)(b) of the GDPR Regulation.
3. The Controller also processes Personal Data of the Data Subject for marketing purposes, in accordance with Article 6(1)(f) of the GDPR Regulation. The legal basis for such processing is the legitimate interest of the Controller.
4. The Controller also processes Personal Data on the basis of compliance with legal obligations applicable to it, in accordance with Article 6(1)(c) of the GDPR Regulation. This processing concerns mainly the Controller’s employees and the fulfilment of the Controller’s legal obligations, especially in the area of labour, civil, commercial, accounting, tax and security regulations.
5. Where processing is based on consent, the Controller processes Personal Data only to the extent strictly necessary, in accordance with Article 6(1)(a) of the GDPR Regulation. Such processing is carried out for the specific purpose(s) stated in the consent.

V. Method of processing

1. The Controller processes Personal Data of Data Subjects manually or automatically through its employees, business representatives or third parties supplying services to the Controller that enable proper performance of the Contract.
2. The Controller does not use automated decision-making or profiling when processing Personal Data. The Controller processes Personal Data using organisational, physical and software security measures — secure databases, access rights configuration for employees (or cooperating third parties), physical security of premises and storage media, and software protection against unauthorised access via the internet.
3. If processors are involved in the processing of Personal Data, the Controller requires from them a comparable level of organisational and technical security measures. Processing is carried out under a data processing agreement and processors are obliged to use Personal Data exclusively for the purposes for which they were transferred, with a prohibition on passing Personal Data to other entities without the Controller’s consent. The list of processors is available at www.enerspotflexi.cz.
4. The Controller processes Personal Data for the period necessary to fulfil the purpose of processing, to fulfil obligations under the Contract, to settle all rights and obligations under the Contract, and for the period stipulated by legal regulations for individual purposes of processing — whichever ends later.

VI. Rights of the Data Subject

1. Each Data Subject has the right to request from the Controller in respect of their Personal Data:
   • Right of access — to be provided with access to their Personal Data processed under this Document, in the form of a list of all processed Personal Data in relation to individual purposes of processing, including the duration of processing. The Data Subject is also entitled to information on recipients or processors who process their Personal Data based on agreement with the relevant controller.
   • Right to explanation and rectification — if the Data Subject believes that the Controller is processing their Personal Data in violation of this Document or applicable law, they may request an explanation and remedy. If the Controller processes inaccurate Personal Data, the Data Subject may request rectification and, where incomplete, completion.
   • Right to erasure — the Data Subject may request that the Controller erase their Personal Data if:
     • the Personal Data are no longer needed for the defined purposes of processing,
     • the Data Subject has withdrawn consent (where consent was previously given) and there is no other legal ground for processing,
     • the Data Subject objects to processing and there are no overriding legitimate grounds for the processing,
     • the data must be erased to comply with a legal obligation of the Controller, or
     • the Personal Data have been processed unlawfully.
   • Right to restriction of processing — the Data Subject may request restriction of processing where they contest the accuracy of Personal Data; where processing is unlawful and the Data Subject opposes erasure; or where the Controller no longer needs the data for the purposes of processing but the Data Subject requires them for the establishment, exercise or defence of legal claims.
   • Right to object — where Personal Data are processed based on a public-interest task (Article 6(1)(e) GDPR) or the Controller’s legitimate interest (Article 6(1)(f) GDPR), the Data Subject may object to processing on grounds relating to their particular situation. The Controller must cease processing unless it demonstrates compelling legitimate grounds that override the interests, rights and freedoms of the Data Subject.
   • Right to data portability — the Data Subject has the right to receive Personal Data concerning them in a structured, commonly used and machine-readable format, and to transmit such data to another controller without hindrance, where (i) processing is based on consent under Article 6(1)(a) or Article 9(2)(a) of the GDPR Regulation, or on a contract under Article 6(1)(b) of the GDPR Regulation, and (ii) processing is carried out by automated means. The Data Subject is entitled to have Personal Data transmitted directly from one controller to another where technically feasible. The exercise of this right shall not adversely affect the rights and freedoms of others.
   • Right to withdraw consent at any time — where processing is based on consent, the Data Subject has the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
2. The Data Subject has the right to lodge a complaint with the supervisory authority if they believe that the processing of their Personal Data violates the GDPR or the Personal Data Processing Act. The supervisory authority for Data Subjects residing in the Czech Republic is the Office for Personal Data Protection, registered office at Pplk. Sochora 27, 170 00 Prague 7 (www.uoou.cz).

VII. Cookies

Our website uses cookies. Detailed information is available in the Cookies document. You can adjust your preferences at any time by clicking Cookie settings in the footer.