Through this Privacy Policy (the "Policy"), Nano Energies Holding a.s. (also referred to as "Nano Energies" or "we") informs its customers and employees of its business partners what personal data it processes, how it processes it and for what purpose. The policy also includes information on the rights of data subjects in relation to the processing of their personal data and how to exercise them. Unless otherwise stated below, each member of Nano Energies processes the personal data of its customers and the employees of its business partners in the capacity of a data controller.

1. Nano Energies

Nano Energies Holding a.s.
ID No: 11899913, with registered office at Na Florenci 2139/2, 110 00 Prague, Czech Republic

Nano Energies CZ s.r.o.,
registration number: 28188861, with registered office at Na Florenci 2139/2, 110 00 Prague, Czech Republic

Nano Energies Hrvatska d.o.o.
ID: OIB 081387929; VAT number: HR87165314175, with registered office at HR-10000 Zagreb, Puževa ulica 11, Croatia

Digital Energy Services Romania S.R.L.
Sole registration number: 46079860, with registered office at Bucureşti Sectorul 1, Strada TIPOGRAFILOR, No. 11-15, PARTER, CAMERA NR.3


Contacts for more information on the processing of personal data and for exercising the rights of the data subject

Telephone: 721 383 123

E-mail: dataprivacy@nanoenergies.eu

Nano Energies Holding a.s. has not appointed a data protection officer.

2. Basic terms

GDPR:

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal Data:

Personal data means any information relating to an identified or identifiable natural person ("data subject").

Special Category Personal Data:

Special category personal data means data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning the health or sex life or sexual orientation of a natural person.

Data subject:

A data subject is an identified or identifiable natural person, where an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The categories of data subjects whose data we process are set out in Article 4 of the Principles.

Processing of personal data:

Processing of personal data means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated processes, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, restriction, erasure or destruction.

Controller:

The controller of personal data is the natural or legal person, public authority, agency or other entity which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, that law may determine the controller in question or the specific criteria for its designation; unless otherwise specified below in this Policy, the controller of your personal data is the member of Nano Energies with whom you are a customer or with whom you interact in the course of your employment or business.

Processor:

A processor is a natural or legal person, public authority, agency or other entity that processes personal data on behalf of a controller.Nano Energies uses contractors who are processors of personal data for some processing operations. A list of these is set out in Article 6 of the Policy.

Supervisory Authority:

The supervisory authority for the processing of personal data in the Czech Republic is the Office for Personal Data Protection ("OPPD").

3. Personal data processed

In particular, we process the following categories of your personal data.

a) Identification data (name, surname, address, date of birth, birth number, identity card number)

b) Contact data (e-mail, telephone number)

c) Descriptive data (professional position and classification with the business partner)

d) Accounting data (information on mutual claims, payment data)

e) Data about services and products provided or requested, including transaction data and mutual claims

f) Customer preferences and needs

g) Records of our communications (telephone calls, electronic communications)

h) Network identifiers and other information relating to electronic communications

i) Information from cookies and similar online tools

4. Categories of data subjects

In particular, we process personal data relating to the following categories of data subjects

a) Our customers (electricity/gas customers and suppliers) and their agents.

b) Our prospective customers and their agents

c) Employees, business partners and their employees

5. Purpose, scope, legal basis and duration of the processing of personal data

In this section you will find information about the purposes for which we process your personal data, our legal basis for doing so, to whom the processing relates and how long we keep the data for each purpose.

Purpose of processing personal data

Legal basis and description

Compliance with legal obligations in energy distribution

  • The legal basis is the fulfilment of a statutory obligation, in the case of the Czech Republic regulated in particular by Act No. 258/2000 Coll., the Energy Act.
  • Categories of data subjects
    a) Our customers (electricity/gas customers and electricity suppliers) and their agents
    b) Collaborators, business partners and their employees
  • In order to fulfil our legal obligations in the distribution of energy, we process in particular identification data, accounting data and data on services and products provided or requested.
  • For this purpose, personal data may be processed for up to 10 years after the end of the business relationship.

Bookkeeping

  • The legal basis is the fulfilment of a legal obligation, in the case of the Czech Republic regulated in particular by Act No. 563/1991 Coll. on Accounting.
  • Categories of data subjects:a) our customers (electricity/gas customers and suppliers) and their representativesb) Employees, business partners and their employees
  • For accounting purposes, we mainly process identification data, accounting data and data on services and products provided or requested.
  • Personal data may be processed for up to 10 years from the end of the accounting period to which it relates.

Executing and implementing contracts with customers and business partners, including invoicing

  • The legal basis is the performance of a contract, the processing of personal data is not excessive for the performance of mutual contractual obligations.
  • Categories of data subjects:
    a) Our customers (electricity/gas customers and suppliers) and their agents
    b) Employees, business partners and their employees
  • For this purpose, we process personal identification and contact data, accounting data, data on services and products provided or requested and records of our communications relating to the conclusion and performance of contracts.
  • Personal data is processed for the duration of the contractual relationship and for five years after its termination.

Dissemination of business messages in the form of professional information and reports, marketing materials, offers of cooperation, invitations to professional seminars and conferences, cultural and sporting events

  • The legal basis is our legitimate interest in informing our current customers and business partners about our activities and offers.
  • Categories of data subjects:
    a) Our customers (electricity/gas customers and electricity suppliers) and their
    b) employees, business partners and their employees.
  • For this purpose, we process mainly identification and contact data, descriptive data, data about services or products provided or requested and information about our customers' preferences and needs.
  • We process personal data for this purpose for the duration of our contractual relationship and for five years after its termination.

Exercise of contractual rights after termination of the contract

  • The legal basis is our legitimate interest in enforcing claims and receivables arising from contractual relationships.
  • Categories of data subjects:a) Our customers (electricity/gas customers and electricity suppliers) and their
    b) employees, business partners and their employees.
  • For this purpose, we process in particular identification and contact data, accounting data, data on services or products provided and related records of our communications.
  • For this purpose, personal data may be processed for a period of five years after the termination of the contractual relationship or until the claim is recovered.

Reaching out to potential clients according to a completed energy price calculation form or data obtained during contract negotiations with the customer

  • The legal basis is our legitimate interest in contacting those interested in our services and products who complete an online quotation form or otherwise express an interest in learning more about our products and services.
  • Categories of data subjects:
  • a) Our customers (electricity/gas customers and suppliers) and their contact details.
  • For this purpose, we process identification and contact data, data about the services and products requested, and data about the preferences and needs of those interested in our services.
  • The personal data will be stored for a period of 6 months from the completion of the form, from the receipt of the e-mail containing the personal data or from the conclusion of the contract, if within this period the data subject is contacted by us for the purpose of offering services. After this period, we will either ask for consent to continue processing the personal data or we will destroy all personal data.

Personal data provided in the recording of a telephone call to a customer service line for the purpose of improving the quality of service

  • The legal basis is the data subject's consent obtained during the telephone call.
  • Categories of data subjects:
    a) Our customers (electricity/gas customers and suppliers) and their representatives
    b) Our prospective customers and their representativesc) Employees, business partners and their employees
  • We process personal data from voice recordings in our communications in order to improve the quality of our services.
  • For this purpose, personal data may be processed for a period of six months after the communication has taken place.

Personal data of potential customers processed for the purpose of re-contacting the data subject with an offer of services

  • The legal basis is the data subject's consent to receive information about our current offers, products and services, including the sending of electronic commercial communications within the meaning of Act No. 480/2004 Coll.
  • Categories of data subjects:
    a) Our potential customers and their representatives
  • For this purpose, we process identification and contact data, data on the services and products requested, and data on the preferences and needs of those interested in our services.
  • Personal data may be processed for this purpose until consent is withdrawn.

Personal data provided in the recording of a telephone call to the dispatch and customer care line for the purpose of protecting our rights and interests

  • The legal basis is our legitimate interest in protecting our rights and interests.Categories of data subjects:
    a) Our customers (electricity/gas customers and electricity suppliers) and their agents
    b) Our potential customers and their agents
    c) Associates, business partners and their employees
  • The processing of personal data from voice recordings in our communications is carried out to protect our rights and interests, in particular to prove that we have fulfilled our contractual obligations.
  • For this purpose, personal data may be processed for a period of six months after the communication if you do not have a contract with us, up to 3 years after the end of the contractual relationship if you have a contract with us, and in the case of a specific dispute situation until it is resolved.

Ensure security, stability and flexibility of ancillary services

  • The legal basis is our legitimate interest in controlling and managing the security and proper functioning of the services provided.
  • Categories of data subjects:
    a) Our customers (electricity/gas customers and suppliers) and their agents.
  • For this purpose, we process identification and contact data, data relating to the services and products provided, network identifiers and other information related to the proper functioning of the services provided, their control and related communications.
  • For this purpose, personal data may be processed for the duration of the contract and for five years after its termination.

6. Recipients of personal data

We may also share your personal information with other organisations. These include:

a) Our business partners whose products we distribute or offer, distributors, market operators and regulatory authorities.

b) Data processors. This term refers to suppliers who carry out certain processing operations on our behalf, always under our instructions and with a sufficient level of protection of your rights.

Our data processors primarily include:

• HubSpot, Inc., which operates the online tool for recording communications with our customers (CRM).

• Google, from whom we use marketing, service and analysis tools, in particular Google Ads, Google Console and Google Analytics.

• MailChimp, the operator for the creation, management and sending of electronic communications

• Semrush, operator of analytical tools

• KARAT Software a.s., which operates the system we use to manage our finances

• Atlassian, which operates systems for internal communications that may contain personal data

• Microsoft, from whom we use standard office tools (Word, Office, Outlook, Excel, etc.)

• D3Soft Future, s.r.o., which operates an information system for customer service and communication.

• T-Mobile Czech Republic a.s., operator of the information system for recording telephone calls.

c) Data sharing within the Nano Energies Holding.

We provide certain activities, services or processes uniformly within the Nano Energies Holding. The holding member responsible for these activities and providing them to others is in the position of a data processor. The holding member on whose behalf the processing is carried out remains the data controller of its customer's data and is fully responsible to them for the processing.

• Joint system for the transmission of business contacts
DES Holding a.s. operates a common system for collecting inquiries and business contacts (leads) on the website and forwarding them to other members of Nano Energies Holding.

• Management of CRM tool for customer communication
DES Holding a.s. operates a common CRM tool for the entire Nano Energies Holding. Each member of the holding manages and records its customers and their contact and other personal data in the CRM tool.



d) Public authorities, courts and other bodies, if the provision of personal data to us is expressly required by the applicable law.

7. Cookies

We use cookies and similar tools when you visit Nano Energies websites. Cookies are small files that we store or retrieve from the web browsers of visitors to our website.

Cookies help us to provide users with the services they request (e.g., to complete and submit an online form, to remember language selection or site resolution, etc.), to determine whether the site and all of its components are functioning properly, to ensure the security of our communications, and to display more targeted marketing offers.

We use cookies to ensure the proper functioning and behaviour of the website, to provide the service or functionality you have requested, and to ensure secure communications, even without your consent. You can disable the use of these cookies in your internet browser, but in this case we cannot guarantee the correct functioning of our website.

We use cookies and similar tools from Google, Meta and Hotjar to evaluate the functioning of our website, to obtain statistical data and to better target marketing communications in the internet environment. This use of cookies and the further processing of personal data obtained from them is only possible with your explicit consent, which you can give when you visit our website via the so-called cookie bar. Consent is voluntary and failure to give or later withdrawal of consent will not affect the availability or functioning of the website or our products and services.

You can find out more about how these tools work at https://www.google.com/policies/privacy/, https://www.facebook.com/about/privacy/ and https://www.hotjar.com/privacy/.

8. Automated individual decision making and profiling

The processing of personal data at Nano Energies does not involve automated individual decision-making or profiling.

Automated individual decision-making and profiling is generally understood to mean any form of processing of personal data consisting of using such data to evaluate certain personal aspects relating to the data subject, in particular for the purpose of analysing, estimating, evaluating or predicting aspects relating to the data subject's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Nano Energies does not carry out any such automated processing with legal implications for the data subject.

9. Your rights as a data subject

Right of access to personal data

You have the right to request us to provide you with access to personal data relating to you.

personal data relating to you. In particular, you have the right to obtain confirmation from us as to whether or not we are processing personal data relating to you, as well as further information about the data processed and the method of processing within the meaning of the relevant provisions of the GDPR (purpose of processing, category of personal data concerned, recipients, intended storage period, existence of the right to rectification, erasure, restriction of processing or the right to object, source of personal data and the right to lodge a complaint). Upon request, we will provide you with a copy of the personal data we hold about you free of charge. In the event of a repeated request, we may charge you a reasonable fee for providing a copy that is commensurate with the administrative costs of processing the request.

To request access to your personal data, please use the contact details set out in this policy.

Right to withdraw consent to the processing of personal data where the processing is based on consent

You have the right to withdraw your consent to the processing of personal data that we process on the basis of that consent at any time.

You may withdraw your consent by contacting us as set out in this policy or by following the procedure set out in the footer of the email containing the commercial communication.

Right to rectify personal data

If you discover that any of the personal data we hold about you is inaccurate, you may request that we correct it without undue delay. You may also request that we complete the information we hold about you if this is reasonable in the particular circumstances of the case.

You can request the correction of the data by contacting us using the contact details set out in this policy.

Right to erasure of personal data

You have the right to request that we delete the personal data we process about you without undue delay in the following cases

• You withdraw your consent to the processing of personal data and there is no other legitimate reason for us to continue processing the data that overrides your right to erasure;

• You object to the processing of your personal data (see below);

• Your personal data is no longer necessary for the purposes for which we collected or otherwise processed it;

• the personal data has been processed unlawfully;

• the personal data was collected in connection with the provision of information society services to a person under the age of 18;

• the personal data must be erased in order to comply with a legal obligation under Union law or Czech law to which we are subject.

In these cases, you may request deletion by contacting us using the contact information provided in this policy.

Please note that the right to erasure of personal data is not absolute and does not apply in all cases. Therefore, we may not be able to comply with your request to erase personal data, particularly in situations where the processing of personal data is necessary:

Exercise the right to freedom of expression and information;

• to comply with our legal obligations;

• for reasons of public interest relating to public health;

• for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, where erasure of the data would be likely to prevent or seriously jeopardise the achievement of the purposes of the processing;

• for the establishment, exercise or defence of legal claims.

Right to restrict the processing of personal data

• You have the right to have us restrict the processing of your personal data where

• You dispute the accuracy of the personal data. In this case, the restriction will apply for the time necessary for us to verify the accuracy of the personal data.

• The processing is unlawful and you refuse to delete the personal data and instead request a restriction on its use.

• We no longer need your personal data for the purposes for which we processed it, but you need it for the establishment, exercise or defence of legal claims;

• You object to the processing (see below). In this case, the restriction will apply for a period of time until it is verified that our legitimate grounds outweigh your legitimate grounds.

During the period of restriction, we may process your personal data (except for storage) only with your consent or for the establishment, exercise or defence of our legal claims, to protect the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State. As stated above, you may request a restriction on processing by contacting us using the contact details set out in this policy.

Right to object to processing

You have the right to object to the processing of your personal data in the following cases

Where personal data is processed on the grounds that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us or for the purposes of our legitimate interests, and you object to the processing, we may no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of our legal claims.

If personal data is processed for direct marketing purposes and you object to the processing, we will no longer process the personal data for those purposes.

If your personal data is processed for scientific, historical research or statistical purposes, we will no longer process it unless the processing is necessary for the performance of a task carried out for reasons of public interest.

You may object to this by using the contact details provided in this policy.

Right to data portability

Where we process your personal data on the basis of your consent or because it is necessary for the performance of a contract between us, you have the right to obtain from us the personal data relating to you that you have provided to us in a structured, commonly used and machine-readable format and to have that data transferred to another controller or to request that we provide that data directly to another controller where technically possible. To obtain your personal data, please contact us using the contact details set out in this policy.

Right to complain to a supervisory authority

If you believe that the processing of your personal data is in breach of the obligations set out in the GDPR, you have the right to lodge a complaint with the data protection supervisory authority in your place of residence. The supervisory authority in the Czech Republic is the Office for the Protection of Personal Data.

Data Protection Authority

Pplk. Sochora 27

170 00 Prague 7

Telephone: 234 665 111

E-mail: posta@uoou.cz Mailbox: qkbaa2n

www.uoou.cz

10. Your obligations as a data subject

In accordance with the legislation referred to in Article 5 of the Policy, you are required to provide us with identification and other necessary information if we are to enter into a contract with you. If you do not provide personal data, we will not be able to enter into a contract with you.

11. Final provisions

The privacy policy is valid from 31.8.2023.

We may update this policy, e.g. when we modify the services provided, changes in the Nano Energies Holding, due to legislative developments, etc. It is therefore in your own interest to familiarise yourself with the current version on a regular basis.