GDPR - Information Memorandum

1. General statement

1.1. Companies in the ComGate Group fulfill their obligations regarding the processing of personal data provided by ComGate for the performance of contractual and statutory obligations.

1.2. The protection of personal data follows in particular from the EU Data Protection Regulation (GDPR) 2016/679 / EU (General Data Protection Regulation).

1.3. Společnosti ze skupiny ComGate vystupují v pozici správce osobních údajů v případě, že určuje v souladu s článkem 4 odst. 7 GDPR účel a prostředky zpracování osobních údajů. 1.3. Companies in the ComGate group act as data Controller when they determine the purpose and means of processing personal data in accordance with Article 4 (7) of the GDPR.

1.4. ComGate companies are in the position of a personal data processor when processing personal data for Controller in accordance with Article 4 (8) of the GDPR.

2. Principles of personal data processing

2.1. When processing personal data, we meet the highest standards of personal data protection and adhere in particular to the following principles:

a) we always process personal data for a clearly and comprehensibly defined purpose, by the specified means, in the prescribed manner, and only for the time which is necessary for the purposes of its processing; we process only accurate personal data and their processing complies to the prescribed purposes and is necessary for the fulfillment of these purposes;

b) personal data are protected in a manner consistent with the state of the technique; the highest possible security available for such data, which prevents any unauthorized or accidental access to, modification, destruction or loss of personal data, unauthorized transmissions, any other unauthorized processing, and other misuse is ensured;

c) data subjects are informed of the processing of personal data and claims for accurate and complete information on the circumstances of such processing and other related rights;

d) the ComGate Group adheres to appropriate technical and organizational measures to ensure a level of security that meets all possible risks; all persons who come in contact with the personal data of their clients have a duty to observe confidentiality about information obtained in connection with the processing of such data.

3. Information on processing of personal data

3.1. General information about the entities of the ComGate group:

a) Company ComGate, a.s., ID No.: 265 08 842, with registered office at Prague 7 - Holešovice, Jankovcova 1596 / 14a, registered in the Commercial Register kept by the Municipal Court in Prague, Section B, Insert 7523;

b) ComGate Payments, a. s., ID No .: 279 24 505, with registered office at Prague 7 - Holešovice, Jankovcova 1596 / 14a, registered in the Commercial Register kept by the Municipal Court in Prague, Section B, Insert 17614;

c) Company ComGate, s.r.o., ID No.: 44 465 009, registered office in the Slovak Republic, at Ivanka pri Dunaji, Nádražná 1958, registered in the Commercial Register of the Bratislava I District Court, Section Sro, Insert 55471 / B;

d) Company ComGate Payments, s.r.o., ID No.: 36 797 472, with its registered office in the Slovak republic, at Bratislava, Svetlá 1; registered in the Commercial Register of the District Court Bratislava I., Section Sro, Insert 46691 / B;

3.2. Personal Data Protection Officer

For the purposes of Article 37 (2) of the GDPR, the ComGate Group has appointed a joint Personal Data Protection Officer for the whole group.

name: JUDr. Jan Onheiser

e-mail: dpo@comgate.cz

Phone No.: +420 224 25 25 59

3.3. ComGate groups process personal data for the following purposes:

a) fulfillment of statutory duties when acting as a personal data controller;

b) performance of contractual obligations where personal data have been transferred by the data subjects;

c) performance of contractual obligations where personal data were transferred to the ComGate group by the personal data controllers;

d) the protection of the rights and legitimate interests of the ComGate Group;

3.4. Scope of processed personal data:

The ComGate Group processes personal data to the extent necessary to meet the above goals. In particular, the following personal data are processed:

a) name and surname;

b) address;

c) e-mail address;

d) telephone number

e) personal identification number;

f) voice recording of phone calls;

g) data on clients' personal documents;

3.5. Method of processing personal data:

The way ComGate processes personal data includes both manual and automated processing in ComGate's information systems.

Personal data are processed primarily by ComGate employees and, to the extent necessary, by third parties. Prior to any transfer of personal data to a third party, the agreement is concluded with the same safeguards for the processing of personal data as the ComGate Group complies within its legal obligations.

3.6. Recipients of personal data

In particular, personal data are made available to employees of the ComGate Group in connection with the performance of their work responsibilities in which personal data must be handled, only to the extent that is necessary and in compliance with all security measures. Personal data may be made available to third parties involved in the processing of personal data, or personal data may be made available to them for other reasons in accordance with the law.

Prior to any transfer of personal data to a third party, a written agreement has been concluded with this person to modify the processing of personal data to include the same guarantees for the processing of personal data as the ComGate Group itself complies within its legal obligations.

In accordance with applicable laws, the ComGate Group is authorized or directly responsible for passing on your personal information:

a) to competent law enforcement authorities, courts and law enforcement agencies for the performance of their duties and for the purpose of enforcing the judgment;

b) to payment service providers where this is necessary to prevent, detect or detect fraud in the payment system;

c) to other persons to the extent prescribed by law, such as third parties for the purpose of recovering debts.

d) entities belonging to a group of persons linked to the ComGate group for the outsourcing of services;

3.7. Passing of personal data abroad

Personal data are processed on the territory of the Czech Republic and on the territory of other countries of the European Union where the entities belonging to the ComGate group are located and share the same standards of personal data protection as the Czech Republic.

Entities involved in the processing of personal data of clients do not transmit personal data of clients to countries outside the European Union.

3.8. Time of processing of personal data

Personal data are handled by the ComGate Group only for such time as is necessary for the purpose of processing.

The retention period of personal data follows from the individual legal regulations under which the ComGate Group processes personal data. In the event that personal data are processed for performance of a contractual obligation, it is necessary to process personal data for the purpose of protecting the rights and legitimate interests of the ComGate Group for 5 years from the date of termination of the contract.

3.9. Rights of data subjects

Data subjects have in particular the following rights under the GDPR provisions:

a) the right to information on the data controller, the processor and the data protection officer;

b) the right to information on the purpose of the processing of personal data;

c) the right of access to personal data and the information whether personal data are processed or not;

d) the right to lodge a complaint;

e) the right to the repair of personal data;

f) the right to delete personal data (the right to be forgotten);

g) to Revoke consent to the processing of personal data;

h) the right to limit the processing;

i) the right to transferability of personal data;

j) the right to object;

k) any other rights granted by the Regulation;

4. Final Statement

The ComGate Group responds responsibly to the protection of personal data processed in its business. In case of queries or suggestions from data subjects, it is possible to contact the Data Protection Officer or the company management.