Information for customers and suppliers who are natural persons

INFORMATION PROVIDED WHEN PERSONAL DATA IS OBTAINED FROM THE DATA SUBJECT — CUSTOMERS AND SUPPLIERS WHO ARE NATURAL PERSONS

pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("the Regulation").

CAMPING BALDOVEC s.r.o., ID No. 63486377, registered office Baldovec 319, 798 61 Rozstání, registered in the Commercial Register kept by the Regional Court in Brno, section C, file 21391 (the "Controller") hereby provides natural persons (the "Data Subjects") who intend to enter, or have already entered, a customer or supplier contractual relationship with the Controller the following information pursuant to Art. 13 of the Regulation.

1. Identity and contact details of the Controller

1.1. The Controller of personal data is CAMPING BALDOVEC s.r.o., ID No. 63486377, registered office Baldovec 319, 798 61 Rozstání, registered in the Commercial Register kept by the Regional Court in Brno, section C, file 21391.

1.2. Contact details of the Controller: postal address Baldovec 319, 798 61 Rozstání, e-mail address gdpr@baldovec.cz.

2. Necessary scope of processed personal data and the purposes for which it is processed

2.1. First name, surname, date of birth, place of permanent residence, delivery or other contact address of the Data Subject — for the purposes of negotiating, concluding or amending the contract between the Data Subject and the Controller and the subsequent performance of rights and obligations under those contracts. If the Data Subject acts in the contract as a business, the Controller also processes their business identifiers for the same purposes. The data may further be processed to assert the Controller's rights against the Data Subject before the competent public authority.

2.2. Telephone and e-mail contact of the Data Subject — for negotiating, concluding or amending the contract and the subsequent performance of rights and obligations. These data may further be processed to assert the Controller's rights against the Data Subject before filing with a public authority.

2.3. Bank account number of the Data Subject — for the purposes of performing the contract where the parties have agreed that performance will be made by bank transfer to the Data Subject's account.

2.4. Business name or name, name supplement, registered office, tax identification number (if assigned) — for the purposes of issuing tax documents.

3. Legal basis for processing

3.1. Processing of the data listed in Art. 2 par. 2.1, 2.2 and 2.3 is based on Art. 6(1)(b) of the Regulation. The reason the Data Subject provides the data to the Controller is the identification of the parties necessary for the conclusion and performance of the contract (a contractual requirement); without providing the data this would not be possible. Failure to provide the data by the Data Subject may result in the contract not being concluded and performance not being provided. Processing of data listed in Art. 2 par. 2.1 and 2.2 is also based on Art. 6(1)(f) of the Regulation.

3.2. Processing of the data listed in Art. 2 par. 2.4 is based on Art. 6(1)(c) of the Regulation, as the Controller's legal obligation arises from Act No. 235/2004 Coll. on value-added tax, as amended. This is therefore a statutory requirement and the Data Subject is obliged to provide such data to the Controller.

4. Legitimate interests of the Controller for processing under Art. 2 par. 2.1, 2.2 and 2.5

4.1. The Controller's legitimate interest in processing the data listed in Art. 2 par. 2.1 and 2.2 is the protection of its property, since non-performance or improper performance of obligations by the Data Subject may negatively affect the Controller's property.

5. Recipients or categories of recipients of personal data, including any processors

5.1. Public authorities, although public authorities which may obtain personal data in a specific inquiry in accordance with Member State law are not considered recipients.

5.2. The Controller's suppliers if they participate in performance for the Data Subject, including suppliers providing transport of goods covered by the contract.

5.3. Other suppliers of the Controller, in particular IT service providers, archiving service providers, lawyers, accountants, tax advisors etc.

6. Storage period of personal data, or if it cannot be determined, the criteria used to set it

6.1. All personal data is stored by the Controller only for as long as is necessary for the purposes of processing.

6.2. For personal data needed to assert or defend the Controller's rights against the Data Subject, where no other law sets a minimum retention period, data will be stored for the duration of the contractual relationship and for a further 3 years from its termination, having regard to the statutory limitation period.

6.3. Tax documents are retained for 10 years from the end of the tax period in which the supply was made (Section 35 of Act No. 235/2004 Coll. on VAT, as amended).

6.4. Pursuant to Section 31 of Act No. 563/1991 Coll. on accounting, as amended: financial statements and annual reports are retained for 10 years from the end of the accounting period; accounting documents, books, depreciation plans, inventory listings, charts of accounts and overviews for 5 years; and accounting records by which units evidence accounting for 5 years from the end of the accounting period.

6.5. If the warranty period or complaint proceedings exceed the periods above, the Controller retains the documents and accounting records for the duration of that period or proceedings; if a record relates to an unpaid receivable or unmet obligation, the entity retains it until the end of the first accounting period following the period in which payment was made or the obligation fulfilled.

7. Other information

7.1. The Controller does not intend to transfer personal data to a third country or an international organisation.

7.2. No automated decision-making, including profiling, within the meaning of Art. 22(1) and (4) of the Regulation takes place during processing by the Controller.

8. Rights of the Data Subject

8.1. Under the conditions of the Regulation the Data Subject has the right to request from the Controller access to their personal data (Art. 15), rectification (Art. 16) or erasure (Art. 17), or restriction of processing (Art. 18), and to object to processing (Art. 21), as well as the right to data portability (Art. 20).

8.2. The Data Subject has the right to lodge a complaint with the supervisory authority — the Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 727/27, 170 00 Prague 7 Holešovice https://www.uoou.cz — see Art. 77; with this is closely linked the right to an effective judicial remedy against the supervisory authority (Art. 78) and against a controller or processor (Art. 79).

8.3. The Data Subject also has the right to compensation for material or non-material damage suffered as a result of an infringement of the Regulation, which they may pursue before a competent court (Art. 82).

In Baldovec, 25 May 2018

CAMPING BALDOVEC s.r.o.