Organization: TOP CON SERVIS Ltd., registered office Varšavská 30, Prague 2, IČ 45274983, as a controller of personal data (hereinafter referred to as the controller), issues in accordance with EU Regulation 2016/679 the following information on personal data processing.

Scope of personal data processing:
Personal data are processed to the extent that the relevant data subject has provided them to the controller in connection with the conclusion of a contractual or other legal relationship with the controller, or which the controller has otherwise collected and processes only to fulfill its legal obligations in accordance with applicable law.

Sources of personal data:
- data subjects,
- publicly accessible registers, lists and records (e.g. commercial register, trade register, real estate cadastre, public telephone directory, etc.).

Categories of personal data that are subject to processing:
- address and identification data used for unambiguous and unmistakable identification of the data subject (e.g. name, surname, title, or birth number, date of birth, address of permanent residence, IČ, DIČ) and data enabling contact with the data subject (contact details, e.g. contact address, telephone number, e-mail address and other similar information),
- descriptive and payment details (e.g. bank details),
- other details necessary in particular for the performance of the contract.

Categories of data subjects:
- client of the controller (direct by contract or authorization),
- employee of the controller,
- supplier,
- other person legally related to the controller,
- jobseeker.

Categories of recipients of personal data:
- public authorities (state and public administration of the Czech Republic: entities of the Ministry of Finance of the Czech Republic, CSSA, health insurance companies, Real Estate Cadastre, building authorities, etc.) within the legal obligations stipulated by relevant legal regulations,
- processor on the basis of a processing contract,
- other entities in the performance of the activities of the administrator, always on the basis of a legal relationship.

Purpose of personal data processing:
- negotiation of a contractual relationship,
- accounting and tax purposes,
- performance of the contract and provision of services,
- protection of the rights of the controller, beneficiary or other persons concerned (e.g. recovery of claims of the controller),
- protection of the vital interests of the data subject.

Method of processing and protection of personal data:
The processing of personal data is performed by the administrator. Processing is performed in the premises, branches and registered office of the administrator by individual authorized employees of the administrator, or by the processor. The processing takes place through computer technology, or manually for personal data in paper form, in compliance with all security principles for the management and processing of personal data. To this end, the controller has taken technical and organizational measures to ensure the protection of personal data, in particular measures to prevent unauthorized or accidental access to, alteration, destruction or loss of personal data, unauthorized transfers, unauthorized processing and other misuse of personal data. All subjects to whom personal data may be made available respect the right of data subjects to privacy and are obliged to proceed in accordance with the applicable legal regulations concerning the protection of personal data.

Time of processing of personal data:
In accordance with the deadlines specified in the relevant contracts, in the file and shredding rules of the controller or in the relevant legal regulations, this is the time strictly necessary to ensure rights and obligations arising from both the obligation and the relevant legal regulations.

Instruction
The controller processes data on the basis of legitimate reasons, especially in cases stipulated by law where the processing of personal data does not require the consent of the data subject. An exception is personal data of the data subject which go beyond legitimate reasons; such processing is always carried out with the explicit consent of the data subject. In accordance with Article 6 (1) of the GDPR, the controller may process such data without the data subject's consent provided:
- the processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures taken before the conclusion of the contract at the request of the data subject,
- the processing is necessary for the fulfillment of a legal obligation of the controller or for the protection of the vital interests of the data subject or another natural person,
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority entrusted to the controller,
- the processing is necessary for the legitimate interests of the controller or third party concerned, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data.

Rights of data subjects
In accordance with Article 12 of the GDPR, the controller shall, at the request of the data subject, inform the data subject of the right of access to personal data and the following information:
- purpose of processing,
- category of personal data concerned,
- recipients or categories of recipients to whom the personal data were or will be made available,
- the planned period for which personal data will be stored,
- all available information on the source of the personal data, if not obtained from the data subject,
- whether there are automated decisions, including profiling.

Any data subject who discovers or suspects that the controller or processor is processing his or her personal data contrary to the protection of the data subject's private and personal life, without a legitimate reason or in breach of the law, in particular if the personal data are inaccurate with regard to the purpose of their processing, may:
- ask the administrator for an explanation,
- require the controller to eliminate the situation thus created, in particular by blocking, correcting, supplementing or deleting personal data (if the data subject's request under paragraph 1 is found to be justified, the controller shall immediately remove the defective condition, the controller shall have the right to provide reasonable compensation in excess of the costs necessary to provide the information, which is publicly available on the administrator's website).

In Prague, on May 25, 2018