CERVA GROUP a.s., Company ID No. 267 12 121, with its registered office at Průmyslová 483, 252 61, Jeneč, registered in the Companies Register of the Municipal Court in Prague under File No. B 7786, represented by Albert Giliaev (hereinafter also "us", "our" or "we"), as a personal data controller, informs you, the users of the website www.cerva.com our customers, distributors and suppliers about what personal data we collect and about our privacy regulations as described below.

The privacy of your personal data is important for us and, therefore, in all our dealings with you we will always observe the provisions of this Privacy Policy. This Privacy Policy especially explains:

• Which of your personal data we will process;
• For what purposes and how we will process your personal data and the legal basis for this processing;
• To whom your personal data may be transferred;
• For how long we will process your personal data; and
• Your rights related to the processing of your personal data.

If you need an explanation of any part of this document, if you need any advice or if you need to discuss further processing of your personal data, you can contact us anytime at the e-mail address GDPR_Info(at)cerva(dot)com

SCOPE OF PERSONAL DATA PROCESSING

If you contact us via our website, you may be asked to enter certain data about you or your company. This data may especially include:

• name and surname or commercial name;
• company's address or registered office;
• date of birth or identification number and tax identification number;
• telephone number;
• e-mail address;
• IP address
• the data obtained via cookies in Google Analytics

Our website is not intended for children under 16 years of age. We do not process any personal data of children under 16 years of age.

COOKIES

Our website uses cookies (small text files stored on your device) which are used for the provision of websites and online services and for the collection of data. The text in a cookie file often consists of a string of numbers and letters that identify your web browser or computer, but it may also contain other information. We may collect this information during your interaction with our website, such as subscribing for a newsletter, submitting a contact form or inquiry about our services or goods, logging into the customer or supplier zone or completing other form-like fields. More information about cookies can be found, for example, by checking out the Internet encyclopaedia Wikipedia here. We collect this data only if you submit one of the above-mentioned forms.

Our website may also collect other information such as the type of your browser or operating system, your IP address, website visits or Internet connection provider or other information of similar nature.

All the data collected on our website is collected via Google Analytics and Google Tag Manager and serves exclusively for improving the services provided to our website visitors and for marketing purposes. The method of preventing the collection of this information is described in the paragraph below. In no case we will sell, exchange or lease this data.

While most web browsers enable cookies by default, they also provide tools by which cookies can be blocked or removed.

Our company uses these cookies:

HOW TO DISABLE COOKIES

Some features of our services are based on cookies. Even if you have agreed to the use of cookies which track your activities on our websites, you can subsequently block their use. If you decide to block cookies, you will likely not be able to log in or use these features and there may be a loss of preferences that are based on cookies. The use of cookies can be configured in your Internet browser. Most browsers accept cookies by default. In your web browser you can either disable cookies or you can set that only selected cookies will be used.

More information on browsers and on how to configure one's cookie preferences can be found on the following websites:

• Chrome
• Firefox
• Internet Explorer
• Safari
• Android

An effective tool for cookie management is also available here

PURPOSE OF PROCESSING AND LEGAL BASIS FOR PROCESSING

The data you disclose to us is used by us to contact you back and provide you with information that you request or for the performance of a contract. All personal data is processed in a legal and transparent manner and we will only ask for data that is reasonable, relevant and necessary for the purpose of the processing. The legal basis for this processing is the processing for the performance of a contract.

In addition, we can use your name, surname and e-mail address to send you commercial messages, i.e. to inform you about any events, publications or services that we provide and that, in our opinion, may interest you. The disclosure of personal data for the performance of a contract and the disclosure of personal data for answering your questions or providing information you request are one of our contractual conditions and failing to disclose this data may result in our not entering into a contract or not answering your questions. We may also use your personal data for our internal needs, especially for monitoring your satisfaction, for optimising and improving the quality of the products and services provided or for developing new products and reducing risks.

The legal basis for the above processing is the processing based on our legitimate interests, which include our interest in the promotion of our products and, at the same time, our interest in making improvements to the quality of the services we provide.

You can at any time reject the processing of your personal data for the purposes of sending commercial messages and this will have no impact on any of our other dealings. You will only have to send us an e-mail with the relevant request to GDPR_Info(at)cerva(dot)com or to the address from which you received our commercial message, or you can opt out of receiving them by using the opt-out link at the foot of every message/newsletter.

Your personal data will not be used for the purpose of any automated decision-making, including profiling.

WHO CAN ACCESS YOUR PERSONAL DATA

For the purposes of improving the quality of our services and performance of some activities, your personal data will be processed for us by processors who provide us with

• server, web, cloud or IT services;
• accounting services
• legal services
• marketing agencies

With regard to ongoing changes in the providers of some services, it is not possible to specify the names of all personal data processors. An up-to-date list of the specific personal data recipients may be provided on request at the following address GDPR_Info(at)cerva(dot)com

DATA PROCESSING/RETENTION PERIOD

We will be processing your personal data for a period during which we provide you with our services or perform a contract signed between us and you or for a period necessary for the fulfilment of the archiving obligations in accordance with the applicable laws and regulations such as the Act on Accounting, Act on Archiving and Records Management or the Value Added Tax Act.

Thus, we will retain your personal data for a period strictly necessary for the provision of products and completion of the required transactions or for other necessary purposes, such as compliance with our legal obligations, resolution of disputes and legal enforcement of our agreements. These needs may vary with different data types in the context of various products and, therefore, the actual data retention period may differ substantially. The criteria that determine the data retention period include the following:

• For how long is personal data necessary for the provision of products and for securing our company operations? This includes activities such as maintaining and improving the performance of these products, maintaining the security of our systems and maintaining the relevant business and financial records. This is a generally applicable rule which in most cases is the basis for defining the data retention period.
• Do you disclose your data to us with an expectation that we will retain this data until you expressly ask us to erase it?
• Is this personal data sensitive? If yes, it is generally appropriate to use a shorter data retention period.
• Have we introduced and announced a specific retention period for a particular type of data? If yes, then we will surely never exceed this period.
• Have you given your consent to an extension of the data retention period? If yes, we will retain data in line with your consent.
• Are we subject to any legal, contractual or similar obligations to retain data? Examples include laws that stipulate mandatory data retention or a government order that requires retention of data related to investigations or retention of data for litigation purposes.

YOUR RIGHTS RELATED TO PERSONAL DATA PROCESSING

In relation to our processing of your personal data you will have the following rights:

• the right of access to personal data;
• the right to rectification;
• the right to erasure ("the right to be forgotten");
• the right to restriction of data processing;
• the right to object to processing;
• the right to data portability;
• the right to lodge a complaint about the processing of personal data.

Your rights are explained below to give you a more concrete idea about what these rights mean.

The right of access means that you can anytime ask for our confirmation whether the personal data concerning you is or is not being processed and, if yes, for what purposes, to what extent, who is given access to this data, how long we will be processing this data, whether you have the right to rectification, erasure, restriction of processing or to object, how we have obtained this personal data and whether the processing of your personal data serves as a basis for automated decision-making, including potential profiling. You also have the right to obtain a copy of your personal data, with the first copy being free of charge, while for any additional copies we may charge a reasonable fee as compensation for our administrative costs: the fee is CZK 100.

The right to rectification means that you can anytime ask us to rectify or complete your personal data if this data is inaccurate or incomplete.

The right to erasure means that we will have to delete your personal data if (i) it is no longer necessary for the purposes for which it was collected or otherwise processed, (ii) the processing is unlawful, (iii) you object to the processing and there are no overriding legitimate grounds for the processing, (iv) we are required to do so under a legal obligation or (v) you withdraw your consent to the processing of cookies which track your activities on our websites.

The right to restriction of processing means that until we resolve any disputed issues concerning the processing of your personal data, we may only process your personal data for the purposes of its storage and we may use the data only with your consent or for the establishment, exercise or defence of legal claims.

The right to object means that you may raise an objection to the processing of your personal data that we process for direct marketing purposes or due to a legitimate interest. If you raise an objection to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes; if you raise an objection to the processing due to a legitimate interest, this objection will be evaluated and we will subsequently inform you on whether we have granted your objection and we will thus no longer process your data or whether we have found your objection unjustified and the processing will continue. In any case, until the objection is resolved, the processing will be restricted.

The right to portability means that you have the right to obtain personal data that concerns you and that is processed in an automated manner on the basis of a consent or a contract in a structured, commonly used and machine-readable format and the right to transmit this personal data directly to another controller.

If you have any concern or complaint concerning personal data protection or any question to the person responsible for data protection at our company or if you want to exercise any of your rights, please contact us by using our web form. We will respond to your questions or concerns within 30 days.

Our activities are also supervised by the Office for Personal Data Protection, where you can file a complaint if you are not satisfied. For more information, visit the website of the Office.

REPORTING OF SECURITY INCIDENTS

In today's era of modern technologies there is a very low, but real risk that your personal data may leak or may be misused or lost. While carrying out our business operations, we will do our utmost to prevent any such safety incident from happening and we will especially provide regular personal data protection training to all our employees who come in contact with your personal data, we will adopt and inform our employees about our internal corporate regulations regulating the protection of your personal data and we will always use efficient technical solutions to make our data processing secure, such as data encryption, complex passwords or software updates.

If, however, despite all our best efforts, a safety incident occurs and might pose a high risk to your rights and freedoms, we will promptly notify you of this fact, by using the e-mail address you provided to us and by publishing this information on our website including all the necessary details.

AMENDMENTS TO PRIVACY POLICY

Our Privacy Policy may be amended from time to time. Without your express consent, we will not limit any of your rights arising from this Privacy Policy. Any amendments to this Privacy Policy will be published by us on this website and, if major amendments are to be made, we will inform you in a more transparent manner (with regard to some services, we may announce amendments to this Privacy Policy by e-mail). We will archive the previous versions of this Privacy Policy for you so that you can also access them in the future. They are available by using the links at the beginning of this Privacy Policy.

This Privacy Policy comes into effect on 14.5.2018