Declaration on the processing of personal data pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the information of data subjects (hereinafter referred to as "GDPR")

1. The personal data controller VLNAP a.s. with its registered office at Nejdek, Karlovarská 1342, 36221, ID No.: 00013111, VAT No.: CZ00013111, a company registered in the Commercial Register maintained by the Municipal Court in PLZNI, (hereinafter referred to as the "Controller") hereby informs you about the processing of your personal data and your rights in accordance with Article 12 of the GDPR.

2. Scope of personal data processing
Personal data are processed to the extent that the relevant data subject has provided them to the controller, in connection with the conclusion of a contractual or other legal relationship with the controller, or which the controller has otherwise collected and processes them in accordance with applicable law or to fulfil the controller's legal obligations.

3. Sources of personal data:
- directly from data subjects
- wholesale
- distributor
- publicly accessible registers,
- lists and records (e.g. commercial register, trade register, land register, public telephone directory, etc.)

4. Categories of personal data subject to processing:
- address and identification data used to uniquely and unmistakably identify the data subject (e.g. name, surname, title, birth number, date of birth, permanent address, identity document number, gender, ID number, VAT number) and data enabling contact with the data subject (contact data - e.g. contact address, telephone number, fax number, email address and other similar information)
- descriptive data (e.g. bank details, date)
- other data necessary for the performance of the contract

5. Categories of data subjects:
- customer of the controller
- service provider
- another person who has a contractual relationship with the controller

6. Categories of recipients of personal data:
- processor
- state etc. authorities in the performance of their statutory obligations under the relevant legislation

7. Purpose of the processing of personal data
- the purposes contained in the data subject's consent
- the negotiation of a contractual relationship
- performance of the contract
- protection of the rights of the controller, the recipient or other persons concerned (e.g. recovery of claims of the controller)
- archival records kept on the basis of the law
- the fulfilment of legal obligations by the controller
- protection of the vital interests of the data subject

8. Method of processing and protection of personal data
The processing of personal data is carried out by the controller. The processing is carried out at the controller's premises, branches and headquarters by individual authorised employees of the controller or by the processor. The processing is carried out by means of computer technology or, in the case of personal data in paper form, manually, in compliance with all security principles for the management and processing of personal data. To this end, the controller has taken technical and organisational measures to ensure the protection of personal data, in particular measures to prevent unauthorised or accidental access to, alteration, destruction or loss of personal data, unauthorised transmission, unauthorised processing or other misuse of personal data. All entities to whom personal data may be disclosed shall respect the right of data subjects to privacy and shall comply with applicable data protection laws.

9. Duration of processing of personal data
In accordance with the time limits set out in the relevant contracts, in the controller's filing and shredding system or in the relevant legislation, this is the period of time necessary to ensure the rights and obligations arising from both the contractual relationship and the relevant legislation.

10. Instructions
The controller shall process data with the consent of the data subject, except in cases provided for by law where the processing of personal data does not require the consent of the data subject.