Terms of Personal Data Protection

according to Regulation of the European Parliament and of the Council (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”)

I. CONTROLLER

1) The controller of your personal data is the company:
KRPA PAPER, a.s.
with registered seat at: Hostinné, Nádražní 266, PSČ: 543 71
VAT: CZ27537820
registered under No. 2767 Rubric B, Register of Companies, Regional court Hradec Králové

PAPÍRNY BRNO a.s.
with registered seat at: Brno - Trnitá, Křenová 186/60, PSČ: 602 00
VAT: CZ49970933
registered under No. 1249 Rubric B, Register of Companies, Regional court Brno

KRPA FORM, a.s.
with registered seat at: Dolní Branná 122, PSČ 543 62
VAT: CZ 275 37 811
registered under No. 2766 Rubric B, Register of Companies, Regional court Hradec Králové

KRPA INVESTMENT, a.s.
with registered seat at: Plzeň, Zahradní 173/2, PSČ: 326 00
VAT: CZ28014111
registered under No. 1431 Rubric B, Register of Companies, Regional court Plzeň

KRKONOŠSKÉ PAPÍRNY a.s.
with registered seat at: Hostinné, Nádražní 266, PSČ 543 71
VAT: CZ45534284
registered under No. 583 Rubric B, Register of Companies, Regional court Hradec Králové

TOP LIGHT spol. s r.o.
with registered seat at: Praha 4 - Nusle, Na strži 1702/65
VAT: CZ48109266
registered under No. 15976 Rubric C, Register of Companies, Regional court Praha

(hereinafter referred to only as the "Company")

2) The Company did not appoint a data protection officer.

3) Your personal data is processed by the Company. Data is processed in its points of business, branch offices and registered office by appointed employees, its partners or statutory body, or processors. Data is processed using information technology, or also manually in case of personal data in a documentary form, in compliance with all security principles for control and processing of personal data. The Company exercises its maximum efforts to protect your privacy when its services are used. The Company adopted technical and organisational measures to protect your personal data from loss, unauthorised handling and access. The Company continuously adapts its security measures in accordance with technological progress and development.

II. PROCESSED PERSONAL DATA

1) You are not obliged to provide the Company with your personal data. However, without providing your personal data, the Company will neither enter into any contract with you, nor provide you with any other service. The Company requires your personal data only for the Company's needs (for the reasons, for the purpose and for the time as specified in details hereinafter). Your personal data will not be under any circumstances sold to third parties or used in other commercial manner.

2) The Company processes your following personal data:

a) when a contract is concluded with you
- Name and surname
- Address
- Email address (IP address)
- Telephone
- Bank details :
- Business ID and VAT ID (for natural persons - entrepreneurs)
- Contact data to your employees
- Other data necessary for fulfilment of a contract
- Data provided outside the scope of the relevant laws processed within your granted consent

b) for sending commercial communications in situation when you are not a customer of the Company, you did not conclude any contract with the Company, or if you only registered with the Company
- Name and surname
- Email address

c) if you only send a question, commentary, review
- Name and surname
- Email address

3) The Company acquires personal data for processing either directly from you (data provided by you within the registration for a service, or from individual communication with you), or from public available registers, lists or records (such as the Commercial Register, Trade Registers, public telephone list etc.)

III. LAWFUL REASON AND PURPOSE OF PERSONAL DATA PROCESSING

1) Personal data must be processed:

a) when a contract is concluded with you - in order to prepare a proposal, to conclude a contract and to perform it, or to keep the status of your customer account and to fulfil the related contract or statutory obligations, such as retention of tax documents and attending complaints.

I.e. the lawful reasons are:
(i) performance of a contract (pursuant to art. 6 (1) b) GDPR),
(ii) compliance with a legal obligation (pursuant to art. 6 (1) c) GDPR),
(iii) legitimate interests (art. 6 (1) f) GDPR), i.e. namely direct marketing when the Company processes your personal data also for the purpose of sending commercial communications related to own similar services, satisfaction survey questionnaire, sending birthday wishes or PF cards and to perform simple analyses (e.g. visitors rate of websites etc.).
(iv) giving a consent (pursuant to art. 6 (1) a) GDPR) e.g. for sending commercial communications that are not direct marketing, i.e. sending commercial communications with offers for products or services of third parties

b) for sending commercial communications in situation when you are not a customer of the Company, i.e. you did not conclude any contract with the Company, or if you only registered with the Company, the lawful reason for processing is giving your consent (pursuant to art. 6 (1) a) GDPR). If a consent is given, data is processed for the purpose of offering services, sending commercial communications and information about special events of the Company etc.

c) if you only send a question, commentary, review, the lawful reason for processing is a fulfilment of a (pre)contract obligation (pursuant to art. 6 (1) b) GDPR).

IV. TIME OF STORAGE OF PERSONAL DATA

1) Your personal data will be processed only for a necessary period of time:

a) if a contract is concluded, your personal data will be processed for the necessary period of time which is given by the fulfilment of a contract and subsequent storage of tax documents for the ordered and supplied service or goods; however, you have the right to object at any time to processing of your personal data for the purpose of direct marketing.

b) if a consent is given, your personal data will be processed for the period of 3 years, however, no later than to the withdrawal of your consent to processing your personal data,

c) if you only filled in a contact form, and a contract was not subsequently concluded, then for the period of 3 years, if your personal data is processed for this reason, you have the right to object to further processing.

2) You may send an objection to processing your personal data to the Company in writing to the Company's address or email to the address info(***antispam***@***antispam***)krpa(***antispam***.***antispam***)cz.

V. OTHER RECIPIENTS OF PERSONAL DATA

1) Your data is processed by the Company, i.e. a personal data controller, however, personal data can be processed from the Company also by third parties such as:
- suppliers of external services for the Company (typically programming or supporting technical services, server services etc.),
- operators of back-up services or of technologies used by the Company who process the data in order to keep the relevant services of the Company functional.

2) If you entered into a contract with the Company, your personal data may also be processed:
- in a necessary extent by tax advisers, auditors, legal counsels of the Company who process personal data for providing consulting services,
- members of the same Group as the Company
- personal data related to debtors with overdue debts may be made accessible also to a company providing insurance of claims or to enforcement and collection agencies for the enforcement or collection of the Company's claims,
- providers of payment gateways,
- hauliers
- at request or in case of a suspicion of illegal practises personal data can be disclosed to state regulatory authorities,
- other providers of similar services which are not used by he Company at the moment.

3) The Company does not intend to disclose your personal data to a third country (to a country outside EU) or to an international organisation.

VI. YOUR RIGHTS

1) In relation to processing of your personal data by the Company you are entitled to:
- request information about which of your personal data is processed by the Company,
- ask an explanation from the Company regarding processing of your personal data,
- request from the Company an access to your personal data and have it updated or corrected,
- ask the Company to delete your personal data, or limit its processing,
- transfer your personal data to another controller,
- withdraw your consent given to processing of your personal data,
- object to data being processed for the reason of the Company's legitimate interest
- address the Company or the Office for Personal Data Protection in case of doubts regarding compliance with the obligation related to processing of your personal data.