Information memorandum - clients

1. Who is the data controller?

The data controller is Ayvens s.r.o. (hereinafter “Ayvens”).

Data controller’s contact details:
Ayvens s.r.o.
Registered office: U Stavoservisu 527/1, Malešice, 108 00 Prague 10
email: osobniudaje@aldautomotive.com
web: www.ayvens.cz
Reg. (ID) No.: 61063916, registered in the Commercial Register kept by the Municipal Court in Prague, file no. C 43360

Data Protection Officer’s contact details (DPO): You can contact the DPO by email at osobniudaje@kb.cz, by phone on 800 521 521 in the Czech Republic or +420 955 559 550 from abroad, or in writing at:

Data Protection Officer / KB DPO
Na Příkopě 969/33
114 07 Prague
Czech Republic

The data controller collects and manages your data, and is responsible for its correct and lawful processing. We use the data you provide us or that we obtained from other sources to fulfil one or more purposes. You can exercise your rights with respect to the data controller in the manner indicated below. In the case of Group Marketing Consent, your data is shared in the entire KB Group (see chapter "What types of consent do we use at Ayvens?").

Situations in which we obtain data about you are most often when:

You order/purchase our products or services If you order/purchase a product or service from us or express an interest in doing so, you provide us with Basic Data and the data required to conclude a contract or provide you with a service.

You use our products or services The "use of a product" includes the use of a vehicle based on a leasing agreement concluded between you and Ayvens, the use of supplementary services related to the use of the vehicle, as well as the use of other services agreed with Ayvens. Ayvens manages the data that you give us and that is required to provide the product or service.

You communicate and deal with us directly When you communicate with us, whether you do so electronically, in writing, by phone or during a personal visit, we collect and manage data from this communication at Ayvens. We also manage, among other things, security camera recordings and data from cookies.

Who are you providing your personal data to? We principally manage your personal data within Ayvens. We only transfer certain data outside Ayvens if you allow us to do so (such permission may be granted by Marketing Consent), if required by law or if it is a matter of sharing data for the purposes of negotiating a contract and its subsequent performance. Your data may also be processed by cooperating distributors and suppliers (data processors), if this is necessary to achieve any of the purposes listed above, especially if an external entity has the required competence and expertise in the given field. Some of our services are provided in collaboration with companies outside Ayvens. We are also required to provide your data to various state and international authorities, but always under the conditions stipulated by legislation.

2. What personal data do we process at Ayvens?

Personal data is any information that relates to an individual (natural person) on the basis of which it is possible to identify that individual. We are open about our activities at Ayvens, which is why it is important to us that you know how we process your personal data and the purposes it’s used for. The data that we process includes: your first and last name, national identity number (or business name, registration number and registered office in case of an entrepreneur), date of birth, contact details, information on your solvency, payment morale and credit history, socio-demographic data, information on the use of products and services, information from requests for products and services or other interactions between us, geolocation data, information from the internet browser or mobile applications you use and data that we process to meet our legal obligations or protect our legitimate interests. This includes data that we obtain directly from you, from public sources (including information that you post about yourself on the internet), from surveys and user testing or from cooperating third parties.

In the following section, we will explain what personal data we process, including examples:

Information identifying the data subject Identification data is part of every contract you enter into with us. This mainly includes your academic title, first and last name, national identity number and date or place of birth (this can also be your company registration number and business address if you run your own business), the number of submitted identification documents and their copies, identification of your designated representative or contact person, identification of the bill payer, your bank details and signature. This data is important to ensure that we are contacting the right person.

Address and contact details Your postal address, telephone number or e-mail are especially important for us to be able to communicate with you effectively.

Descriptive data

Sociodemographic data Descriptive data includes, among other things, socio-demographic data. This is standard statistical data, such as your age, place of residence, marital status (single, divorced), education, income, etc. You give us this data when ordering/purchasing products or we derive it from other data we have collected about you.

Financial status In order to create a financial picture of you, we collect information that tells us about your financial situation. You then inform us about your income and liabilities, such as other loans or leasing.

Tax residency and legal requirements As a leasing company, Ayvens is required to pass on information in certain cases of service provision by law. One example is the requirement for us to collect data ascertained and verified in connection with risk assessment aimed at preventing the legalisation of the proceeds of crime and financing of terrorism.

Business characteristics of a non-financial nature In order to reliably help you with your business activities, we are interested in the environment and industry in which you do business.

Data from public registers Sometimes our own data is not enough. Therefore, we also use information from external sources, which mainly include public registers, such as the Commercial Register, Register of Economic Entities, the register of debtors, professional registers or the register of invalid documents.

Data processed for client service and from surveys We consider activities related to marketing as a suitable way to alert you to new products, services or benefits that we are preparing for you. Therefore, we use the personal data that we process, such as Basic Data, to take care of you as efficiently as possible.

Naturally, we are also interested in your opinions and needs. For example, when we are preparing a new product or service, we want to know what you think of our existing products, services or ads. So, we ask you, our clients, directly in various surveys. The output of these is the average results for the entire group of respondents, never at individual level, but we are also inspired by concrete statements. The development of new services is a bit different – in addition to asking respondents how they like a new application, we also conduct user tests with them. These tests allow us to determine whether an application is not only appealing, but also easy to use.

Information from the internet and networks Information collected when using our electronic applications also includes, among other things, geolocation data. This is data that identifies the precise address from which the application was accessed. We determine your location from logins to the online application. We also use geolocation data when you’re visiting our website in order to offer you contact information for a contractual partner near you based on your current location. We only collect all this information with your consent (see chapter "What types of consent do we use at Ayvens?").

Telematics In case of a service ordered by you, information from the use of our vehicles may include geolocation data determining the location of the vehicle during its use. Terms and conditions for the management and processing of geolocation data are governed by mutual agreement between you and Ayvens when ordering this service.

Sensitive data Sensitive data is a special category that includes data on racial or ethnic origin, political views, religious or philosophical beliefs, trade union membership, health condition, sexual orientation and criminal offences or convictions. This also includes genetic and biometric data. However, in the vast majority of cases, Ayvens does not collect and process this type of personal data at all.

Data from communication and interaction with the client

Client consent We process personal data on the basis of various types of consent at Ayvens. For example, you grant us special consent for communication with you and to process your personal data for marketing purposes. You can find more information in the chapter "What types of consent do we use at Ayvens?".

Claims and complaints If you were not satisfied with anything from us, you can file a claim or complaint. We process information related to the investigation of the claim or complaint in order to provide you with the best possible answer.

Electronic methods of communication used for authentication and authorization We also work with data on electronic methods of communication, which are primarily used for authentication, that is, to verify your identity and authorisation. An example of data that falls in this category is a digital signature, certificate, or commonly used login user name for applications, or the serial and manufacturing number of a device (MAC address).

Debt collection If a situation arises where you are unable to fulfil your obligations to us, we process information related to debt collection. We look for your current address, contact details and additional information, where applicable, from internal and external sources. We communicate with you by phone, in writing, through electronic channels or other methods of communication. We record and store all communication between you and Ayvens for the purposes of legal disputes.

Camera recordings We want you to feel safe with us, which is why we monitor the premises of our branches, as well as other Ayvens premises. We keep the recordings from these cameras for as long as necessary.

Data associated with ties to other entities We record and keep records of relationships, family members (e.g., for a guarantee relationship), as well as records of supplier and customer relations for the purposes of negotiating a contract, protecting our legitimate interests and on legal grounds. You know us, which is why we are also interested in knowing you - our client. That’s why we try to find out information about you and the ties between you and other individuals. You may also be the representative or statutory body of a legal entity. We may record these relationships when providing services.

Data associated with ties to products/services

Draft terms and conditions for leasing a vehicle If you want to lease a vehicle from us, we will identify you as the applicant, together with your co-applicant, if any. We will prepare a draft of the leasing terms and conditions for you, where we will specify all necessary parameters (type of vehicle, range of services, lease payments, etc.).

Assessment of a client’s credit risks Assessing the client's credit risk means an overall assessment of financial and non-financial factors affecting your ability to meet your obligations as a client.

Information on solvency, payment morale and credit history In some cases, if you apply to lease a vehicle from us, or in other words for financing, we are required to verify your solvency, payment morale and credit history in the relevant registers by law and according to our internal regulations. This information together with the information stored in our systems (e.g., your transaction data) is the basis for determining your creditworthiness or ability to meet your financial obligations.

Data processed on the grounds of legal obligations and legitimate interests

Data that we process about you in order to meet our legal obligations Examples of data that we process on the grounds of legal obligations include the sources and the origin of your income, capital ties, nationality, place of residence, political affiliation, etc.

Data that we process about you in order to protect our legitimate interests The data we process about you in order to protect our legitimate interests is typically designed to ensure the safe use of our products and services, manage our risks, assess solvency, payment morale and credit history, prevent and evaluate potentially fraudulent actions, etc.

3. What sources does personal data come from?

The data processed at Ayvens comes from various sources. Most often this data is provided by you, the client. In many cases, we create data for further processing ourselves (ratio indicators, analyses, reports, etc.). We also use other information about the client that we obtain from public sources that has been published in accordance with the law (for example, public lists and registers or other public information sources) or from cooperating third parties as part of our activities.

We may also provide your personal data to third parties or recipients, if such disclosure or provision is contractually agreed between Ayvens and you as the client, or you have given your consent to such a transfer of data as an Ayvens client.

Beyond the above, any other personal data voluntarily provided to us by you may also be processed. We reserve the right to destroy unsolicited personal data. We will inform the data subject of this procedure.

4. What legal reasons do we have for processing your personal data?

We can only process your personal data within the given scope, if at least one of the following conditions is met:

5. For what purposes do we process your personal data?

We process your data to the extent absolutely necessary for the relevant purpose, e.g., to be able to provide the given service. This includes negotiating a new contract or the performance of a previously concluded contract. Typically, it is about identifying you, the client.

Our obligation to process data is further prescribed by a number of legal regulations. For example, the law against money laundering stipulates the obligation to request your identification data. We are also required to process a lot of data for archiving purposes. We process some data because it is necessary to protect the rights and legally protected interests of both Ayvens and third parties. However, processing data for this reason is limited and we carefully assess the existence of a legitimate interest.

In other cases, we only process your personal data with your consent.

Examples of the purposes for which we process personal data at Ayvens are presented in the following paragraphs in sample situations:

Provision of a product or service

Client identification In order to conclude a contract and provide you with our services, we need to know your Basic Data. When providing selected types of services, we need to identify you pursuant to the Anti-Money Laundering Act, which requires us to do so. Identification is also necessary if you wish to exercise your rights in matters of personal data protection. We manage your access data in order for you to be able to service your products through our applications and communicate with us electronically – this primarily concerns login names and passwords, which are used for secure authentication.

Preparation of a contract at your request We only collect and process essential data that is required to draft your contract. In order to conclude a contract with you, we need to know your name and contact details. The next group of data depends on the nature of the service that is the subject of the contract. For example, to lease a vehicle, we need information about your solvency and payment morale. Until the contract is signed, we only use the data to prepare a draft contract at your request. After signing the contract, we process this data for the purpose of its implementation; if the contract is not signed, we only process this data if this is covered by another purpose.

Use of products and services We process your personal data when you choose our products and use our services. This primarily concerns your Basic Data, data on products and services, and geolocation data. We record, manage and keep this data up-to-date. If you use our services using mobile devices or online applications, including telematics devices (if you require this from us), we collect data about your location. We display basic information about you and your products on the electronic portals you use to service your products, and we manage this information to make it easier for you to do so.

Maintaining client communication and improving client care

Customer relationship management We respect your needs and preferences. To this end, we try to create a comprehensive overview of what services you use and your wishes. We work with you on a variety of matters relating to the relevant product, including its implementation, setup, changes, information about the product and more. We also handle your requests, wishes and complaints at our branches, on our customer lines, websites, mobile applications and through other avenues. In addition to our products and services, these requirements may also relate to exercising your rights in matters of personal data protection. We want to know if you are happy with Ayvens and whether we can expect your continued support. If you visit a branch, we want to be able to identify you and offer you appropriate service. For these reasons, we particularly process the product and service data, profile data and data from our communication and interaction that you share with us.

Sending service messages As part of the provision of our services, we send you messages to help you service your product. For this purpose, we process your contact details.

Convenience of electronic channels For this purpose, we process information on which devices you access our services from electronically, your preferences for service settings and the data you fill in on our website, as we want to ensure the easy use of our website and applications. We store data on your device in the form of cookies. With them, we can respect your choice of language and also store the data you entered in web forms in case you want to return to them later. You are informed about processing cookies separately.

Risk management and protecting client, Ayvens, and third-party assets

Information for credit risk assessment We make decisions about risk management related to vehicle leasing and products based on a risk assessment, e.g., whether you will be able to pay the agreed lease payments or how likely it is that a certain insured event will occur. In order to be able to provide you with our services, we must act prudently according to legislation, and we therefore evaluate the risk of providing the service with the help of your data and using credit registers and internal databases that also contain negative information. Our duty to proceed with caution is also reflected in a number of other purposes in this category.

AML risk assessment We analyse your identification data, data about the transactions you carry out and other required data according to the Anti-Money Laundering Act to prevent money laundering, drawing some of this data from our internal databases.

Resolution of disputes and litigation In the event we are forced to collect our claims through legal channels, or if we are a party to legal proceedings and the proceedings concern you, we will use your Basic Data, data about products and services, data from our communication and interaction or other data required to protect our rights to the necessary extent.

Improving client care

Customer relationship management

We respect your needs and preferences. To this end, we try to create a comprehensive overview of what services you use and your wishes. We work with you on a variety of matters related to the relevant product, including its implementation, setup, changes, information about the product and more. We also handle your requests, wishes and complaints at our branches, on our customer lines, websites, mobile applications and through other avenues. In addition to our products and services, these requirements may also relate to exercising your rights in matters of personal data protection. We want to know if you are happy with Ayvens and whether we can expect your continued support. For these reasons, we particularly process the product and service data, profile data and data from our communication and interaction that you share with us.

Safeguarding essential Ayvens internal operation, including communication within the KB Group

Sharing information in the KB Group We transfer certain information within the KB Group, primarily for the purpose of risk management or information about the client's tax residency, based on legal grounds, other than your consent.

Testing software modifications In some cases, new software cannot be implemented without effective testing on our client data. Therefore, in essential cases where there is insufficient test data, we use your data stored in the relevant software to test this software, software modifications and to train our employees. Normally, however, we use completely anonymised data for these purposes, i.e., without the personal data of our clients.

Internal administration, reporting, information management, process optimisation, training Our employees process your personal data when fulfilling internal duties in the framework of Ayvens. For example, we have a comprehensive approval and reporting system for individual business cases. Your Basic Data, profile data and data about products and services is used for the purposes of planning, evaluation and/or greater efficiency, e.g., we evaluate when clients usually use specific services. For these purposes, data is aggregated (summarisation of a large amount of individual data) and the result is a general profile, a summary number that is no longer directly linked to a specific person. We prepare various reports required by legislation and also report some data to the KB Group, especially Basic Data.

Statistical purposes Your data is also used for statistical purposes. However, aggregated or fully anonymised data is usually used in this case.

Marketing purposes As part of marketing activities, we send commercial messages regarding products and services in various forms, including paper correspondence, telephone calls, text messages, e-mails, via the internet, client portals and mobile applications. We understand processing data for marketing purposes as the recognition of your preferences and offering products tailored for you. For this purpose, we group and evaluate Basic Data, data on products and services and profile data. Based on the results of these analyses, we find the most suitable products for you. These activities are intended to help us avoid bothering you with irrelevant offers. However, processing for the purposes of direct marketing can be considered as processing on the grounds of legitimate interests (e.g., sending clients e-mails and text messages). Ayvens uses a suitable designation for commercial messages sent by Ayvens or third parties that makes it clear the given communication is a commercial message in the sense of applicable legislation. It is always clear from commercial messages sent by Ayvens that Ayvens is the sender. We can send commercial messages to you using your contact details based on our legitimate interests, but only until such time as you express your disagreement with the receipt of such messages, or on the basis of your express consent to process your personal data for marketing and business purposes. Commercial messages also include a contact for refusal to receive these messages.

Compliance with legal obligations

Control, prevention of money laundering and the financing of terrorism, embargos We check your data to prevent illegal practices such as money laundering. We use the data profile from the risk assessment process to prevent money laundering.

Accounting and Taxes We collect and process your identification and transaction data for the purpose of fulfilling our accounting and tax obligations to regulatory and state authorities under the Accounting Act, VAT Act and other accounting and tax laws and for mandatory reporting to regulatory authorities.

Security In this context, we protect both physical assets, e.g., by placing cameras at our business locations, as well as data. Camera systems are installed to protect people and property against illegal activity. We process camera recordings. We have strict mechanisms in place to protect your data.

Fulfilment of a contract with a contractual partner other than the client In addition to the cases mentioned above, Ayvens also processes personal data in relation to contractual arrangements with its business partners, e.g., private entrepreneurs - sole traders. In this context, Ayvens processes personal data for the purpose of fulfilling the contract, fulfilling legal obligations or legitimate interests. The scope of personal data is always limited by the specific purpose and the goal is always to fulfil the contractual relationship between Ayvens and the contractual partner, who is not an Ayvens client.

Insurance The personal data controller in relation to the Insurance Contract is Allianz pojišt'ovna, a.s., with registered office at Prague 8, Ke Štvanici 656/3, Postal Code 18600, ID No.: 47115971. The purpose is to process personal data for the fulfilment of the Insurer's obligation and its legal obligations under the Insurance Contract. Detailed information about the processing of personal data (in particular, the purposes, time, scope or manner of working with them) can be found on the website www.allianz.cz/ochrana-udaju (hereinafter referred to as "Insurer's Information").

6. What types of consent do we use at Ayvens?

In this chapter, we will look at the types of consent used at Ayvens.

What exactly is consent? Consent is any freely given, specific, informed and unambiguous indication of a person's wishes by which he or she, by statement or clear affirmative action, signifies agreement to the processing of his/her personal data. In general, we could divide the types of consent at Ayvens into marketing and general.

Consent is voluntary; you can refuse to give or revoke consent at any time.

Refusal to give consent or its revocation has no consequences with regard to your contractual relationship with Ayvens. In the event you revoke consent, we will assume that you no longer wish us to continue processing your personal data for the purpose of the consent you have revoked.

Marketing consent By marketing consent, we mean consent to process client data for the purposes of conducting marketing activities, as well as improving client care.

Group Marketing Consent (hereinafter "Marketing Consent") If you have given us Marketing Consent, this is consent for the whole KB Group. In this case, all companies in the KB Group act as joint controllers of your personal data. Therefore, they can share and process the data specified in the consent for the purposes specified therein.

You can give your consent in person in the Komerční banka branch network, in the branch network of other subsidiaries, when signing contractual documents for KB Group products arranged through selected third parties and through direct banking channels (MojeBanka, Mobilní Banka).

It is not possible to choose which companies will be granted consent and which will not be granted consent when giving Marketing Consent or later. Any request with the inclusion of only some of the joint controllers listed must and will be considered a refusal or revocation of Marketing Consent. You can revoke your consent at any branch in the KB Group distribution network. If you revoke your consent at one of the companies in the KB Group, this revocation will apply to all other members of the KB Group, which means that none of them will be able to process your personal data for the purposes specified in Marketing Consent after this date.

All data for which consent was granted is processed jointly by the KB Group and may also be transferred between controllers. This means, for example, that if you signed Marketing Consent, the information you provide about yourself to a KB bank advisor will also be available to other joint controllers, such as Modrá pyramida stavební spořitelna, a.s., for marketing purposes. At the same time, this means that we also share publicly available information about you between all KB Group companies. Marketing Consent is granted to the following companies, which we refer to as the “KB Group”:

The KB Group The "KB Group" includes the following companies:

• Komerční banka, a.s., Reg. (ID) No.: 45317054,
• Modrá pyramida stavební spořitelna, a.s., Reg. (ID) No.: 60192852,
• Komerční pojišťovna, a.s., Reg. (ID) No.: 63998017,
• KB Penzijní společnost, a.s., Reg. (ID) No.: 61860018,
• ESSOX s.r.o., Reg. (ID) No.: 26764652,
• Ayvens s.r.o., Reg. (ID) No.: 61063916,
• SG Equipment Finance Czech Republic s.r.o., Reg. (ID) No.: 61061344,
• Factoring KB, a.s., Reg. (ID) No.: 25148290.

According to the legal definition, the controller of personal data is any entity that determines the purpose for which and means by which personal data is processed, and collects, processes and stores such data for the designated purpose. All the companies listed above act as joint controllers of your personal data. Therefore, they can share and process the data specified in your consent for the purposes specified therein.

How you can express your wishes regarding Marketing Consent Marketing Consent contains two checkboxes: "I agree" and "I do not agree"

By ticking the "I agree" box and signing the document, you consent to the processing of your personal data for marketing purposes by the KB Group.

By ticking the "I do not agree" box and signing the document, you disagree with the processing of your personal data for marketing purposes by the aforementioned companies to the extent defined in the document.

By crossing out, overwriting or otherwise amending the Marketing Consent form, consent will be treated as not granted (see option "I do not agree").

You need only grant Marketing Consent once for one company in the KB Group. It remains valid and effective until the end of your last contractual relationship with at least one company in the KB Group and 1 year thereafter or until you revoke your consent.

In the event you grant Marketing Consent, for example, when inquiring about a product / service and ultimately decide not to become our client (i.e., no contractual relationship is established with a member of the KB Group), your consent will be valid for 1 year from the date it was granted, if you do not revoke it in the interim. On the expiry and effect of Marketing Consent, your personal data will be erased or only processed to the extent and for the purposes for which consent is not required by law.

Interaction with members of the KB Group In order to prevent us from contacting you more than once for the same reason, we record information about contacts between you and us. This mainly concerns data such as the date (or time) of contact, the reason and whether the contact was initiated by you or by us. This applies to contacts initiated via all channels such as by phone, text message, chat, post, e-mail, data box, advisory service or via electronic, web or other applications. If it was an offer from us, we always record your response - whether or not you liked the offer. We record responses so that we do not offer you a product that did not appeal to you again.

7. How long do we retain personal data?

We retain your personal data for as long as necessary; we usually archive data for 10 years, according to the periods prescribed by law.

We respect the rules of data minimisation when handling your data. This means we have strict internal archiving rules in place to ensure we don't keep data longer than we are authorised to.

We are required to implement anti-money laundering measures for some business relationships. Under the Anti-Money Laundering Act, we are required to retain relevant data, i.e., your identification and transaction data, for a period of at least 10 years from the completion of the transaction or termination of the business relationship with you. This period also applies under other legislation. According to the Value Added Tax (VAT) Act, we are required to keep tax documents and records detailing the services we have provided or received for a period of 10 years from the end of the tax period in which the transaction took place. In general, we are required to keep most Basic Data and data about products and services based on these laws.

Data with a shorter retention period includes, for example, data that we would be required to submit as evidence in a court case, taking into account statutory periods of limitation according to the current Civil Code.

We keep the data that we process with your consent for the period for which consent is granted. If you have given us consent to process and share data in the KB Group for marketing purposes, we process your personal data for the duration of our contractual relationship and for a period of 5 years after the termination thereof. If you do not become our client, i.e., no contractual relationship is concluded, we process your data for 1 year from the date of consent only. To avoid all doubt and based on our legitimate interests, we retain the original consent and any changes or revocation of consent for the entire period consent is valid and for a period of 10 years after the expiry thereof.

8. Who are the processors and recipients of your personal data?

The regulation of personal data protection allows the controller to entrust the processing of personal data to a processor. A personal data processor is any entity that processes personal data on the basis of special legislation or as delegated or authorised by the controller. In these cases, the same level of protection of your data as that provided by Ayvens is guaranteed by contract and regulation. Among the most important processors that Ayvens uses for personal data processing are:

• vehicle service providers
• providers of supplementary services for vehicle leasing
• service brokers, auto sales representatives (dealers)
• IT service providers
• providers of archiving services
• debt collection agencies
• marketing agencies
• providers of products such as insurance
• print and postal service providers, including couriers
• providers of legal, tax, audit and financial services and consulting
• entities cooperating with us in loyalty programmes
• the KB group, under the conditions specified in this document

Credit registers

In order to protect our rights consisting of the assessment of your ability and willingness to meet the obligations of the agreed service, Ayvens searches for information on matters that testify to your solvency, payment morale and credit history through credit registers based on a legitimate interest. We can process this data about you even without your consent, especially in the service negotiation phase. Data is processed from, for example, the Client Information Bank Register (CIBR), the Non-Bank Client Information Register (NBCIR) and the SOLUS Association database.

CIBR/NBCIR

CIBR is a system that collects information about the solvency, credit history and payment morale of bank clients. CIBR is run by the joint-stock company, CBCB (Czech Banking Credit Bureau), whose website www.cbcb.cz contains all information about the register. Your consent is not required for the purpose of sharing data in the CIBR. NBCIR is run by the special interest association, CNCB – Czech Non-Banking Credit Bureau. Your consent is not required for the purpose of sharing data in the NBCIR. Because the CIBR and NBCIR are two separate registers, the mutual exchange of information between them is possible, even without your consent. (More in the Information Memorandum of the Client Information Bank Register [CIBR] and the Non-Bank Client Information Register [NBCIR])

SOLUS

Pursuant to the Consumer Protection Act, your personal data may be kept in registers used to mutually share the identification data of consumers and matters indicating their solvency, payment morale and credit history. Your consent is not required for this information. As a member of SOLUS, a special interest association of legal entities, Ayvens shares information in its registers. (More in the INSTRUCTION on SOLUS registers, which can be found at www.solus.cz)

On request without consent

Some public administration authorities and other organisations are entitled to request information about you. This mainly concerns the Police of the Czech Republic, courts or other branches of executive power. We only disclose data if the right to request this data is permitted by law.

9. Specifics of processing personal data for legal entities

When providing products and services to legal entities, we also obtain and process data on individuals/natural persons who are authorised to represent Ayvens clients and other individuals whose personal data is processed in direct connection with the performance of their activities and which Ayvens must and/or is authorised to process for its own purposes. These are primarily owners, real owners or individuals providing security, as well as drivers, employees and other individuals connected thereto. We primarily obtain data from clients or their representatives, from publicly available sources or specialised databases from third parties.

This includes identification data, address and contact data, roles and positions in the company, which Ayvens is authorised to process in connection with the performance of its activities and provision of services.

This data is collected and processed:

If you have given your consent to processing your personal data for the marketing purposes of the KB Group, the above data may also be processed for these purposes.

10. What are your legal rights in relation to processing your personal data?

We process your data transparently, correctly and in accordance with the law and applicable legislation. You have the right to ask us for information about the personal data we process, the purpose and nature of processing personal data and the recipients of your personal data. If you find, or believe that your personal data is being processed in violation of the protection of your private and personal life or in violation of legislation, you have the right to demand an explanation from us, or to demand that Ayvens rectify the defective situation that has arisen in this way. You also have the right to contact the Office for Personal Data Protection in the event of a breach of our obligations with a request for remedial measures.

Your rights:

Right of access to personal data

Pursuant to Article 15 of the GDPR, as the data subject, you have the right of access to your personal data, which includes the right to ask Ayvens for:

Right to rectification of inaccurate data

Pursuant to Article 16 of the GDPR, as the data subject, you have the right to the rectification of inaccurate personal data that Ayvens processes about you. As an Ayvens customer, you are also required to report changes to your personal data and to document that such a change has taken place and to provide cooperation if it is found that the data we process about you is not accurate. Ayvens will rectify data without undue delay, but always taking the technical capacity into account. A request for the rectification of personal data can be sent to the Ayvens contacts provided in this article below, on the condition that the request is shown to be justified.

Right to erasure

Pursuant to Article 16 of the GDPR, as the data subject, you have the right to the erasure of personal data about you, unless Ayvens can show legitimate reasons for processing this personal data. Ayvens has mechanisms in place to ensure the automatic anonymisation or erasure of personal data in the event it is no longer needed for the purpose for which it was processed. If you believe that your personal data has not been erased, you can contact us.

Right to restriction of processing

Pursuant to Article 18 of the GDPR, as the data subject, you have the right to restrict the processing of your personal data until the resolution of a complaint contesting the accuracy of personal data, the reasons for processing this data or if you file an objection to its processing, through the Ayvens contacts listed in this article below.

Right to be notified of the rectification, erasure or restriction of processing of personal data

Pursuant to Article 19 of the GDPR, as the data subject, you have the right to be notified by Ayvens in the event of the rectification, erasure or restriction of processing your personal data. We will notify individual recipients if personal data is rectified or erased, except where this proves impossible or requires unreasonable effort. We can provide information about these recipients on request.

Right to the portability of personal data

Pursuant to Article 20 of the GDPR, as the data subject, you have the right to the portability of data about you that you have provided to the controller in a structured, commonly used and machine-readable format, and the right to request Ayvens to transfer this data to another controller on request.

If you provide us with personal data in connection with a contract for the provision of services or on the basis of consent and this data is processed automatically, you have the right to receive such data from us in a structured, commonly used and machine-readable format. Where technically feasible, the data can also be transferred to a controller designated by you, if the person acting on behalf of the relevant controller is duly identified and authenticated.

If exercising this right could adversely affect the rights and freedoms of third parties, your request cannot be granted. You can send your request to the Ayvens contacts listed in this article below.

Right to object to the processing of personal data

Pursuant to Article 21 of the GDPR, as the data subject, you have the right to object to the processing of your personal data on the grounds of Ayvens's legitimate interests, by sending your objection to the Ayvens contacts listed in this article below, or by contacting Ayvens by phone. After submitting an objection, we will stop processing your personal data for these purposes without delay.

If Ayvens cannot show there is a serious legitimate reason for processing that outweighs your interests or rights and freedoms, Ayvens will cease processing your data based on the objection without undue delay. The objection can be sent in writing to the Ayvens contacts listed below.

Right to revoke consent to processing personal data

You have the right to revoke your consent to processing your personal data for commercial purposes at any time. The revocation of consent must take the form of an explicit, comprehensible and specific expression of will to the Ayvens contacts listed in this article below. Consent to marketing communications granted for a specific electronic contact can be revoked at any time. Processing data from cookies can be prevented by setting your web browser.

In the context of consent to processing, you can also completely refuse to share your personal data with us.

Automated individual decision-making, including profiling

As the data subject, you have the right not to be the subject of any decision based solely on automated processing, including profiling, which would have legal effects for you or significantly affect you in a similar manner. Ayvens states that it does not make automated decisions without human assessment of legal consequences for data subjects.

Right to contact the Office for Personal Data Protection

In the event you are not happy with the processing of your personal data, you have the right to file a complaint with the supervisory authority, which is the Office for Personal Data Protection in the Czech Republic, with its registered office at Plk. Sochora 27, 170 00 Prague 7, www.uoou.cz.

Ayvens approaches all the above rights in the same way and always tries to comply with your requests. All rights can be exercised free of charge. Ayvens has a reasonable amount of time to process a request to exercise a right – usually 30 days. The request must include basic identification data so that we can trace all your processed data. In the event Ayvens does not receive a complete summary of identification data, it cannot guarantee that a final summary of all processed data can be found in all information systems managed by Ayvens. In the event we cannot find your personal data in Ayvens systems according to the identification data provided, you will be informed of this in writing.

You will be informed when your request has been processed in the form of a covering letter. You can exercise your rights both by letter addressed to Ayvens, at a branch directly or by e-mail. When exercising selected rights, it is possible Ayvens will need your cooperation during authentication. Rights can only be exercised in one's own name or in the name of a person in one’s care in special cases.

If you have any questions, please call the Ayvens Infoline on 955 525 000, go to www.ayvens.cz or write to us at osobniudaje@aldautomotive.com.

11. Who are we?

Ayvens

Ayvens is a leading global provider of operating leasing for passenger and light utility vehicles up to 3.5t. The company is part of the strong financial group Société Générale. Ayvens specialises in leasing products for corporate customers, regardless of the number of vehicles in their fleet.

Clients include private individuals and small sole traders, but above all companies and large international corporations, which the company also takes care of on a global level. This is reflected in a wide range of products, which are designed to meet the individual needs of Ayvens customers.

Our flagship product is Full-Service operative leasing, which has already received numerous awards in the prestigious Zlatá Koruna or Fleet Awards. Other services and products ensure maximum comfort for Ayvens clients, including our pick-up service, assistance services in the event of a breakdown or accident, GPS monitoring of vehicle movements under the name Ayvens Car Monitor, as well as the myAyvens application.

Ayvens operates in 42 countries worldwide, managing almost 3.4 million vehicles. Headquartered in Prague, Ayvens also looks after its clientele from offices in Brno, Ostrava, České Budějovice and Plzeň.

Société Générale Group

Komerční banka has been an important part of international retail banking in the Société Générale Group, one of the largest European financial groups, since October 2001.

Société Générale has played a major role in the economy for 150 years. With more than 147,000 employees operating in 67 countries, the SG Group serves 31 million clients worldwide. Société Générale Group teams offer consulting and services to retail, corporate and institutional clients in three key areas:

12. Glossary

Sensitive data Data of a special nature, such as information about your health or biometric data enabling the identification of an individual.

Cookies A short text file that a visited web page sends to the browser, which allows the website to record information about your visit, such as your preferred language and other settings. Your next visit to the site can therefore be easier and more productive. Cookies are important. Without them, browsing the web would be much more difficult.

GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

Geolocation Information about the geographic location of an electronic device connected to the internet (whether at precise or country level).

Legitimate interest The interest of the controller or a third party, for example, when the data subject is a customer of the controller.

Personal data Information about a specific, identifiable person.

Product Means any service provided by Ayvens, in particular Operative Leasing of a vehicle, Full-Service leasing of a vehicle, Fleet Management and other products and services offered by Ayvens.

Profiling Automatic processing of your data used, for example, to analyse or predict behaviour in your personal and professional life, your financial situation and personal preferences.

Recipient An entity to whom data is transferred.

Service Means any of the services we offer you, including our products, services offered online and their support.

Consent Any freely given, specific, informed and unambiguous indication of a person's wishes by which the data subject, by statement or clear affirmative action, signifies agreement to the processing of his/her personal data.

Controller The entity who determines the purpose for which and means by which personal data is processed; the controller can entrust processing personal data to a processor.

Data subject The person/individual to whom the personal data relates.

Purpose The reason for which the controller uses your personal data.

Basic Data Data that includes identifying and contact information.

Processing Any operation or set of operations with personal data that is carried out with or without the aid of automated processes, such as collection, recording, organisation, structuring, storage, modification or alteration, retrieval, inspection, use, disclosure by transmission, dissemination or any other disclosure, organisation or combination, restriction, erasure or destruction of personal data.

Processor The entity that processes personal data for the controller.

13. Related legislation

EU General Data Protection Regulation – GDPR

Accounting Act

Anti-Money Laundering Act

Consumer Protection Act

Antispam Act

Civil Code

Income Tax Act

Value Added Tax Act