Principles of Personal Data Protection

The controller of personal data is the company Payment Institution Roger a.s., ID No.: 017 29 462, with registered office at Merhautova 327/1, Černá Pole, 613 00 Brno, registered in the Commercial Register kept at the Regional Court in Brno, file No. B 7900 (hereinafter referred to as "Roger").

Contact details of the administrator

Payment institution Roger a.s.

Delivery address: Merhautova 327/1, Černá Pole, 613 00 Brno

Contact e-mail: gdpr@rogeras.com

Roger has not appointed a data protection officer.

Identification data - title, name, surname, birth number, date of birth, sex, place of birth, place of residence, nationality, type and number of identity card, image on identity card

Contact details - e-mail, telephone number, delivery address, mailbox ID

Status and banking data - bank account number, information on political exposure, information on sanctions lists

Business and creditworthiness data - ID number, VAT number, data related to insolvency, enforcement proceedings, economic ratings

We process the above personal data for the following purposes and on the basis of the following legal grounds:

We process your personal data for the performance of a contract that we have entered into or intend to enter into between us. Without processing this personal data, Roger would not be able to provide you with its services. Such processing consists in particular of:

• Processing and delivering an offer to conclude a contract
• Concluding the contract
• Providing services in accordance with the contract

We also process your personal data for the purpose of fulfilling our legal obligations imposed by law. Without processing this personal data, Roger would not be able to provide you with its services. In particular, the following legal regulations are the basis for this processing:

• Act No. 253/2008 Coll., on certain measures against the legalization of the proceeds of crime and the financing of terrorism, as amended. This law obliges us to process personal data in order to carry out identification and control of our clients within the meaning of this law.
• Act No. 370/2017 Coll. on payment transactions, as amended. This law allows us to process your personal data without consent for the purpose of preventing payment fraud and its possible investigation and detection.

Roger may also process your personal data on the basis of consent. Any lack of consent to the processing of personal data for these purposes does not affect the provision of services by Roger. Based on your explicit consent, we may process personal data for the following purposes:

• Sending the Roger newsletter
• Sending informational emails regarding the Roger auction portal

We also process your personal data to protect our legitimate interests for the following purposes:

• Risk management on the Roger auction platform
• Protecting Roger's legal interests in the event that a dispute arises between us in the future

We process personal data mainly in Roger. However, in some cases we entrust external processors with the processing of personal data. We enter into contracts with these processors for the processing of personal data and only select those who meet strict requirements for technical and organisational safeguards. Outside of these processors, we may be required by applicable law to transfer certain personal data to public authorities.

We may provide personal data to the following categories of recipients:

• To Roger's subsidiaries.
• Invoice Financing s.r.o., ID No.: 053 08 135
• Roger Finance s.r.o., registration number: 095 46 511
• Cloud service providers
• Providers of advertising and marketing services
• Law firms
• Collection agencies, bailiff offices, auctioneers
• Payment service providers
• Postal service providers and couriers
• Public authorities (Czech National Bank, Financial Analysis Office, Data Protection Authority, courts, etc.)
• Insurance companies
• External partners Roger

No, we do not transfer your personal data to third countries or international organisations.

Vaše osobní údaje uchováváme v průběhu trvání smluvního vztahu, který nám umožňuje Vaše osobní údaje zpracovávat.

Po ukončení smluvního vztahu uchováváme Vaše osobní údaje zpravidla po dobu 10 let od ukončení smlouvy z důvodu plnění našich povinností vyplývajících z právních předpisů v oblasti předcházení legalizace výnosů z trestné činnosti a financování terorismu.

Pokud Vaše osobní údaje zpracováváme za účelem ochrany našich oprávněných zájmů, zpracováváme je po dobu, kdy tyto naše oprávněné zájmy trvají. To například znamená, že pokud mezi námi bude zahájen soudní spor, Vaše osobní údaje budeme zpracovávat po celou dobu trvání tohoto soudního sporu.

Osobní údaje, které zpracováváme na základě Vašeho souhlasu zpracováváme po dobu, na kterou nám byl souhlas udělen.

Right of access to personal data

You have the right to obtain confirmation from us that we are or are not processing your personal data. If we do process your personal data, you have the right to obtain from us a list of the personal data we process.

Right to rectification of personal data

You have the right to ask us to correct or complete inaccurate or incomplete personal data we hold about you.

Right to erasure of personal data

As a data subject, you have the right to have us delete your personal data concerning you without undue delay if:

• The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
• As a data subject, you withdraw the consent on the basis of which the data was processed and there is no further legal basis for processing the data.
• You object to the processing and there are no overriding legitimate grounds for processing.
• The personal data has been unlawfully processed.
• The personal data must be erased to comply with a legal obligation under EU or Czech law.
• Personal data has been collected in connection with the offer of information society services.

The right to erasure does not apply if the processing is necessary for:

• the exercise of the right to freedom of expression and information,
• to comply with a legal obligation imposed on us by EU law or the law of an EU Member State
• for the establishment, exercise or defence of legal claims

Right to restriction of processing

You have the right to ask us to restrict the processing of your personal data in any of the following cases:

• You dispute the accuracy of the personal data. In this case, we will restrict processing for the time necessary to verify the accuracy of the personal data.
• The processing of personal data is unlawful.
• We no longer need the personal data for processing purposes, but you require it for the establishment, exercise or defence of legal claims.
• You object to the processing. In this case, we will limit the processing to the time necessary to verify whether our legitimate interests to process outweigh your legitimate interests.

Right to data portability

If we process your personal data by automated means on the basis of your consent or on the basis of a contract you have entered into with us, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. You also have the right to ask us to transfer this personal data to another controller without any hindrance from us, provided that such transfer is technically feasible.

Right to object to processing

You have the right to object at any time to the processing of your personal data that we process on the grounds of our legitimate interest. On the basis of this objection, we will generally stop processing your personal data except where:

• we have compelling legitimate grounds for the processing
• we need your personal data to establish, exercise or defend our legal claims.

If we process your personal data for direct marketing purposes, you have the right to object to the processing of your personal data at any time and we will always stop processing your personal data on the basis of this objection.

Right to be informed in the event of a personal data breach

If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will notify you of the breach without undue delay.

Right to lodge a complaint with a supervisory authority

If you believe that our processing of personal data violates the data protection rules, you have the right to lodge a complaint with the supervisory authority. The supervisory authority is the Office for Personal Data Protection, located at Pplk. Sochor 27, 170 00 Prague 7, e-mail: posta@uoou.cz, tel.: 234 665 125.

Right to withdraw consent to the processing of personal data

If we process your personal data on the basis of your consent, you have the right to withdraw your consent to the processing of your personal data at any time. You must withdraw your consent to the processing of your personal data in writing to gdpr@rogeras.com.

We want our website www.roger.cz to be as intuitive and clear as possible for you as a user. Therefore, when you visit our website, we use text files that identify the user and record their user activity, so-called cookies. The text in this file is made up of a series of numbers and letters that identify the user's computer, but do not provide any specific information about the user. This enables us to continuously improve your user experience on our website.

So why do we use cookies and similar technologies?

• Login - In this case, we store cookies so that you are not forced to log in every time you click on a page of our website. When you log in to your personal account on www.roger.cz an encrypted cookie will be stored, allowing you to move between pages of the site without having to log in again. You can also save your login details so that you do not have to log in again each time.
• Tools for a clearer website - third party cookies may be placed on our website. This may be because Roger has commissioned this third party to analyse the website, for example, to make it clearer or to make the page load faster. Roger uses Google Analytics from Google, Hotjar and Pixel from Facebook.

Most web browsers accept cookies automatically. However, they provide controls that allow you to block or remove them, so you can have control over your data. Users of the www.roger.cz website are entitled to set their browser to restrict or prevent the use of cookies on their computer. However, the Roger's web interface may not function properly in this case and may not provide you with the necessary user experience. Instructions for blocking or removing cookies in browsers can usually be found in the help documentation of each browser.

We will update this privacy policy as necessary. The most current version of this Privacy Policy will always be available on the www.roger.cz website. We encourage you to review the Privacy Policy on an ongoing basis.

We hope you have found this document helpful and have found all the information you needed to know. If you have any questions, please do not hesitate to contact us.