Privacy policy

Preamble

We respect your privacy and treat your personal data in a responsible way.

The information contained in this document is primarily intended for those of you who, in relation to any of the
W.A.G. Group companies, act as one of the following:

  • customer (potential customer),
  • statutory representative or our (potential) customer’s employee,
  • another user of our products (e.g. a private entrepreneur working for our customer),
  • supplier, supplier’s statutory representative or employee, or person cooperating in another manner,
  • job/co-operation applicant, where applicable.

In accordance with the valid legislation, we would like to inform you that the W.A.G. Group companies (a list of which is available here) may process your personal data. This document describes what type of data we process and when and explains important terms (listed here) and your rights (listed here). Please read the document thoroughly. You can also find the full version at www.eurowag.com, where an updated version is always available.

The processing of your personal data is governed by the following principles:

  • we only process your personal data
    • for a purpose determined in a clear and comprehensible manner (i.e. we assess the purpose of your
      personal data processing),
    • to the extent necessary for the purpose, and
    • for such period as is necessary for the purpose;
  • we always inform you about the processing of your personal data;
  • your personal data are processed in a transparent manner (we e.g. inform you of your rights);
  • we protect your personal data against:
    • abuse, theft or other unauthorized processing; and
    • accidental change, destruction or damage;
  • we comply with the appropriate technical and organizational measures to ensure security of personal data.

If, after reading this document, you do not understand certain parts or terms or you are not sure whether and how
specific information about your personal data processing relates to you, please contact us at
compliance@eurowag.com.

Who holds your personal data?

The W.A.G. Group company that received your personal data from you or collected your personal data for one or
more purposes shall always be your personal data controller.

The personal data controller will collect and handle your personal data and be responsible for their due and
lawful processing. Please contact your personal data controller if you want to exercise any of your rights.

Your data are typically managed by the company that you are a client of or cooperate with, most often the company
that you have already signed a contract with. If the contractual cooperation involves multiple W.A.G. Group
companies, then each of them may use your personal data for predetermined purposes.

If you are not sure, ask us.

Who can your personal data be transferred to?

We may share your personal data within the W.A.G. Group especially for the purposes of ensuring top quality
customer service, internal management and reporting (if you change your address, you do not have to contact the
sales representative and the billing department separately).

The W.A.G. Group companies may act as controllers and processors of your personal data vis-?-vis each other,
especially when you use a large range of our products or you use our products in multiple countries.

By sharing selected personal data within the W.A.G. Group, we can ensure that your data always remain up to date.
Thanks to that, you will receive quick and high quality services because we will be able to properly identify
you and set up the products you use so as to suit your needs (e.g. a well-established billing system).

We may only transfer your personal data outside the W.A.G. Group if it is required by the offered service, if it
is stipulated by law, or if you allow us to do so. On the other hand, the W.A.G. Group companies may act as data
processors for other personal data controllers outside the W.A.G. group (drivers’ employers).

Some of our services may be provided in collaboration with entities (companies or individuals – controllers,
processors) outside the W.A.G. Group. If your personal data are shared with another entity, we always check what
type of personal data is provided and why. We also verify whether the other entity is able to provide sufficient
guarantees and has sufficient expert knowledge to handle the personal data.

If we entrust another party with the performance of a certain activity that constitutes part of our services, the
relevant personal data may be processed in the performance of such activity. In some cases, such suppliers may
become personal data processors. The processor may solely handle the data for the purposes for which the
processor was authorized by us. In such case, your consent is not required for the performance of the processing
activities.

If we use cloud repositories (see glossary of terms), we always strive to use those located within the EU and
always emphasize ensuring a high level of personal data security.

If you are our client’s employee, typically a driver, the W.A.G. Group company only acts as the processor of your
personal data for your employer who uses our products/services.

The following entities outside the W.A.G. Group may particularly act as personal data processors, controllers or
joint controllers:

  • toll service providers,
  • providers cooperating in securing tax refunds,
  • fuel point operators, washing service operators, parking service operators, etc. (contractual partners
    within the acceptance network),
  • IT and Telco service providers,
  • receivable collection entities,
  • lawyers, consultants,
  • marketing agencies,
  • providers of print and postal services, including courier services,
  • credit registers,
  • HR and accounting service providers.

Under certain circumstances, we may be bound to disclose your personal data to various governmental and
international authorities, but only to the extent required by the applicable legislation.

Your personal data may be processed on the territory of the Czech Republic and of other countries of the European
Union or, where applicable, on the territories of the countries in which the W.A.G. Group has its presence.
Concerning the countries outside the EU, we provide adequate safeguards of the protection of personal data.

What is our source of your personal data – do you have to provide us with the information?

Most often, we collect your personal data from you because their processing is necessary for the execution and
performance of the contract (the provision of products/services), the fulfillment of our legal obligations or
the protection of our legitimate interests. Depending on the situation, we may also process personal data that
are available from public sources and registers (trades, business, insolvency registers) and, in some cases,
data from third parties (about our customers’ employees, such as an accountant’s or dispatcher’s phone number or
selected personal data of drivers, as well as data from the state administration, or information from the
persons listed as references in your application in the selection proceedings). In all these cases, you are
required to provide us with your personal data because we would be unable to cooperate with you without such
data.

In some cases, you have provided us with your personal data based on your voluntary consent. A voluntary consent
means that you are not required to provide us with your personal data and that you may withdraw your consent at
any time.

Persons under the age of 18

Our customers or suppliers regularly do not include persons under the age of 18. Such persons may, however, be
willing to join us for internship training period or temporary job. Their personal data are therefore used for
restricted purposes.

Why do we hold your personal data and how do we use them?

We can process mainly the following categories of personal data, especially for the purposes listed below. Our
processing is governed by the valid legislation and always subject to verification of the legal grounds for
processing.

The scope of collected personal data varies according to the purposes for which the personal data are needed. You
can learn more from the examples provided further in this document.

Categories and scope of personal data:
Basic data = Identification and contact data

We need to identify you to make sure you are the person we are dealing with. That is why we may collect your
basic identification and personal contact data via electronic, phone, written or personal communication.

The basic data include especially the following information: first name, surname, other names, date of birth,
nationality, address, e-mail address, telephone number, identity card number, identity card photo, bank account
number, company identification number (IČO), tax identification number (DIČ), personal number, if it has been
assigned, vehicle registration plate number and VIN.

Data such as your name, surname, address, e-mail and account number may be part of the agreement you enter into
for the use of our products. Your name, surname and phone number may be recorded during a phone call. When
setting up an account on the client website, we may, in addition to contact and identification data, also
collect the IP addresses or URL. In e-mail communication, we may collect your e-mail address, IP address, or the
language you use.

Data relating to products/services

We may process personal data that are closely related to the manner in which you use our products/services or the
data that you communicate or otherwise make available to us during your use of the products/services and may
take this information into consideration in e.g. setting up the payment scheme.

We can, for example, investigate how often you use our services/products and for which fleet, or information
about your payment history demonstrating your creditworthiness and reliability.

These may include offers provided to you, financial limits, payment reports and other similar information.

Data from our communication

We may collect information about how you access our services, from what devices and for what purpose. This helps
us optimize and further develop our platforms, as well as improve the security of communication channels.

These data may include the IP address, device browser and hardware information, your chosen form of communication
– phone, email, mail, online chat, Facebook, Twitter, LinkedIn, whether it is a response to a business
communication, or information from surveys.

We are interested in hearing your opinion; we may therefore collect information that can be used to improve our
services, offer you products that are best suited for you and deliver these products in the manner that is most
convenient for you.

We can also process feedback, comments, suggestions and results of non-anonymous surveys as personal data.

Such information may include information on the use of our websites and applications, information about our
mutual contact via any contact point (for how long, which topic was

discussed and which communication channel was used), including settlement of complaints and service requests.

Profile data

In automatic data processing mode, we can process your basic characteristics, business information and risk data.
These data will enable us to offer you products/services that suit your needs and to ensure both our and your
safety.

We can use the data for profiling that involves tracking, analyzing and storing personal data in databases to
create
personal profiles, even in an automated mode. Thus processed personal data may serve to create business
recommendations so that we can offer you tailor-made products and services. Such information, particularly after
its
generalization, may also be used to create marketing campaigns. Such data also allow us to set up more
advantageous
services for you. Automated personal data processing does not mean that an automated decision was made having
specific consequences for you. Even automated data processing always involves a human factor, either initially
when
selecting the data or groups of data, or when controlling the output.

Such data may include, for example, the scope of services ordered, payment transactions or financial or cyber
risk
assessment.

Other data

The use of certain services is connected with the processing of geolocation data. These data are used to
determine
(or reverse verify) the current location of the device used for the provided service. Typically, we process
these
data for our customers and only serve as a data processor bound by the customers’ instructions.

These services mainly include Fleet Management Services (Telematics) and may constitute part of OBU units.
Geolocation data can be used by our customers to better plan fleet capacity or shifts or to prevent vehicle
theft.

For security reasons, we can record your movement from our Truck Parks and Truck Points, including payment point
records. Such records are used to protect our property. In some cases, these records can be made available to
our
customers if they want to protect their property (e.g. upon suspected employee fraud). Our role (as processors)
then
depends on the customers to whom personal data are made available.

If your car is damaged, the camera record may be provided to the police.

We may also make and keep records of phone calls and online chats, yet exclusively for our own needs.

We can use this information for the purposes of ensuring good quality customer service, especially for handling
your
requests or suggestions. Records may also be temporarily stored and used as evidence in the event of a
dispute.

What makes us authorized to process your personal data and what particular purposes your data can be processed
for.

You have signed or plan to sign a contract with us

  • o Conclusion and performance of a contract
    • Who may be concerned: Customers, suppliers
    • What type of personal data can be processed for particular types of contracts:
      • Supplier contract (we receive products/services) – name, surname, address, IČO number, DIČ number,
        account number,
        etc.
      • Customer contract (we provide products/services) – particularly the following data may generally be
        collected for
        all services: name, surname, address, IČO number, DIČ number, telephone number, e-mail, client
        section access data,
        account number, payment dates and amounts, information about other parties related to the customer
        (typically an
        accountant, dispatcher, driver …), etc.
        • In addition, depending on the type of service used:
          • Refueling of vehicles: fuel volumes, registration plate numbers of vehicles used by you,
            card identification
            features – number, name,
          • Toll: vehicle registration plate number, weight and VIN of vehicles used by you,
          • Fleet Management Services (Telematics): geolocation data (see the glossary of terms) about
            the location of the
            vehicles used by you (these may include information about the vehicle movement, whether it
            is a business or private
            journey, where and how fast the vehicle is moving);
          • EWMC: information on financial transactions,
          • o Tax Refund Service: Information on specific tax duties;
    • Service requirements and other individual requirement solutions
      • Who may be concerned: Customers, suppliers
      • What type of personal data, in particular, we process: financial transaction data, SIM
        identification from the
        toll unit, etc.
    • Processing of cash transactions under a contractual relationship
      • Who may be concerned: Customers, suppliers
      • What type of personal data, in particular, we process: name, surname, address, DIČ and registered
        office of
        private entrepreneurs, e-mail, telephone, bank account number, financial transaction data and
        authorization
        terminal
        data, data on the recipient of the funds, amounts, dates of processing, performance, e.g. entering a
        payment
        order,
        where the drawdown was made and how much was drawn, etc.
    • Ensuring access to our website client (non-public) sections and applications
      • Who may be concerned: Customers, suppliers
      • What type of personal data, in particular, we process: name, surname, address, DIČ and registered
        office of
        private entrepreneurs, e-mail, telephone, IP address, access data, etc.

We have a legitimate interest in processing personal data.
Business activities

  • Collection of receivables and protection of our other rights
    • Who may be concerned: Customers, suppliers, statutory bodies, employees and co-operating parties of our
      customers
      or suppliers
      • What type of personal data, in particular, we process: name, surname, address, DIČ and registered
        office of
        private entrepreneurs, e-mail, telephone, bank account number, and financial transaction data:
        amounts,
        performance,
        etc.
      • These are, for example, situations where a customer is in default and in order to recover the
        amount due, the
        customer’s identification and financial transaction data serve as a basis for a court action.
    • Business partner relations management
      • Who may be concerned: Customers, suppliers
      • What type of personal data, in particular, we process: name, surname, address, DIČ and registered
        office
        of
        private entrepreneurs, e-mail, telephone, bank account number, and financial transaction data:
        amounts,
        performance,
        financial limits, billing dates, etc.
      • We process personal data in order to improve our relationships. These are, for example, situations
        where
        we
        discuss the transition from prepaid services to services paid retrospectively.
    • Telemarketing
      • Who may be concerned: Customers
      • What type of personal data: name, surname, business name, telephone.
      • When customers are contacted via a telephone (voice) line by the W.A.G. Group with an offer of our
        products/services, yet only by the company with which the customer has already been in contact
        before.
    • Communicating other important information
      • Who may be concerned: Customers
      • What type of personal data, in particular, we process: selected personal data related to business
        information, such as changes in business conditions, etc.

Security activities / risk management

  • Assessment of financial risk and creditworthiness
    • Who may be concerned: Customers, suppliers
    • What type of personal data, in particular, we process: information from the insolvency register,
      checking open items in the internal system.
    • We can validate such data on a continuous basis. If no risk is identified, the data are disposed of
      after the assessment.
  • CCTV camera records
    • Who may be concerned: Customers, suppliers, future employees
    • What type of personal data, in particular, we process: records of faces or figures, vehicle registration
      plate
      number
    • You can come across CCTV camera records at our petrol stations, in buildings and in their vicinity; they
      serve to protect our rights and our property or the rights and property of third parties (customers,
      suppliers,
      employees).
      Voice records
    • Who may be concerned: Customers, future employees
    • What type of personal data, in particular, we process: name, surname, telephone, or more extensive data
      dependingon the particular situation.
    • Voice recordings are made in selected cases when communicating over the phone; you are always alerted to
      thepossibility that the call can be recorded. The records serve, in particular, to improve the quality
      of
      service and to protect both your and our rights.
  • Profiling for business use
    • Who may be concerned: Customers
    • What type of personal data, in particular, we process: name, surname, address, business name,
      transactionhistory, vehicle registration plate number, etc. These are situations where personal data are
      processed
      especially forthe
      purposes of analyzing changes in customer behavior. The output of the profiling process itself has no
      direct
      impact
      on the customer and serves, primarily, as the basis for our sales representatives who can, based on such
      output,
      tailor the services to your real needs.

Internal processes

  • Product and service development, simulation and testing
    • Who may be concerned: Customers, future employees
    • What type of personal data, in particular, we process: various combinations of personal data needed to
      set up future products/services or improve current products/services.
  • Internal analysis and training of predictive models over historical data
    • Who may be concerned: Customers, suppliers, future employees
    • What type of personal data, in particular, we process: various combinations of personal data, such as
      name,
      surname, DIČ number, vehicle registration plate number, financial transaction, card number.
  • Accounting and Taxes
    • Who may be concerned: Customers, suppliers
    • What type of personal data, in particular, we process: name, surname, address, DIČ and registered office
      of private entrepreneurs, e-mail, telephone, bank account number, and financial transaction data:
      amounts,
      performance, billing dates, etc.

Other

  • Communication
    • Who may be concerned: Customers, suppliers, future employees
    • What type of personal data, in particular, we process: name, surname, address, DIČ and registered office
      of private entrepreneurs, e-mail, telephone, social media profiles, etc.
    • We can use personal information to answer your questions, requests or complaints. We can use data about
      your personal visit or records from telephone communication.
  • Employment
    • Who may be concerned: future employees
    • What type of personal data, in particular, we process: name, surname, address, e-mail, telephone, CV
      data,
      other
      persons’ data in case of references, information you provide us during the interviews. We can keep this
      information
      for a period until the specific position is occupied and for a period until the selected candidate’s
      trial
      period
      expires. We need this information to evaluate your interest in a specific position and to inform you
      about the
      course and outcome of the selection process.

We have acquired your consent

If we need your consent, we always explain what type of data we would use and why. Your consent is absolutely
voluntary and it is up to you to decide whether you will provide your consent to us. Your failure to provide
your
consent to such processing shall not affect the scope of services you have ordered from us.

If we ask you to give us your consent to the use of your personal data, you may decide whether the reason for the
use of your personal data is important and acceptable to you and, based on the decision, you will/will not give
us
your consent.

If you grant us your consent, you are entitled to withdraw your consent at any time. The easiest way to withdraw
your consent is described below in the section concerning your rights.

  • Marketing activities
    • Who may be concerned: Customers
    • What type of personal data, in particular, we process: name, surname, business name, e-mail, telephone
      number.
    • We will endeavor to obtain your consent to share these personal data with all companies in the W.A.G.
      Group (a
      list of which is available here).
    • At the same time, we will endeavor to obtain your consent, in particular, to send emails and text
      messages
      with
      product/service offers of individual W.A.G. Group companies.
  • Storing cookies
    • For this purpose, we process information on the devices from which you electronically access our
      services,
      your
      service setting preferences and the data you fill in on our website in order to ensure your
      user-friendly and
      convenient use of our website. We store certain data on your device in the form of “cookies” (see the
      glossary
      of
      terms). Cookies allow us to respect your choice of language and maintain the data entered by you in our
      online
      forms
      in case you want to return later. You are specifically alerted to our request to process cookies. How to
      handle
      cookies can be found in a separate document.
  • Consent to make copies/scans of your identity cards
    • For some products/services, we may request your consent to obtain a copy or scan of your identity card.
      You
      are
      not obliged to give us your
      consent; your consent will serve to facilitate the provision of the service, yet will not affect the
      decision on
      the
      actual provision/non-provision or use/non-use of the service.
  • Employment
    • Who may be concerned: future employees
    • What type of personal data, in particular, we process: name, surname, address, e-mail, telephone, CV
      data,
      other
      persons’ data in case of references, information you provide us during the interviews, etc.
    • If you are not successful in a selection procedure for a specific position, yet you remain interested in
      potential
      cooperation with us in the future, we will keep your CV for a period of 3 years or until you withdraw
      your
      consent;
      otherwise your personal data will be erased upon the expiry of the trial period of the selected
      candidate as, on
      that date, our legitimate interest, as described above, will expire.

The processing of personal data is required pursuant to valid legislation

We present below the most important legislation stipulating what type of personal data, how and for how long we
may
or must process.

  • o Prevention, control, evaluation and detection of money laundering
    • o Who may be concerned: customers, their representatives, members of statutory bodies, actual owners of
      legal
      entities
    • o What type of personal data, in particular, we process: name, surname, address, DIČ and registered
      office of
      private entrepreneurs, e-mail, telephone, bank account number and financial transaction data: amounts,
      performance,
      performance recipients, etc. In addition, for this purpose, we collect information about actual business
      owners,
      members of the corporate governance structure, customers’ and their related parties’ political exposure;
      to the
      extent necessary we also use software tools for information and transaction analyses.
  • o Processing of accounting and tax information
    • o Who may be concerned: customers, suppliers, etc.
    • o What type of personal data, in particular, we process: name, surname, address, DIČ and registered
      office of
      private entrepreneurs, e-mail, telephone, bank account number and financial transaction data: amounts,
      performance
      recipients, dates, etc., i.e. information regularly found in invoices, tax returns or transaction
      statements. We are
      obliged to maintain such information for up to 30 years

How long we keep the data

We only store your data for the necessary period of time; after the completion of processing, we archive the data
in
compliance with the requirements of the applicable legislation, delete or anonymize the data. We continually
evaluate which data is still needed to be retained. For your information, we state below certain selected
periods:

  • We generally keep personal data obtained on the basis of a contract or in connection with the performance of
    a
    contract for at least 5 years from the date of termination of the contract.
  • We have to store certain personal data pursuant to the requirements of anti-money laundering legislation; we
    have
    the obligation to archive such data for 10 years from the termination of the contractual relationship with
    the
    customer.
  • Tax and accounting regulations require us to archive selected personal data for up to 30 years.
  • On the other hand, certain purposes require minimum retention period; the period of personal data retention
    is
    determined with regard to the actual necessary period of processing of the data. For example, camera
    recordings
    stored for the purposes of protection of our rights and your rights can be stored for a maximum of one month
    according to the technical capabilities of the specific site where the recording was made. Where personal
    data are
    processed for internal purposes, such as product development, simulation and testing, then these personal
    data are
    typically used only once and are then erased or anonymized. The CVs we receive can be processed and stored
    for the
    period described above, then they are deleted or archived for 3 years or until withdrawal of your consent,
    whichever
    occurs earlier. Data about visitors to our branches are stored for 5 business days; after that they are
    deleted.

What are your rights related to personal data protections?

Right to information means that you have the right to receive information about which companies,
how and why process
your personal data and information about other facts contained in this information memorandum.

Right of access means that you have the right to know what type of information we process about
you and why, who
they are shared with (if applicable) and what is our source of your personal data.

Right to rectification means that you are entitled to request correction as soon as you find out
that we do not have
your updated personal data or use inaccurate data (misspelled name, old address…).

Right to erasure, also known as the right to be forgotten means that your personal data will be
erased as soon as
permitted by other legislation, particularly if the purpose for which the personal data were used was met
(termination of contract, termination of selection procedure, etc.)

Right to restriction of processing means that we will not process your personal data in the
period in which we, at
your initiative, investigate the accuracy and completeness of your personal data, or if you explicitly wish that
we
do not delete your personal data for an important reason. This right may partly be exercised even without your
explicit instructions (particularly if we find out that your personal data are not accurate). As soon as the
reasons
for restriction of processing no longer exist, we will inform you of the same.

Right to portability of data means that, if needed, you can request us to transfer your personal
data to you or to
another data controller in an electronic form. This only applies to your personal data held in electronic form,
which we need to perform a contract with you or for the processing of which we received explicit consent from
you.

Right to object against processing. You can exercise this right if you do not wish us to use
your personal data for
the purposes of direct marketing, or if you believe that we are not entitled to process your data.

Right to withdraw consent. You can use this right at any time if you decide that you no longer
wish us to process
your data for the purpose for which you gave us your consent. Withdrawal of your consent shall not affect the
processing carried out prior to withdrawal of your consent.

Automated decision-making means that you have the right not to be the subject of a decision made
without any human
intervention, including in profiling.

We will do all that can be reasonably expected from us to allow you to exercise your rights. However, we are
unable
to meet your requirements in cases where we are unable to allocate the personal data to your person.

How can you exercise your rights?

You can exercise your rights with the W.A.G. Group company that carries out your personal data processing. Most
often, it is the company that you provided your personal data to.
You can exercise your rights via the W.A.G. Group’s joint email address:
compliance@eurowag.com or customercare@eurowag.com.

In the event that the W.A.G. Group breaches any of your rights relating to personal data protection, you have the
right to lodge a complaint with the data protection authority in the relevant country. You can find a list of
these
authorities at the following link
(http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm).

Glossary of terms

Personal data – all data which may serve to identify a particular individual.

Data subject – any particular natural person (including private entrepreneurs as a particular
person can be identified by certain data).

Controller – any person who collects, handles (processes personal or has personal data processed
by a processor) and bears responsibility for the personal data; the person with whom you exercise your rights.

Processor – any person who processes personal data for the purposes for which it has been
engaged by the data
controller.

Purpose – the reason why the personal data are processed.

Processing – any operations carried out on personal data for a particular purpose.

Customers – future, current and former – natural persons/companies/private entrepreneurs having
access to our client
website, and natural persons/companies/private entrepreneurs using any of our products.

Suppliers – future, current and former – natural persons/companies/private entrepreneurs
cooperating with the W.A.G.
Group

Future employees – persons who show interest in working for the W.A.G. Group, including under
agreements to complete
a job, agreements to perform work or as temporary staff.

Cloud repository – virtual space for storing large quantities of data.

Geolocation data – data concerning location and movement.

Cookies and similar technologies – cookies are data files that a web site sends to your browser
that stores it on
the device you use to view the website.

Správa