Personal data protection policy for clients/visitors - natural persons

according to:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter also referred to as "the Regulation" or "GDPR"

The Company:

Our fitness s.r.o.

ID: 05939682

with its registered office at Lazecká 421/122, Hejčín, 779 00 Olomouc, registered at the Regional Court in Brno under file No. C 99068/KSBR, represented by the Managing Director Bc. Jan Doležel and Eva Pohorelská

hereinafter also referred to as "the Company"

is the controller of personal data of data subjects, i.e. the entity which determines the purposes and means of processing personal data of the subject's clients, i.e. natural persons, visitors of Legends Gym Olomouc, members or non-members (hereinafter referred to as "clients").

Data subject means, within the meaning of Article 4(1) of the Regulation, the person whose personal data is processed, i.e. the clients defined above.

The Company has not appointed a data protection officer. Only a contact person in relation to client data protection issues.

Contact person:

Bc. Jan Doležel

Tel: 773185336

e-mail: fitnessour@gmail.com

The company processes the following personal data of clients:

title, name and surname

address of place of residence,

specification of the client's health insurance company,

the client's date of birth and birth number,

telephone number,

e-mail address,

as classic personal data.

The company also processes other data such as biometric data for diagnostic purposes, photographs of clients and their membership number if they are members falling under the designation of special category of personal data within the meaning of Article 9 of the GDPR.

The purpose and legal basis for the processing of clients' personal data is:

Article 6(1)(b) of the GDPR, i.e. that the processing is necessary for the provision of proper services of the Centre and the conclusion of a contractual relationship (i.e. performance of a contract) - it concerns the personal data specified in Article III, paragraph 1, point I. under: a), b), c), d), e), f), as well as the above-mentioned special categories of personal data.

The provision of the personal data specified in Article 4 of this Policy is a legal requirement; it is necessary for the purposes of the proper conclusion of the contractual relationship and the performance of the services offered by Legends Gym, i.e. the Company, and for the maintenance of the relevant contractual documentation (i.e. for the implementation of the relevant contract, etc.). If the Client refuses to provide the Company with this information, it is not possible to properly conclude the necessary contractual documentation and provide the required performance by the Company.

The Company processes the personal data of the clients for the entire duration of the contractual relationship. Once the contract has been fulfilled or terminated, the personal data of the Clients shall only be processed in the sense of archiving them in accordance with the following paragraph.

Clients' personal data contained in contractual documents or other written documents issued by the Company and stored with the Company are archived in accordance with the legal requirements of Czech law, usually for a period of one year after the termination of the contractual relationship. After this period, they will be shredded by the Company in a protocol.

Only authorized employees of the Company have access to the personal data of the clients, namely the receptionist of Legends Gym and their supervisors Bc. Jan Doležel and Eva Pohorelská, or other specifically authorized employees, only for the performance of their duties and by virtue of their job description for the fulfilment of the Company's object of activity. All such employees have a duty of confidentiality to which they have committed themselves in writing to the Company. This personal data contained in the contractual documentation is then stored electronically by the Company on a secure (encrypted) computer at the reception area.

Outside of the client - the data subject - their personal data may be passed on:

to a person designated by the client in his written informed consent,

to the Company's external legal counsel and/or tax advisor,

upon written request to the Police of the Czech Republic and to the public prosecutor's office,

upon written request to any general court in the territory of the Czech Republic,

upon written enquiry to the Tax Authority and the Tax Directorate,

upon written enquiry to the social security authorities and the locally and factually competent labour office.

Personal data such as name and surname and contact address may also be obtained by the Company from commonly accessible public registers such as the Commercial Register, Trade Register, remote access to the Land Registry, Insolvency Register, etc. In this case, the client's prior consent is not required.

The client's personal data is stored as follows:

The Company keeps a paper record of original contracts (or orders) of all kinds related to its business in a locked cabinet in the managers' office at the Company's headquarters. This room is under surveillance at all times, locked and protected by an alarm outside working hours. Access to the records is restricted to the Company's executives.

The Company also maintains electronic records of contractual documentation in an internal database on a secure (encrypted) computer. These data are handled by the managing directors on the company's encrypted computer stored at the reception desk.

The client has the right of access to personal data within the meaning of Article 15 of the Regulation. This includes the right to obtain confirmation from the Company as to whether his personal data is being processed and, if it is, the right to access this data and the following information:

a list of the personal data that is being processed,

the purpose of the processing of that personal data,

the recipients or categories of recipients to whom the clients' personal data have been or will be disclosed,

the sources of the personal data, if not obtained directly from the clients,

the duration of the processing of the personal data or how it is determined,

the existence of the right to request the Company to rectify personal data within the meaning of Article 16 of the Regulation, the right to request the erasure of personal data (right to be forgotten) within the meaning of Article 17 of the Regulation, the right to restrict the processing of personal data within the meaning of Article 18 of the Regulation, the right to lodge a complaint with a supervisory authority within the meaning of Article 77 of the Regulation and the right to judicial protection of clients within the meaning of Articles 78 and 79 of the Regulation.

A request to exercise the data subject's right under this Article shall be sent by the data subject to the Company's email address info@legendsgym.cz or to the Company's Data Protection Officer (if one has been appointed by the Company), provided that the Company shall send the requested data to the client's email address from which the request was sent. If the Client sends the request in paper form and at the same time requests that the information under this Article be sent to him in paper form (or if he does not provide a contact e-mail address where the information under this Article can be sent to him in electronic form), the Company will charge him an administrative fee of CZK 100.

The Company is obliged to respond to the Client's request under this Article in writing without undue delay, no later than one (1) month from the date of receipt of the request; in cases where special circumstances warrant, no later than two (2) months from the date of receipt of the request. If the reply within the meaning of the preceding sentence after the semicolon is delayed, the Company shall inform the data subject thereof within one (1) month from the date of receipt of the request, including the reasons for such delay.

If the Client so requests, the Company shall also provide the Client with a copy of the personal data it processes, primarily in electronic form. However, if the data subject requests that copies be provided in paper form or does not provide the Company with an email address for this purpose, the Company shall provide copies in paper form. The Company shall charge an administrative fee of 100,-CZK for the provision of copies.

The Client has the right to request the Company to correct or supplement personal data within the meaning of Article 16 of the Regulation, namely:

in person at the company's premises at Sokolovská 80/4 in Olomouc between 08.00 and 20.00 daily,

by written submission (letter) addressed to the Company's registered office,

by telephone to 727 857 657 (reception) or to the contact person specified in Article II, paragraph 1.

to the e-mail address of the Data Protection Officer specified in Article II, paragraph 1.

If the Client requests a written response from the Company, he/she must send the request to exercise the right under this Article in writing - see above - with the understanding that the Company will make the correction or addition and the Client will send a confirmation of the correction/addition to the Client's e-mail address from which the request was sent. If the Client sends the request in paper form and at the same time requests that the confirmation of the correction/addition according to this article be sent in paper form (or if he does not provide a contact e-mail address where the confirmation according to this article can be sent to him in electronic form), the Company will charge him an administrative fee of 100 CZK.

The Company is obliged to provide, upon the Client's request, information on the measures taken in connection with the Client's request under this Article without undue delay, no later than one (1) month from the date of receipt of the request; in cases where special circumstances justify it, no later than two (2) months from the date of receipt of the request. If there is a postponement of the reply within the meaning of the preceding sentence after the semicolon, the Company shall inform the Client thereof within one (1) month from the date of receipt of the request, including the reasons for such postponement.

Furthermore, the Client has the right to request the Company to delete his/her personal data (right to be forgotten) within the meaning of Article 17 of the Regulation, but only:

if the data are no longer necessary for the purpose for which they are processed,

there is no legal basis for processing the data,

if the personal data have been unlawfully processed,

if it is necessary to erase the personal data in order to comply with a legal obligation.

Even if the above conditions are met, the client does not have the right to have the personal data erased if the processing is necessary:

for the exercise of the right to freedom and information,

for the performance of a legal obligation under applicable and effective law, or for the performance of a task carried out in the public interest,

for archiving purposes in the public interest or for statistical purposes,

for the establishment, exercise or defence of legal claims.

The request to exercise the Client's right under this Article shall be sent by the Data Subject to the Company's e-mail address info@legendsgym.cz, provided that the Company shall send the requested data to the Client's e-mail address from which the request was sent. If the Client sends the request in paper form and at the same time requests that the information pursuant to this Article be sent to him in paper form (or if he does not provide a contact e-mail address where the information pursuant to this Article can be sent to him in electronic form), the Company will charge him an administrative fee of CZK 100.

The Company shall be obliged to provide the Client, upon request, with information on the measures taken in connection with his/her request under this Article without undue delay, no later than one (1) month from the date of receipt of the request; in cases where special circumstances justify it, no later than two (2) months from the date of receipt of the request. If there is a postponement of the reply within the meaning of the preceding sentence after the semicolon, the Company shall inform the Client thereof within one (1) month from the date of receipt of the request, including the reasons for such postponement.

The Client shall have the right to request the Company to restrict the processing of its personal data within the meaning of Article 18 of the Regulation, but only:

if he/she contests the accuracy of the personal data, for a period of time until the accuracy is verified by the Company; such personal data may then be processed for the duration of the restriction of processing only for the purpose of storage for the establishment, exercise or defence of legal claims, in the important public interest, for the protection of the interests of another natural or legal person, or only with the consent of the Client,

if the processing of personal data is unlawful and the client does not wish to exercise the right to be forgotten within the meaning of Article 17 of the Regulation, but does not wish to exercise this right,

The company no longer needs the client's personal data for the purposes of processing, but the client needs it for the establishment, exercise or defence of legal claims.

If the client exercises this right, the Company is obliged to inform the client before the expiry of the period for restricting the processing of his/her personal data that the restriction on processing will be lifted.

The Company is obliged to inform all recipients of the Client's personal data (see Article 10 of this Policy) of the rectification, erasure or restriction of the processing of specific personal data.

A request to exercise the Client's right under this Article shall be sent by the Client to the Company's email address info@legendsgym.cz and/or the Company's Data Protection Officer, provided that the Company shall send the requested data to the Client's email address from which the request was sent. If the Client sends the request in paper form and at the same time requests that the information pursuant to this Article be sent to him in paper form (or if he does not provide a contact e-mail address where the information pursuant to this Article can be sent to him in electronic form), the Company will charge him an administrative fee of CZK 100.

The Company is obliged to provide, upon request of the data subject (client), information on the measures taken in connection with his/her request under this Article, without undue delay, no later than one (1) month from the date of receipt of the request; in cases where special circumstances justify it, no later than two (2) months from the date of receipt of the request. If there is a postponement of the reply within the meaning of the preceding sentence after the semicolon, the Company shall inform the Client thereof within one (1) month from the date of receipt of the request, including the reasons for such postponement.

If the Company does not take the action requested by the Client, the Company shall again inform the Client of the reasons within one (1) month from the date of receipt of the request.

The Company shall have the right to the portability of the Client's personal data only in the cases specified in the Regulation, and only within the scope of its business and only to Our fitness Ltd.

The Client has the right to lodge a complaint with the Office for Personal Data Protection (hereinafter also referred to as: "the Office") within the meaning of Article 77 of the Regulation if he/she believes that the processing of his/her personal data by the Company has violated the Regulation. The Client is entitled to seek judicial protection against a binding decision of the Authority or if the Authority fails to deal with the complaint or fails to inform the Client of the progress of the matter within three (3) months from the date of the complaint.

The contact details of the Office are as follows:

Registered office: Pplk. Sochor 27, 170 00 Prague 7

Tel.: +420 234 665 111

website: www.uoou.cz

The Client has the right to judicial protection, both against the Office and against the Company as a personal data controller. More detailed information on the exercise of the right to judicial protection is specified in Articles 78 and 79 of the Regulation.

Only the managing directors of Our fitness s.r.o. work with personal data. Furthermore, the data is used by external partners who provide their services at Legends Gym and is in the legitimate interest of the clients/visitors of Legends Gym for the purpose of providing full and proper services related to the operation of the centre.

The controller transfers personal data to other processors for the purpose of accounting, personnel and payroll, fitness services, group activities and diagnostics

The company has implemented the following measures in terms of data protection:

Clients, members of OmegaClub - chipping on the basis of membership card.

Creation of a discreet zone in the reception area

Rapid system s.r.o. - Rapid system - anonymization, encryption, logging of authorized persons to access personal data (creation of a separate authorization for receptionists allowing access to unencrypted personal data due to the legitimate interest of providing services to clients, quality of check-in and reduction of errors in the system)

New clients - transfer of personal data to the Rapid system by a receptionist who has a duty of confidentiality and is properly trained

Legends Gym reception desk phone - device encryption

Other contact details for the Company:

Company reception phone number: 727 857 657

In Olomouc on 1 June 2021

On behalf of Our fitness s.r.o.:

Bc. Jan Doležel

Managing Director