Protection of personal data

P2P Investments s.r.o.

Privacy Statement

Privacy Statement processing of personal data pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and the instruction of data subjects (hereinafter " GDPR ").

Data controller / processor

Company: P2P Investments sro, IČ: 070 19 505, with registered office: Pražská 84/15, Vnitřní Město, 301 00 Plzeň

entered in the Commercial Register kept at the Regional Court in Pilsen, Section C, Insert 38802 (hereinafter referred to as the “ Administrator ”)

I. Scope of processing of personal data

Personal data are processed to the extent that the competent data subject has provided them to the controller, in connection with the conclusion of a contractual or other legal relationship with the administrator or otherwise collected by the administrator and processed in accordance with the generally binding regulations in force in the Czech Republic or to fulfill the legal obligations of the administrator

II. Sources of personal data

• directly from data subjects

• registration as a loan applicant

• registration as an investor

• publicly accessible registers, lists and records (eg Administrative Register of Economic Entities, Trade Register, Real Estate Cadastre, etc.)

III. Categories of personal data that are subject to processing

• address and identification data used to uniquely and unmistakably identify the data subject (eg names, surnames , date of birth, birth number, etc.) and data enabling contact with the data subject (contact details - eg contact address, telephone number, e-mail address, etc.)

• descriptive data (eg bank account number)

• other necessary data for the performance of the contract

• data provided in addition to the relevant laws processed in the framework of the consent given by the data subject (processing of photographs, use of data for examination in the Central Register of Executions, Insolvency Register, etc.)

IV. Categories of data subjects

• client interested in a loan

• client investor

• employee of the administrator (including a former employee)

• a service provider (lawyer, bailiff, assignor or assignee of a claim) in the context of settling outstanding loans

• another person in a contractual relationship with the administrator

V. Categories of recipients of personal data

• financial institutions

• lawyers in resolving non-performing loans

• courts in resolving non-performing loans

• bailiffs in resolving non-performing loans

• insolvency administrators in insolvency proceedings

• assignors and assignees in referral receivables

• state authorities in the framework of fulfilling legal obligations stipulated by relevant legal regulations

VI. Purpose of personal data processing

• for those interested in a loan to find a potential investor

• for investors, an offer to finance a person interested in a loan

• arising from performance under the contract

• protection of the rights of the administrator, beneficiary or other persons concerned and their enforcement (eg recovery of the administrator's receivables, resolution of complaints or complaints)

• compliance with legal obligations by the administrator

VII . Method of processing personal data

The processing of personal data is carried out by the administrator and is carried out at its registered office and premises by individual authorized employees of the administrator. The processing takes place through information and communication technologies, or manually for personal data in paper form in compliance with all the necessary security principles for the management and processing of personal data. For this reason, the administrator took measures of a procedural - technical nature in order to prevent unauthorized access to personal data, their change or loss, unauthorized transfer, unauthorized processing or other misuse of personal data.

A more detailed description of specific ways of processing and handling personal data can be found on the administrator's website.

VIII. Time of processing of personal data

In accordance with the relevant internal regulations of the administrator and the relevant generally binding legal regulations of the Czech Republic, personal data will always be processed for a period necessary to safeguard the rights and obligations arising from those legal documents

IX. Instructions

The controller processes personal data with the knowledge of the data subject, except in cases stipulated by law where the processing of personal data is not specifically required (eg consent).

In accordance with Article 6 (1) of the GDPR, the controller may process the following data without further consent if:

• the data subject has already given consent for one or more specific purposes

• the processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures taken before conclusion contracts at the request of that data subject

• processing is necessary to fulfill a legal legal obligation applicable to the controller

• processing is necessary to protect the important interests of the data subject or another natural person

• processing is necessary for the performance of a task carried out in the public interest

• processing is necessary for the purposes of the legitimate interests of the controller or a third party concerned, except where fundamental rights and freedoms of the data subject requiring the protection of personal data

X. Rights of data subjects

• in accordance with the provisions of Article 12 of the GDPR, the controller shall, at the request of the data subject, inform the data subject of the right of access to personal data and the following information:

• purpose of the processing

• the category of personal data concerned

• the recipients or categories of recipients to whom the personal data have been or will be disclosed

• the necessary time for which the personal data will be stored

• all available information on the source of the personal data

• if it is not obtained from the data subject, whether there is an automated decision, including profiling

• any data subject who discovers or believes that the controller (or processor) carries out the processing of his personal data which is contrary to the protection of privacy and personal life the data subject or in breach of the law, in particular if the personal data are inaccurate with regard to the purpose of their processing, may:

• ask the controller for an explanation

• Require the administrator to delete the condition. In particular, it may be a matter of blocking, correcting, supplementing or deleting personal data

• if the data subjects' request under the previous sentences is found to be justified, the controller shall immediately remove the defective condition

if the data subject's request controller according to the previous sentences, the data subject is entitled to turn to the supervisory authority, which is the Office for Personal Data Protection

• the procedure according to the previous sentences does not preclude the data subject from contacting the supervisory authority the Office directly

• the controller shall provide the data subject, at his request, with one copy of the personal data processed free of charge. For additional copies, the administrator is entitled to claim reimbursement of administrative costs.

This statement is publicly available on the administrator's website www.jbank.cz .

In Prague on 17.05.2020

P2P Investments Ltd.