(“Principles”)

This document provides detailed information informing about how we process personal data with which we, that is, the companies associated with the point mark smpl_, we come into contact within our business, namely on the client side.

Processing is always carried out by a particular Company (as defined below), in particular because you are our clients, visit our website, are interested in our publications, participate in educational events, or interact with us on social networks or otherwise.

This Policy is primarily normative in nature and will apply even if the conclusion of a contract between you and one of the smpl_ companies has not yet been concluded.

In the Principles you will learn:

• who is the controller of personal data,
• what personal data we process
• how we deal with them,
• from what sources do we get them,
• for what purposes and for what period of time we use them,
• to whom we may provide them,
• where you can obtain information about your personal data that we process;
• what are the security options for your personal data and what rights you have in relation to the processing of personal data.

The specifics regarding the processing of personal data of our business partners, job seekers, employees or other cooperating persons are dealt with in separate internal documents, which we do not disclose in this way. With the communication that reaches us through smpl.cz/careers and the personal data contained therein, we treat the same as any other request or offer of services.

For the purposes of the Policy, it means:

• By companies (also referred to in the Principles as”we“)
  
  • troupe smpl_legal s.r.o., ID number 06664652, registered in the Commercial Register maintained by the Municipal Court in Prague under sp. no. C 389367, i.e. the law firm through which we provide legal consultancy and who runs the website smpl.cz and organises educational events (unless otherwise specified in the application form);
  • troupe smpl_tax s.r.o., ID number 04149726, registered in the Commercial Register maintained by the Municipal Court in Prague under the registration number no. C 388034, through which we provide tax advice;
  • troupe smpl_accounting s.r.o., Company ID 19384327, registered in the Commercial Register maintained by the Municipal Court in Prague under sp. no. C 385776, through which we provide bookkeeper services;

all with registered office at Bubenská 1158/17, Holešovice, 170 00 Praha 7, by single contact e-mail info@smpl.cz. Exceptionally, processing may also be carried out by a company smpl_start s.r.o., Company ID 05679087, registered in the Commercial Register maintained by the Municipal Court in Prague under sp. no. C 387945, we would nevertheless inform you in advance about its involvement in the processing.

• By client (also referred to in the Policy as “you”) any natural person interacting with any of the activities described in the introduction to this Policy, whose personal data we obtain primarily from that person and we are in the position of controller of personal data with respect to them (in particular, those who use our services, participants in educational events, if they participate on their own initiative, etc. );
• The person concerned any other natural person whose personal data reaches us through intermediation, primarily as a result of the fact that their personal data are included in the transmitted data and we are thus in the position of a processor of personal data towards them (in particular, they are contractual partners or other persons entering into contractual relations with the Client, their family members, etc.).

We obtain personal data exclusively from the Clients themselves and persons on the Client's side — persons representing the Client or authorized by the Client to communicate with us and share selected materials or information with us. We also obtain personal data from publicly available sources, typically public registers, and also from persons with whom we come into contact as a result of the services provided (your counterparties, employers, business partners and others).

We assume that the data transmitted is always complete, true and up to date. If you transfer the data of the Data Subject to us, you are solely responsible for the fact that you have handled it lawfully, that you have been authorized to transfer it to us, and that there is no interference with the rights of such Data Subjects.

‍

1. Companies as controllers of personal data

As administrators, we act towards all our Clients who are natural persons and also all potential interested individuals — natural persons who are interested in becoming Clients, browse our website or communicate with us through any of the available communication channels.

The administrator is always the Company that provides the selected services. Therefore, if we provide legal advice, your personal data is processed by smpl_legal s.r.o., if tax advice, then smpl_tax s.r.o., etc. In the case of multidisciplinary consulting, such as the processing of expert opinions affecting both law and taxes, the processing may take place by a combination of Companies or all Companies at once. If in doubt, you can contact us at any time for details.

The personal data processed then correspond to the extent of the specific relationship between us and you. The data processed include, in particular, the following:

• general identification data (name, surname, title, function, business name, birth number, ID number, VAT number, date and place of birth, etc.)

• contact details (registered office, place of residence, delivery address, billing address, e-mail, telephone number and possibly other identifiers according to the selected means of communication such as handle etc. );
• payment details (in particular, bank account number and cryptocurrency wallet address and information about payments made);
• the data contained in the communication, whether before or in the course of the cooperation;
• data obtained in the framework of cooperation (content of tax or other files, information about studies and family members for the application of tax benefits, etc. );
• data captured in photographs, audio and audiovisual recordings of our educational events, which may also capture the participants of the event;
• the data we are obliged to obtain (type, number and period of validity of the identity card, etc. );

and any other data you provide to us on your own initiative or for the specific processing purposes described below.

The processing of your data takes place mainly through the collection and organization, structuring, storage (including cloud storage), inspection, use in the provision of services, disclosure by transmission to our processors, joint administrators and employees, creation of new documents, erasure, destruction and other processing operations necessary according to the individual purposes of the processing.

We process your personal data for the following reasons:

• we need to know such data in order to enter into a contract with each other or for subsequent performance of obligations under the contractincluding cases where the fulfilment is entirely of a one-off nature (e.g. isolated consultations or opinions or occasional participation in an event), processing for this purpose taking place during cooperation negotiations and during the provision of services;
• We are required to process the processing by a specific law and we must process personal data to Comply with our legal obligation, e.g. according to Act No. 85/1996 Coll., on Advocacy, No. 499/2004 Coll., on Archiving and File Service, No. 253/2008 Coll., on Certain Measures Against Legalization of Proceeds of Crime and Financing of Terrorism, Act No. 235/2004 Coll., on Value Added Tax, Act No. 586/1992 Coll., on Income Taxes, Act No. 280/2009 Coll., Tax Code and Act No. 563/1991 Coll., on accounting, the processing period then corresponding to the time specified by the relevant law;
• we have legitimate interest We process your personal data, typically because:
  
  • we have provided you with legal and tax advice or accounting services, in which case we process the selected personal data for up to 10 years from the end of the provision of services so that we can defend any legal claims and, where appropriate, defend claims made by you; or
  • we have provided you with any services and would like to keep in touch with you on the relevant topic, in which case the duration of the processing is always based on the circumstances of the cooperation, but we never process the data for this purpose for more than 2 years after the termination of the cooperation; or
  • you have participated in an event that we organize or in which we participate, and we process personal data for the period necessary to ensure your participation in the event and, on the other hand, for up to 3 years from the event, for the purpose of keeping statistics and records, as well as promotion, which includes photographs, audio and audiovisual recordings;
• you have granted us to process consenting, especially in the form of a tickbox, e-mail or other active step on your part (confirmation email, newsletter subscription, etc.), typically in connection with receiving one of our promotional materials or sending marketing communications. We then process personal data for the period necessary to achieve the purpose, usually for a maximum of 5 years from receipt of consent, but always up to the moment before you withdraw your consent.

Transfer of data to other persons

In the provision of legal services, education, publishing activities and organizing events, the Company may instruct other persons to process your data, in particular other companies, our suppliers (e.g. experts, auditors, notaries, translators, etc.), IT technology providers (hosting and mailing services, online calendars, accounting software providers, etc.), any other third parties involved in the services, This includes the organizers of individual events or seminars. Other processors are our cooperating attorneys, tax advisors, accountants and administrative reinforcements who help our clients provide quality and specialized services or provide selected services for us. Such persons are our processors. The transfer always takes place only within the scope of the purposes described above and only if such transfer is necessary for the fulfilment of the individual purposes.

Your personal data may also be transferred to other administratorstypically where the transfer is required by law (e.g. as part of the performance of our AML obligations or in the case of duly requested cooperation by law enforcement authorities) and in cases where such transfer is due to the nature of the services provided (e.g. when we have to disclose the personal data collected in a lawsuit and are thus transferred to the counterparty and the court) or is necessary in connection with our defence rights. The transfer of selected personal data to individual operators of online platforms for the purposes of our promotion is also not excluded. These controllers then decide for themselves how they handle your personal data and the processing of personal data is governed by their own terms and conditions.

In cases of multidisciplinary consulting, they may be in the role Joint administrator locate Companies involved in the provision of a particular service or provision of a common purpose or objective. However, this does not have a factual effect on you and you may exercise your rights with any of the Companies in the manner set out below.

Of course, following your instructions, your personal data may also be transferred to other entities that are not listed in this section of the Policy.

Although our processors are typically located directly in the EU or at least in the EU provide servers and we always use them preferentially, in some cases personal data may also be transferred to countries outside the European Economic Area. However, such a transfer is always conditional on compliance with the standard contractual clauses issued by the European Commission and available hereunder, where appropriate, on the basis of other measures ensuring an adequate level of protection of personal data.

Your rights in the processing of personal data

If you have any questions or wish to exercise any of the following rights, you may contact us at any time in person, such as during a meeting, or by email at info@smpl.cz.

We will endeavour to resolve any of your requests immediately and, if this is not possible, within a maximum of 30 days of receipt. In exceptional cases, you can extend the period up to another 2 months. However, we will inform you about this at least in advance.

Thanks the right of access to personal data you can at any time obtain information about their processing, or request a copy of the personal data relating to them. You should already have the necessary answers to questions of this type from this Policy, but if you are not clear about anything, you can contact us

Right to rectification of personal data allows us to contact us if we have inaccurate or out of date information so that we can correct it. You can also apply the right to restrict processingif you feel that we are processing more data or to a greater extent than necessary, or if you request rectification or object to the processing. The purpose of exercising the right to restriction of processing is (temporarily) to prevent the selected personal data from being subject to further processing.

You can also ask for erasure of personal data. If there is no legal reason for their further processing, we will gladly comply with your request. Such grounds for further processing include, for example, our archiving or other obligations, or defending our legal claims.

If you decide to use the right to the portability of personal data, we will make available to you all personal data that we process automatically in electronic form, and which we process for the purpose of fulfilling the contract. For example, this right does not include the transmission of any documentary evidence.

If we terminate our cooperation, we will archive the necessary data for as long as possible and for the purposes described above. If we have received original documents from you on file, we will return them to you.

You also have the right to process personal data on the basis of a legitimate interest object to processing. We will prevent further processing unless we have another compelling reason for processing them.

If you feel that we are processing your data unlawfully or otherwise violating your data protection rights, you can also contact directly Office for the Protection of Personal Data with his complaints.

2. Companies as processors of personal data

In the provision of selected services, we may also process the data of the Data Subject, thereby placing us in the role of processor. Therefore, together with the conclusion of the contract for the provision of services, we also conclude the following agreement on the processing of personal data within the meaning of Article 28 (3) of the General Regulation (GDPR), by which we undertake to process their personal data on the basis of the instructions of our Clients, who in this case are themselves controllers of the personal data of the Data Subject.

The categories of personal data processed by the Data Subjects are then practically identical to the categories mentioned above in the case where we are the Controller, but the scope of the processed data is determined Exclusively by the Client.

Therefore, we will collect, store the personal data of the affected persons in paper form and on data carriers, modify and modify, view, make copies, transfer to third parties, search, sort and combine, create new derived documents, delete unnecessary data and perform other operations based on the instructions of our Clients and for a period determined by our Clients.

As a Client, you acknowledge that we use different processors, which we have already informed you about in the section “Transfer of data to other persons” above. With the involvement of sub-processors in the processing of personal data of the Data Subject you expressly agree. That provision is then a general power within the meaning of Article 28 (2) of the Regulation. We will bind sub-processors with at least the same obligations as those stipulated in this contract. However, we are not responsible for their handling of the entrusted personal data of the affected persons. As a Client, you have the right to object to the sub-processors.

The processing of personal data on the basis of this contract is gratuitous. However, this does not affect charging some of our actions related to the processing of personal data in cases where you require us to cooperate with the fulfilment of your own obligations to data subjects or public authorities. Of course, we will always provide you with the necessary synergies and supporting documents to ensure the implementation of this contract. When processing personal data, we will always be guided by this Agreement, the Service Agreement and the Client's instructions.

The client always responds for the timeliness and correctness of the personal data of the Data Subject, for the existence of a legal basis for its processing and for the fulfilment of any other obligations arising from the Regulation and other legal regulations. We don't answer data subjects for harm caused by breach of obligations regarding the protection of personal data by the Client.

At the same time, we also declare that we are aware of our obligations under the Regulation and undertake to ensure their fulfilment by, for example, obliging sub-processors to confidentiality obligations, if they do not arise from professional legislation, by separating data from data processed for other purposes, by allowing an audit or inspection regarding the processing of personal data after a request sent by the customer at least 30 working days in advance with notification Taking into account our other legal obligations.

Upon detection of a breach of the protection of the processed personal data, unauthorized or accidental access to personal data, destruction or loss, unauthorized transfer, or other unauthorized processing or misuse, we will promptly inform the Client to take measures to eliminate the defect.

We undertake to take such technical, personnel and other necessary measures to prevent unauthorized or accidental access, alteration, destruction or loss of personal data, unauthorized transfers, other unauthorized processing, as well as other misuse of personal data, and we will document these measures. This obligation applies even after the termination of the provision of services, as long as we have personal data at our disposal.

We will ensure, by issuing our own internal regulations, or through special contractual arrangements, that employees and sub-processors process personal data on the basis of a contract and only under the conditions and to the extent determined by us and corresponding to the Principles and legal regulations. We will maintain confidentiality about security measures, the disclosure of which would compromise the security of personal data.

3. Common and final provisions

The text of the Policy may be amended or supplemented. If you are an existing client or a client for whom we are currently providing selected services, we will inform you of the change in the manner we normally use to communicate with you.

Personal data will be processed in electronic form mainly by manual or automated means. However, personal data is never subject to individual automated decision making or profiling.

All legal relations arising on the basis of or in connection with the processing of personal data are governed by the legal order of the Czech Republic. The general court of the company in the Czech Republic is competent to resolve any disputes arising in connection with the protection of privacy between the customer, the client or another person concerned and the company, which will apply Czech law.

As amended on 20 April 2025

‍