Privacy Policy
Last update: 30. 3. 2026
1. Introduction
We, Škoda Auto a.s., with our registered office at tř. Václava Klementa 869, Mladá Boleslav II, 293 01 Mladá Boleslav, Czech Republic, corporate ID: 00177041, tax ID: CZ00177041, recorded in the Commercial Register held by the Municipal Court in Prague, file no. B 332, have prepared this Privacy Policy to inform you how we collect, process, use and protect your personal data. Our aim is to provide clear and transparent information to help you understand how we safeguard your privacy.
We handle all your personal data in line with the applicable legislation, in particular Regulation (EU) 2016/679 (the General Data Protection Regulation – “GDPR”), Act No. 110/2019 Coll., on Personal Data Processing, Act No. 127/2005 Coll., on Electronic Communications, and Act No. 480/2004 Coll., on Certain Information Society Services, as amended.
With this Privacy Policy, we also aim to clarify the key terms and processes we use when handling your personal data and answer questions you may have in connection with the collection, processing and storing of your personal data. To fully understand how we protect your personal data, we recommend that you read this Privacy Policy carefully.
If you come across any term in this Privacy Policy that you feel is not fully clear, you may find its explanation in the glossary section at the end of this document.
2. Our role in processing personal data
Depending on the context in which we handle your personal data, we may act either as a controller or, in some cases, as a processor.
When you provide your personal data to us — for example when purchasing our products or services, communicating with us, or submitting enquiries or complaints — we act as the controller. As the controller, we determine the purposes and means of processing your personal data and are responsible for ensuring that all processing complies with applicable data protection laws. Processing includes any operation performed on personal data, such as collection, storage, use, or deletion.
In certain situations, we may also act as a processor on behalf of another controller. In such cases, we process personal data strictly in accordance with that controller’s instructions and under a written data processing agreement.
We are also responsible for safeguarding your personal data. If a personal data breach occurs, and where required by law, we will inform you directly.
3. Who to contact
If you have any questions, comments, or concerns regarding this Privacy Policy or the protection of your personal data, you can contact our Data Protection Officer:
Data Protection Officer (DPO) of Škoda Auto
dpo@skoda-auto.cz
If you believe that the processing of your personal data does not comply with applicable data protection laws, you also have the right to lodge a complaint with the supervisory authority:
Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
Czech Republic
+420 234 665 111
www.uoou.cz
4. Our approach to data protection
We consider the protection of personal data to be essential, and we handle your personal data with due care and in line with applicable data protection laws.
To ensure that your personal data is processed lawfully and securely, we follow these key principles set out in the GDPR:
- Principle of lawfulness, which requires us to always process your personal data in line with applicable laws and on at least one valid legal basis.
- Principle of fairness and transparency that requires us to process your personal data in an open and transparent manner. We inform you about how and why your personal data is processed, and, where legally required, about any serious data breaches.
- Principle of purpose limitation, which allows us to collect your personal data only for a specific, explicit, and legitimate purpose.
- Principle of data minimisation which requires us to process only personal data that are necessary, relevant and adequate in relation to the intended purpose.
- Principle of accuracy which requires us to take reasonable steps to ensure your personal data is accurate and, where needed, kept up to date.
- Principle of storage limitation which requires us to store your personal data only for the period that is necessary for the specific purpose for which they are processed. Once the retention period expires, or the purpose no longer applies, we delete or anonymise the data.
- Principle of integrity and confidentiality which requires us to secure your personal data and protect them against unauthorised access, loss, misuse or damage. For these reasons, we implement appropriate technical and organisational security measures for the protection of your personal data. Concurrently, we ensure that access to your personal data is limited to authorised personnel only.
- Principle of accountability which requires us to be able to document compliance with all the conditions referred to above.
5. What are personal data and how we categorise them
Personal data are any information that allows us to identify you – either directly or indirectly. Therefore, it includes information that can be linked to you as an individual.
Personal data do not include anonymous or aggregated data, meaning data that can no longer be associated with you.
To provide clarity and transparency, we group personal data into several categories. These categories cover all types of personal data that may be potentially processed, including special categories of personal data.
Below you can find an overview of these categories together with examples of the specific data they include. The exact categories currently processed by us are always specified in the respective Information on Personal Data Processing.
Identification data: residence address (city, street, house number, ZIP, country), passport number, diplomatic passport number, journalist accreditation number, identity card number, health care insurance number, driving license number, social security number, employee card number, date of birth, date of death, document issue date, date of creation / cancellation of the record, VAT ID, reference number of the insured person, photo from an identity card, CIN, personal identifier (assigned by company), language, name of child, place of birth, permanent residence address (city, street, house number, ZIP, country), document place of issue, salutation, document expiration date, signature, sex, position within the company, surname, personal identification number, birth name, birth year, citizenship, title, document type, employer
Contact information: workplace address (city, street, house number, ZIP, country), data box, delivery address (city, street, house number, ZIP, country), email address, billing address (city, street, house number, ZIP, country), fax, contact information within social media, mailing address (city, street, house number, ZIP, country), work email address, work phone number, phone number
Psychological characteristics: any information about nature/personality/disposition/mood
Physical characteristics: physical characteristics (e.g., hair color, eyes, height, weight, etc.)
Risk profiles: AML risk, CFT risk, other security risk, cybernetic risk, PEP, embargo risk, anti-fraud risk
Data about family and other persons: child date of birth, household information, information about another person (kinship and other relationships), name of child, marriage, partnership, number of children, surname of child, marital status, family status since
Descriptive data: EHIC ID number, insurance data, skills, rank, information about the area where data subject lives, information on housing, health insurance code, sick note copy, qualification, left-handed / right-handed, position and work experience, profile, segmentation, social status (e.g. student, employee, self-employed, no income), important moments in the life of the subjects (e.g. moving, obtaining a driving license), education, record of events in calendar, firearms license (yes/no), lifestyle, habits, free time and travel, membership (e.g. charitable or voluntary organizations)
Feedback: evaluation records, reaction and/or responses in surveys, complaints / suggestions / proposals / requests / inquiries, their handling and the information obtained
Copy of a personal document or other public document: passport copy, diplomatic passport copy, ID card copy, copy of achieved qualification certificate, copy of achieved education certificate, copy of ZTP card, ZTP/P, copy of birth certificate, copy of public authority decision, copy of court decision, driving license copy, copy of vehicle registration certificate, copy of death certificate, copy of a public document (e.g. Certificate of Ownership, document from the Land registry, etc.)
Data on race or ethnic origin: racial or ethnic origin
Data on religious or philosophical beliefs: religion or philosophical beliefs
Data on trade-union membership: membership in unions
Genetic data: genetic data
Biometric data: biometric data (e.g. signature, photo)
Data relating to criminal convictions and offences or related security measures: data relating to criminal convictions and offenses or related security measures
Health condition data: mental health, physical health, blood group, risky situations and risky behavior, healthcare data, ZTP, ZTP/P
Data on sex life or sexual orientation: data about sexual life or sexual orientation
Payroll and similar data: bonuses / benefit draws, private account number, taxes and levies, tax returns and documents, wage/reward, wage compensation, expenses, insurance, tax declaration of taxpayer, average earnings, consumption of internal resources, wage deductions, employee assets data, way of sending wages
Curriculum vitae, motivation letters and records from the selection process: CV, cover letter, records and results from selection process
Work performance data: completed trainings, daily program / timesheets, attendance, leave of absence, category of employment, home office, teleworking, information on business trips and other changes in employment, information on how the work tool is used, internal sanction, work categories, accident book, maternity/parental leave, superior, cost center, sick leave, personal goals and KPI, designation/abbreviation of the organizational unit, number of hours worked, working hours, work position / functional position, career break, received and handed gifts, self-assessment, employee status (active/inactive), entrusted devices and other values, ICT assets, events, calendar, performance of work for a third person
Transaction data: authorization / power of attorney, bank account number, debit/credit card number, date of transaction, cost of provided services, transaction amount
History of trading: information about group trading, offers/demand of business opportunities, subject, date, place of transaction, transactions and contracts, including related information, reminders
Trading profile: business profile, designation “Key Customer” and similar, preferred dealer, solvency, interest in test drive, intention to buy the car (when, what, financing)
Internal control and investigation data: reports from the whistleblowing systems, records from internal investigations
IT and information security data: application, system and/or user logs, passwords of internal IT systems, logs related to the use of telecommunication devices / traffic, login to application, access rights, user role, user ID
Data related to the security and management of the facility: guestbook data, records from camera systems, records from entry devices
Photos / videos: photo, video
Voice records: voice recordings
Information about mutual communication and interaction: email communication, chat (instant messaging) conversations, behavior, clicking, searching, listening or browsing related to the Internet, e-mail, media or applications, consent/disagreement with the type or form of communication
Technical information on the product: current vehicle status, information about damage on the vehicle, information about maintenance / service visits / warranty, information on how the item is used (e.g. vehicles), driving data, personalised vehicle settings, license plate number, technical description of the vehicle, vehicle ownership, VIN
Localization data: location data based on GPS, location data based on technology other than GPS
Network identifiers: cookies or similar technology, browser information, IP address, MAC address, device fingerprint
Data about study progress: student evaluation, field, practice, class, grades.
6. What is the legal basis for processing your personal data
We process your personal data only when we have a lawful reason to do so. GDPR defines several legal bases that permit such processing.
The most relevant legal bases to our activities are the following:
- Consent can be a legal basis if you give it to us for one or more specific purposes (for example, to receive marketing communications). Consent is always voluntary, specific, informed, and based on your active confirmation. It is never part of the text of a contract, and no boxes will be pre-filled for you. You provide consent separately for each purpose and we make sure that the wording of the consent is clear and easy to understand.
- Performance of the contract is a legal basis in cases when we need your personal data to conclude and fulfil a contract with you, or to take steps at your request before its conclusion (e.g. an order placed prior to the conclusion of a purchase contract, enabling the use of Škoda Connect services).
- Compliance with the legal obligation is used as a legal basis when we need your personal data in order to comply with our legal obligations as a controller (for example, coordination of vehicle recall campaigns).
- Legitimate interest is used as a legal basis when the processing of your personal data is necessary for our legitimate interests, provided that these interests are not overridden by your interests or your fundamental rights and freedoms (for example, storage of necessary cookies on our website).
In more limited situations, we may rely on the following legal bases:
- Protection of interests of data subjects is a possible legal basis if the processing is necessary for the protection of your vital interests or those of another person.
- Public interest is a possible legal basis if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
For detailed information on the specific legal bases used in a particular context, please refer to the respective Information on Personal Data Processing.
7. How we obtain your data
We obtain your personal data primarily directly from you — for example when you purchase our products or services, communicate with us, or use customer portals and digital tools. We may also receive personal data from third parties, such as authorised dealers, importers, and service partners who interact with you in connection with our products or services.
In some cases, personal data is generated automatically when you use certain connected vehicle features, online services, or digital applications. Where permitted by law, we may also obtain personal data from publicly available sources or official registers.
8. How we share your personal data
We may share your personal data with third parties (“recipients”) where this is necessary. When doing so, we always ensure that personal data is shared only with recipients who have a justified need to access it, and only to the extent necessary for the relevant purpose. We also ensure that appropriate contractual, technical, and organisational measures are in place to keep your personal data secure.
A processor is a third party that processes personal data on our behalf and strictly in accordance with our instructions — for example, external partners who support us with marketing or technical services. When sharing personal data with processors, we ensure that we share personal data for a specific purpose, transfer only a clearly defined and necessary scope of personal data, and share it in a secured manner. We conclude a written data processing agreement with each processor to ensure that your personal data is handled lawfully, securely, and in accordance with data protection requirements.
The rules used for sharing your personal data with our processors are divided into two basic categories.
The first category includes sharing personal data in the European Union and European Economic Area, where the same data protection standards apply.
The second category includes sharing with recipients located outside the European Economic Area (“third countries”). Such transfers take place only where necessary and only if the recipient ensures an adequate level of data protection. Where no adequacy decision of the European Commission is in place, we rely on appropriate safeguards, such as Standard Contractual Clauses, together with additional technical and organisational measures, to ensure that your personal data remains protected.
9. What measures for personal data protection we use
We take the protection of your personal data seriously and apply appropriate technical and organisational measures to safeguard it against unauthorised access, loss, misuse, or alteration. These measures include, in particular:
- Physical access control – We secure locations where personal data is stored and processed through appropriate physical protection and restrict access only to authorised personnel.
- Access and identity management – Access to systems containing personal data is granted only to authorised users and is protected through authentication mechanisms such as passwords and multi-factor verification.
- Data access control – We implement measures that prevent unauthorised reading, copying, modification, or removal of personal data.
- Protection during transfer – Electronic transfers of personal data are secured to prevent unauthorised access, alteration, or loss.
- Pseudonymisation and minimisation – Where appropriate, we process personal data in a way that reduces direct identifiability, for example by using pseudonymisation techniques.
- Monitoring and regular testing – Our systems, processes and security measures are tested and monitored to ensure ongoing personal data protection.
- Employee awareness and trainings – Employees who are entrusted with handling personal data receive regular training to ensure that data protection and our security requirements are met.
10. What are your rights
You have several rights that allow you to understand and control how your personal data is processed. Below is an overview of these rights together with a practical explanation of what they mean for you.
- Right for the provision of information on personal data processing – You have the right to receive clear information about who processes your personal data, for what purposes, on what legal basis, for how long and to whom your personal data may be disclosed.
- Right to access personal data – You can ask us whether we process your personal data and, if so, you also have a right to ask for a copy of the personal data we hold about you. You may also request information about the purposes of processing, categories of data, recipients, and other relevant details.
- Right to rectification – This right allows you to ask us to update or correct any of your personal data that we process if it is inaccurate or no longer up to date (for example, a change of surname or address).
- Right to erasure – Also called the “right to be forgotten”, this right requires us, as the personal data controller, to erase your personal data in cases when the purpose for which the data were processed no longer applies (e.g. termination of the contract), you withdraw your consent (e.g. withdrawal of the marketing consent), you object to personal data processing and overriding grounds exist, or we are required by law to erase your data.
- Right to object – This right is analogous to the right for withdrawal of the consent and will apply when personal data are processed pursuant to a legitimate interest. If your objection is justified, we will stop processing your personal data. You may also object at any time to the processing of your personal data for direct marketing purposes.
- Right for personal data portability – You may ask us to transfer your personal data to you or to another controller in a structured, commonly used and machine-readable format. You may exercise this right only when the processing is based on consent or a contract and is at the same time automated, i.e. processing carried out solely by technical means based on a pre-determined algorithm and without any human intervention.
- Right not to be subject to a decision based solely on automated processing in automated decision-making – This means that you have the right to request human intervention whenever a decision concerning you is based solely on automated processing of your personal data, without any human involvement.
11. Glossary of terms
Anonymous Data
Personal data that has been irreversibly altered so that an individual can no longer be identified, directly or indirectly. GDPR does not apply to anonymous data.
Automated Decision-Making
A decision made solely by automated means, without any human involvement, which may significantly affect the individual (e.g., automated evaluations or profiling).
Data Breach
A security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Data Protection Officer
A person appointed by an organisation to oversee compliance with data protection laws, provide guidance, and serve as a contact point for supervisory authorities and data subjects.
Data Subject
Living person to whom personal data relate. You are a data subject solely as the natural person; legal regulation regarding personal data protection does not apply to legal persons, cooperatives, associations, etc.
Goods
Physical product that you buy from us, typically a vehicle, but also an application for your mobile phone.
Pseudonymous Data
Personal data that has been processed in a way that makes it impossible to attribute it to a specific individual without using additional information kept separately. Unlike anonymous data, it is still personal data under GDPR.
Purpose
The specific, legitimate reason for which personal data are being processed.
Service
Any of the services that we offer to you, including our products, services offered online and their promotion.
Special Categories of Personal Data
Types of personal data that are particularly sensitive and require strengthened protection (e.g., data revealing health, biometrics, ethnicity, political opinions, or religious beliefs).
Supervisory Authority
An independent public authority responsible for monitoring the application of data protection laws, handling complaints, and enforcing compliance within its jurisdiction.
Third Country
A country outside the European Economic Area where personal data may be transferred, subject to appropriate safeguards.