Dear clients,

in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data (hereinafter the “General Regulation”),
inform you that our healthcare facility IVF Clinic a.s., as a personal data manager (the “administrator”),
processes your personal data, and the rights and obligations associated with them.

Personal data is considered to be all information about an identified or identifiable natural person
(also referred to as the “data subject”); an identifiable natural person is a natural person that
can be identified directly or indirectly, in particular by reference to a particular identifier such
as name, identification number, location data, network identifier or one or more specific elements of
physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.

Scope and purpose of processing personal data

The administrator processes personal data to the extent to which it was provided to it by the data
subject in connection with the conclusion of a health care contract with the administrator or in
connection with the provision of health services in accordance with Act No 372/2011, on health
services and the conditions of their provision (the Health Services Act), its implementing regulations
and other regulations governing the provision of health services. The administrator also processes
personal data that was not provided to it by the data subject, but which it obtains in the provision
of health services, e.g. as results of specific examinations. The administrator processes personal
data in accordance with the valid and generally binding legal regulations of the Czech Republic and
to fulfil its legal obligations.

Your personal data is processed for the following purposes:

• the provision of health services (the fulfilment of legal obligations by the administrator);
• the purpose of negotiating the contractual relationship under consideration (for the purpose of concluding a health care contract);
• the purpose following from the performance of a health care contract between you and the administrator;
• determination, exercise or defence of legal claims;
• to the extent necessary, provision to legal, economic and tax advisors and auditors, for the purpose of providing advisory services to the administrator;

Sources of personal data

The administrator processes personal data it obtains:

• in connection with the provision of health services within the meaning of
  Act No 372/2011 on health services and conditions of their provision, and
  Act No 373/2011 on specific health services;
• directly from data subjects in connection with complaints handling;

Categories of personal data and category of data subjects

The following categories of personal data are subject to processing:

• address and identification data used to identify clearly and unambiguously data subjects, such as name, surname, date of birth, permanent address and others;
• contact details such as contact address, phone number, e-mail address and others;
• other data, such as bank details;
• other data necessary for the performance of a health care contract, in particular data on the health of the data subject.

The data subjects whose data are processed by the data administrator and to whom this information is addressed are:

• client/patient;
• potential client/patient;

Method of processing and protection of personal data

Personal data is processed in particular in the patient’s medical file in full
compliance with applicable laws. Their security and protection is ensured in accordance
with these regulations and in accordance with the General Regulation.

Processing is done manually in paper and electronic form or automated by
computer technology, subject to all security principles for managing and processing personal
data. To this end, technical and organizational measures have been taken by the administrator,
in particular those to prevent unauthorized or accidental access to personal data, alteration,
destruction or loss, unauthorized transmission, unauthorized processing and other misuse of
such personal data. All subjects to whom personal data may be made available respect the rights
of data subjects to privacy protection and are required to comply with applicable data protection laws

Period of processing of personal data

The administrator shall process personal data for the time necessary for the fulfilment
of the given purpose and in accordance with the time limits specified in the relevant
generally binding legal regulations of the Czech Republic for discarding and archiving
of documents, or as long as it needs them for the determination, exercise or defence of legal claims.

Categories of recipients of personal data

The recipients of personal data of data subjects are:

• other health service providers as part of expanding or follow-up health care and providers of selected health services, in particular external laboratories;
• public institutions, especially health insurance companies;
• on the basis of a contract with the administrator, processors to the extent of data needed for the purpose of processing, e.g. companies managing electronic health records systems, data storage and archiving personnel, and others;
• persons providing legal consultancy;
• public authorities in the course of fulfilling the legal obligations laid down by the relevant legislation.

Lessons learned about the data subject’s rights

As a personal data administrator, you are entitled to do the following in our company:

1. request access to personal data processed by the administrator, which means the right to obtain
   from the administrator a confirmation whether the personal data concerning you are processed
   or not and, if so, you have the right to access these personal data and other information referred to in Article 15 of the General Regulation,
2. request the correction of personal data processed for you if they are inaccurate. Taking into account
   the purposes of processing, you may in some cases also request that incomplete personal data be supplemented,
3. request the deletion of personal data in cases covered by Article 17 of the General Regulation,
4. request the restriction of personal data processing in cases covered by Article 18 of the General Regulation,
5. obtain personal data about you that we process in an automated manner to perform a contract concluded
   with you in a structured, commonly used and machine-readable format, and you have the right to require
   the administrator to pass this information to another administrator under the conditions and limits set
   forth in Article 20 of the General Regulation; and
6. you have the right to object to processing within the meaning of Article 21 of the General Regulation on grounds relating to your particular situation.

If we receive your request, we will inform you about the measures taken without undue delay and,
in any case, within one month after the receipt of the request. This time limit can be extended by another two
months if necessary and given the complexity and number of requests. In certain cases laid down in the General
Regulation, our company is not obliged to comply with the request in whole or in part. This will be the case
in particular if the request is clearly unreasonable or disproportionate, in particular because it is repeated.
In such cases, we may (i) impose a reasonable fee, taking into account the administrative costs associated with
providing the requested information or communication or with making the requested actions, or (ii) refuse to comply with the request.

If we receive the above request, but we will have reasonable doubt as to the
identity of the applicant, we may ask him/her to provide the additional information necessary to confirm his/her identity.

In addition, you have the right to contact the Office for Personal Data Protection directly if you believe
that personal data are not processed in accordance with legal regulations, in the place of your habitual residence,
place of employment, or where there was an alleged violation. If, as a result of the processing of your personal data,
you incurred damage other than property damage, a special law applies to the claim.

We also inform you that our company has appointed a Data Protection Officer. Contact details of the Officer: Ing. Anna Mityashina, email: dpo@akdap.cz.

Providing patient’s personal data is a statutory requirement and the patient has an obligation to
provide them as well as a healthcare professional has the right to require them. Failure to provide them may mean
that the administrator will not be able to provide the patient with a healthcare service, thereby damaging the patient’s health or directly endangering his or her life.