Personal data protection

1. The intermediary (hereinafter referred to as the "Provider") processes personal data in accordance with the relevant legal regulations, in particular Regulation (EU) No. 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "GDPR") and Act No. 18/2018 Coll. on the protection of personal data.
2. The processing of personal data of the Operator (hereinafter referred to as the "Client"), its employees, statutory bodies and other persons connected to it, such as name, surname, residential address, e-mail, telephone number, date of birth, is carried out on a legal basis, when the processing of personal data is necessary for the performance of a contract to which the Client is a party, or in order to take measures prior to concluding a contract at the request of the data subject pursuant to Article 6 point 1 letter b) of the GDPR.
3. The Provider undertakes to process personal data for the purpose of bookkeeping, payroll accounting, tax, accounting, related economic consulting, etc. within the scope of the flat rate agreed in the Service Agreement concluded between the contracting parties for the period of validity of this Agreement.
4. The Provider undertakes that personal data will be:
• processed lawfully, fairly and transparently;
• collected and processed to a reasonable extent, limited to what is necessary with regard to the purposes;
• collected only for specific purposes and not processed in a manner that is incompatible with these purposes;
• not provided to third parties beyond the scope necessary for the specified purposes;
• kept correct and, as needed, updated;
• deleted or corrected without delay where they are incorrect in relation to the purposes for which they are processed;
• processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, through appropriate technical and organizational safeguards.
5. The Provider processes personal data on behalf of the Client pursuant to Article 28(3) of Regulation (EU) No. 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and pursuant to Section 34 of Act No. 18/2018 Coll. on the Protection of Personal Data.
6. The Provider processes personal data only on the basis of the Client's documented instructions and in accordance with the service provision contract, including with regard to the transfer of personal data to a third country or international organization, except where required by Union law or the law of a Member State to which the Provider is subject, in which case the Provider shall notify the Client of this legal requirement prior to processing, unless such law prohibits such notification for compelling reasons of public interest.
7. The Provider undertakes to ensure that persons authorised to process personal data undertake to maintain the confidentiality of information or are bound by an appropriate obligation to maintain the confidentiality of information arising from the statute.
8. The Provider is obliged to protect personal data from damage, destruction, loss, unauthorized access, provision or disclosure.
9. The Provider shall implement appropriate technical and organizational measures taking into account the nature, scope, context and purposes of the processing as well as the potential risks in order to ensure an adequate level of security. The measures may include:
• pseudonymization and encryption of personal data;
• encryption of sent payroll files;
• the ongoing confidentiality, integrity and resilience of processing systems and services;
• recoverability and availability of personal data and access to them in the event of a physical or technical incident;
• a process of regular testing, assessment and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing.
10. The Provider shall not engage another Provider (subcontractor) without the prior written consent of the Client. In the event of written consent being granted, the same personal data protection obligations as those established between the Provider and the Client shall be contractually imposed on the other Provider (subcontractor).
11. The Provider processes personal data for the duration of the contract between it and the Client, until the limitation period for exercising rights from the contractual relationship, as well as for the period necessary to comply with the Provider's obligations under the relevant legal regulations.
12. After the termination of the provision of services related to processing, the Provider will delete or return all personal data to the Client and delete existing copies, unless they are necessary for the further performance of the contract or for compliance with a legal obligation.
13. The Provider shall provide the Client with all information to demonstrate compliance with obligations and shall allow audits and inspections carried out by the Client or an auditor appointed by the Client.
14. Taking into account the nature of the processing, the Provider assists the Client with appropriate technical and organizational measures in fulfilling its obligation to respond to requests for the exercise of the rights of the data subject set out in Chapter III of Regulation (EU) No. 2016/679 of the European Parliament and of the Council.
15. The Provider helps the Client to ensure the fulfillment of obligations under Articles 32 to 36 of Regulation No. 2016/679:
• ensuring the security of processing;
• notifying the Personal Data Protection Office and, if applicable, the data subjects of a personal data breach;
• assessment of the impact on personal data protection and consultation with the Office for Personal Data Protection.
16. If the Provider discovers inappropriate instructions or a violation of applicable legislation, it shall immediately inform the Client.
17. The Provider shall immediately inform the Client in the event of a breach of personal data security.
18. In accordance with the provisions of Article 13 of Regulation (EU) No. 2016/679 of the European Parliament and of the Council, the Client is notified of the following information:

• Identification data of the BD Sales Provider:
BD Sales sro, Rustaveliho 4, 831 06 Bratislava, Company ID 53 412 711
• Contact details: bdsales@outlook.sk
• Responsible person: Adam Bališin
• The Provider processes personal data for the following purposes:
– concluding, recording and managing contracts related to the scope of activities of BD Sales, in particular for the purposes of accounting; for the purposes of maintaining labor and payroll records, providing tax and other advice; providing services related to the establishment, changes and liquidation of limited liability companies;
– providing customer services
– statistical processing
– processing requests for information pursuant to the law
– litigation and extrajudicial debt collection
– occupational health and safety protection
• The obtained personal data will be processed to a limited extent by an external company acting as the Provider:
BD Sales sro, Rustaveliho 4, 831 06 Bratislava, Company ID 53 412 711
and contractually secured subcontractors of the Provider's services
• Categories of recipients to whom personal data may be provided:
– IT providers
– lawyers
– experts
– auditors
– Slovak Post Office
– persons authorized to perform activities for BD Sales
• The Client has the right to:
– access to personal data relating to the data subject;
– correction and addition of personal data;
– erasure of personal data concerning him/her, provided that the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
– restriction of processing of personal data;
– data portability, obtaining the data provided;
– object to the processing of personal data;
– filing a complaint with the supervisory authority.
• If the Client/data subject does not provide personal data, it is not possible to conclude a contractual relationship and the subsequent performance of contractual relationships. The data subject is obliged to provide his/her personal data and update it immediately in the event of any change.

19. Client:
• The data subjects are the Clients, their employees, statutory officers and all persons contractually connected with the Client whose personal data is available to the Provider.
• The Client fulfills all information obligations towards the data subject set out in the Regulation and the Personal Data Protection Act.
• The Client, in accordance with the relevant legal regulations, obtains personal data from the data subjects, which he subsequently provides to the Provider.
• The Client shall implement appropriate technical and organizational measures taking into account the nature, scope, context and purposes of the processing, as well as the potential risks, in order to ensure an adequate level of security.
• The Client is entitled to request the Provider to provide the processed personal data.
• The Client is entitled to request from the Provider written documents proving compliance of the processing of personal data with applicable legislation.
20. The data subject has the right to:
• Access to his/her personal data;
• Correction and addition of personal data;
• Erasure of personal data concerning him/her, provided that the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
• Restriction of processing of personal data;
• Data portability, obtaining data provided to the Client/Provider;
• Object to the processing of personal data;
• Filing a complaint with the supervisory authority;
• The data subject has the right to withdraw his/her consent to the processing of personal data, if the processing was based on consent. The lawfulness of processing of personal data based on the consent granted is not affected by its withdrawal.
• If the data subject requests the deletion of personal data, the Client/Provider will delete the data after assessing that the request is justified and that there is no lawful reason for further processing/storage of personal data.
• If the data subject requests restriction of processing of personal data, the Client/Provider will not perform any processing operations, except storage.
The aforementioned rights of the data subject are further specified in Articles 15 to 21 of the GDPR. The data subject exercises the aforementioned rights in accordance with the GDPR and other relevant legal regulations. The data subject may exercise his or her rights against BD Sales by means of a written request or by electronic means. If requested by the data subject, the Provider may also provide information orally, provided that the data subject proves his or her identity in another way.