Privacy Policy

Privacy Policy concerning the processing of personal data
pursuant to Act. No. 18/2018 Z.z. Personal Data Protection 
in connection with the articles 13-14 of (EU) Regulation 2016/679

Controller´ s contact details:


Mlynské luhy 76 / A

821 05 Bratislava

ID No: 31368891

VAT ID: SK2020353225


(hereinafter referred to as the,,Controller“)

The processing of personal data is carried out accordance with Regulation of the European Parliament and of the Council of EU 2016/679- on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “Regulation of GDPR”) and  in accordance with Act. No. 18/2018 Z. z. Personal Data Protection (hereinafter referred to as the “Act”).

  1. Terms

Controller: Business company BAULI SLOVAKIA & CZECH REPUBLIC s.r.o., which alone or jointly with others determines the purpose and means of and realizes the processing of Personal data. The Controller is responsible for proper and lawful processing of the personal data.

Cookies:  Short text files that web or mobile browser of data subject saves. Most cookies have a unique identifier, Cookie ID. This is a string of characters assigned by the website and servers to the browser that saved the cookie. This allows websites and servers to distinguish and identify individual browsers. Cookies are used to improve the operation of websites, evaluate their traffic, and to better target marketing activities. Cookies files do not include any Personal Data and any personal information. 

Data subject:     Any natural person whose personal data are processed by the Controller.

Personal data:  Any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For the purposes of processing personal data by the Controller, there are personal data provided by a natural person (Data subject) for the defined purposes listed in point 4 of this document.

Processing of Personal Data: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor: The entity, which processes personal data on behalf of the Controller.

Purchase contract: Contract in which Data subject is a goods Buyer and Controller is a goods Seller. In connection with herein mentioned goods, it means any products offered by Controller through a Website.

Purpose of Personal data processing: The reason why Personal data are processed. In this Policy, the purposes are described and identified in hereinbelow Provision No. 4

Recipients: The entities, to which the personal data are disclosed but they do not process Personal data on behalf of Controller and they are not allowed to process Personal data without any further agreements of Data subject.

Third countries: States outside the European Economic Area, which mainly include European Union Member States and Iceland, Liechtenstein and Norway.

Website: Official websites available at,

through which Data subject can find and buy Controllers products within the territory of Slovak Republic and Czech Republic. 

    2. Defined categories of Personal data

The Controller and the Processor process the following Personal data and/or categories of Personal data, based on their respective legal title and purpose of processing (purchase agreement and/or direct marketing):

  1. identification and address data: eg name, surname, delivery or other contact address;
  2. electronic contact details: eg. phone number, email address;
  3. other electronic data: IP address, cookies;
  4. other Personal data related to the contractual relationship: bank account number, order history;

    3. What is the origin of Personal data?

The Controller processes Personal data, provided by Data subject for example when ordering goods, registering a user account, communicating with the Controller or subscribing to newsletters. 

The basic Data are the following:

  • identification and address data;
  • electronic contact details;
  • other Personal data related to the contractual relationship;

In all the above cases, the Personal data will be provided by a Data subject directly and intently. The Controller also obtains other further data, which are obtained by the Controller automatically on the basis of browsing the Website by the Data subject and/or other customers. 

Provided or visible Personal data from which we clearly identify a Data  subject should be distinguished electronic data e.g. IP address, search queries and http code or https response code, cookie files do not contain basic personal data of the Data subject, but through these electronic data it is possible to identify the user – natural person of concrete IP address.  These electronic data may leave traces which, in particular in combination with unique identifiers or other information, may be used to profile the natural person concerned and to identify him or her.

    4. Purposes of Personal data determines by Controller

Your Personal data may be processed only for the following purposes:

4.1.Performance of a Purchase contract

Performance of a purchase contract to which the Data subject is a party or in order to take steps at the request of the data subject before entering into a contract. These purposes also include:

  • Customers account management,
  • Customers Management (e.g. communication with customers, customers satisfaction survey, publish reviews, arrangement and settlement of suggestions, complaints and claims of the customers, etc.)
  • Accounting and tax purposes.

Processing shall be lawful for the purpose of performance of a Purchase contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract.

In connection with this purpose, the Controller states the following. When the Data subject uses the e-shop purchase service of the Controller and orders some goods, Data subject - in the position of the buyer - provides his name and surname, residential address or other delivery address including postal code, telephone number, e-mail address to the Controller in the position of the seller. The bank account number will be provided by Data subject when making a purchase through a payment gateway. Data subject provides Personal data voluntarily and freely. Without the Personal data of the Data subject, it is not possible to conclude a Purchase Contract and fulfill the all legal obligations contained and estimated in the Purchase Contract. The purpose of processing Personal data is to issue a tax document, pre-contractual relations, identification of the Data subject, order confirmation (by phone or email), delivery of goods, registration in the online e-shop on the Website. Data subject is obliged to provide correct and true Personal data voluntarily.

The legal basis for the processing of Personal data is the performance of the Purchase Contract.

4.2.Marketing and advertising activities, which also include:

  • Sending newsletters and offering our goods, products or services,
  • Direct marketing and creation of personalized content and advertising,
  • Improving the quality of our products and services, analysing the traffic to Website and your behaviour on the Website.

The Controller processes the Personal data of the Data subjects for the purposes of discount programs, receiving the newsletter, which is considered as direct marketing and also for the purposes of public opinion survey but only after a clear and voluntary consent of Data subject in accordance with § 13 para. 1, par. a) of the Act and Art. 6 of the Regulation of GDPR. The Data subject shall give his consent or dissent to the processing of Personal data by ticking the appropriate option on the Website and/or during the registration or during the ordering the goods on Website or by any other appropriate means. In the case that Data subject does not tick the consent spot, the Controller is not authorized to process Personal data for marketing purpose or public opinion survey. The Data subject is entitled to revoke this consent any time after that consent to the processing of Personal data for marketing or public opinion survey has been granted. The Controller shall immediately ensure that Personal data of the Data subject are not further processed for that purposes. The Personal data provided so far will be deleted from the marketing database and from the research of public opinion database according to Data subject’s right to be forgotten. The legal basis for the processing of Personal data is consent.

4.3.Cookies file:

Thanks to cookies, the website keeps information about your steps and preferences (such as login name, language, font size and other display settings) for a certain period of time, so you do not have to re-enter them the next time you visit the site or browse its individual pages and therefore your site visit. it will be easier and more efficient.

Processed cookies can be divided according to validity to:

  • temporary cookies (session cookies) that remain stored in Data subject‘s browser until he/she close your browser,
  • persistent cookies that remain stored in your browser for a long time until they expire or until Data subject manually delete them (the time it takes to store cookies in your browser depends on the settings of the cookie itself and your browser settings). They help the Website remember your page settings as well as how you customized the page. They allow us to collect and process anonymous aggregate information for statistical analysis, which helps us understand how users use our website and its individual elements. We can use this data to subsequently improve the structure of the website.

And by function on:

  • essential, which are essential for the functionality of the Website,
  • preferential, which allows our Websites to remember information that changes how the Website behaves (e.g. your preferred language or region where you are), these cookies are not necessary for the functioning of the Controller’s Website, but increase functionality and the practicality of using them,
  • analytics that helps us analyse the experience of Data subject on Website of the Controller (called „User Experience”) to understand how Data subject uses the website of the Controller.

Controller does not use third-party cookies that track multiple websites to provide Data subject with personalized content and advertising on third-party websites.

The Controller needs clear and voluntary consent of Data subject in accordance with § 13 para. 1, par. a) of the Act and Art. 6 of the Regulation of GDPR. All about the cookies and Cookie policy is placed on Website. 

    5. How long have Personal data been processed?

Personal data of the Data subject are processed:

  • for the period of time necessary to exercise the rights and obligations arising from the contractual relationship between the Data subject and the Controller and to assert claims arising from these contractual relations (for the purposes of the claiming any damages and other claims for a max of three (3) years);
  • for the period of time necessary to fulfill the legal obligations of the Controller (accounting documents for a max of five (5) years, tax documents for a max of 10 years) ;
  • for the period of time of the legitimate interest of the Controller (sending newsletters provided that the consent has been given by Data subject (for max of two (2) years from the receiving the newsletter);

The Controller is obliged to fulfil all his legal obligation and process Personal data only during a reasonable time.

    6. To whom are Personal data disclosed?

The following categories of the Controller´s  partners (Processors and/or Recipients) may have access to Personal data of the Data subject and can be divided into the following groups:

  • Goods transport providers – Processors with a valid business contract with the Controller
  • Providers of accounting and tax advice - Processors with a valid business contract with the Controller
  • IT and hosting providers (cloud computing) -  Processors with a valid business contract with the Controller
  • Providers of security and integrity of our services and websites - Recipients.
  • Analytical service providers - Processors with a valid business contract with the Controller
  • Payment gateway providers (payment card providers) – Recipients.
  • Legal service providers, attorneys – Processors with a valid contract

Controller enters into a contract with Processors with carefulness. During the pre-contractual negotiations with Processor, the Controller shall ensure its professional, technical, organizational and personnel competence and its ability to guarantee the security of the processed Personal data and to protect the rights of the Data subjects. 

    7. Are Personal data transferred outside the EU?

The controller will provide Personal data within the European Union, if necessary, as the transfer of Personal data to EU Member States is fully guaranteed by the Act and the Regulation of GDPR without any restrictions. During this period of time (pursuant to point 5 of this document of Privacy Policy), the Controller provides Personal data only within the Slovak and Czech territory. The Controller does not transfer the Personal data of the Data subject outside the European Union and the European Economic Area.

    8. How are Personal data processed?

Personal data is processed manually and automatically. The Controller records of all processing activities in accordance with Act.

Data subject is not subject to any decision based solely on automated processing, including profiling, that would have legal effects or be of significant concern to Data subject. The Controller does not create profiles from Personal data of the Data subject to analyse or predict preferences, interests, economic situation, reliability, location or movement of the Data subject.  

    9. Fundamental Rights of Data subject:

1. Right of access to Personal data:

The Data subject is entitled to be informed prior to the processing of Personal data as well as any time during the processing of his / her Personal data whether his / her Personal data is processed, if so, the extent and categories of his/her Personal data, the purpose of the processing, identification of the recipient, processing time as well as other rights, such as mentioned below (such as the right to erasure and liquidate, the right to rectification). The Data subject is entitled to request a confirmation of the above-mentioned fact. The first confirmation is not charged and it will be provided to the Data subject in the manner and form according to his/her requirements. Any further confirmation will be for a fee of 5 Euros. The confirmation will be provided to the Controller only if it does not have unfavourable consequences for the rights of other natural persons.

2. Right to information of the Data subject, if this person had not provided Personal data:

The Data subject has the right to be informed before the processing of Personal data by the Controller if he has not obtained the Personal data directly from the Data subject, about the Controller as a person, scope and categories of his/her Personal data, the purpose of processing, identification of the recipient, identification of the source from which he had received the Personal data of the affected person, the period of their storage as well as other rights, such as those listed below (right to erasure and liquidation, right to rectification). Information will be provided within one month from the receipt of personal data at the latest or during the first communication with the Data subject if Personal data could be used to communicate with this person. If the Controller intends to use Personal data for purposes other than they had been obtained for, he is obliged to inform the Data subject about it and to ask him/her for consent with this new purpose of the processing of his/ her Personal data.

3. Right to rectification:

The Controller shall, without undue delay, rectify and / or modify incorrect Personal data of the Data subject or add any incomplete Personal data. The data subject has the right and the possibility to update or request to correct his/her Personal data directly in the online mode on the Controller 's Website after logging into the Data subject's account.

4. Right to erasure:

The Data subject is entitled that the Controller erases his/her Personal data without undue delay. The Controller has to ensure the erasure of Personal Data if

- Personal data is no longer needed for the purpose for which they had been acquired or processed

- Data subject revokes the consent given to the Controller

- Data subject objects to processing and Controller does not have any other legitimate reason to process the personal data

- Personal data are processed illegally.

This does not apply if the processing of Personal data is necessary for the exercise of a legal right of the Controller.

5. Right to restrict the processing:

The Data subject has the right to ask the Controller to restrict the processing of Personal data if:

- Data subject complains about the correctness of the Personal data during the period that allows the Controller to verify the accuracy of the personal data,

- The processing of Personal data is illegal and the Data subject objects to the erasure of Personal data and asks, instead, to limit their use,

- The Controller no longer requires Personal data in order to process them but the Data subject needs them in order to exercise a legal claim, or

- Data subject objects to the processing of Personal data in accordance with, up until the verification whether legitimate reasons on the part of the Controller surpass the legitimate reasons of the affected person.

If there is a restriction, with the exception of storing, the Controller may process Personal data only with the consent of the Data subject or to exercise a legal claim. The Controller must inform the Data subject that the restriction to the Personal data processing has been cancelled.

6. Right to object to the processing:

The Data subject has the right to object to the processing of his or her Personal data due to his / her particular situation if he/she is not certain of the lawfulness of processing under § 13, section 1, letter f) (relating to the Controller's legitimate interests), including profiling based on that provision. The Controller must not further process Personal data unless he demonstrates the necessary legitimate interests in the processing of Personal data that outweigh the rights or interests of the Data subject or the grounds for exercising a legal claim.

The Data subject has the right to object to the processing of Personal data relating to him/her for a direct marketing purpose, including profiling to the extent it relates to direct marketing. If the Data subject objects to the processing of Personal data for direct marketing purposes, the Controller may not process Personal data for these purposes.

7.The right of the Data subject to file a motion to initiate proceedings under § 100 of Act No. 18/2018 Coll. on Personal Data Protection

The Data subject has the right to file a motion to initiate a procedure to verify whether his/her Personal data are being processed legally and safely. The proceedings shall be initiated upon a proposal from the Data subject or a person claiming to be directly affected in terms of his/her rights.

The Controller shall notify the Data subject of his/her rights at the first contact with him/her and, if the Controller has obtained his/her Personal data from a third party, the Controller shall promptly notify him/her of this, request his/her consent and inform him/her.

If the Controller processes the Personal data of the Data subject on the basis of the provided consent, the Data subject has the right to withdraw such consent at any time.

The Data subject has the right to file a complaint with the supervisory authority in Slovak republic, which is the Office for Personal Data Protection, with registered address Hraničná street No. 4826/12, Bratislava, postal code: 820 07, Slovak republic, telephone number: 00421 323 132 14, web:

    10. Conclusion

Legislation, as well as our business strategy and related ways of processing your Personal data, may change. If we choose to update this privacy policy, we will post changes to our website and inform you of these changes. The Controller declares that processing of Personal data undertake in accordance with the Act and Regulations of GDPR and under the good manners and will act in a manner that does not contradict the Act or other generally binding legal regulations.