Personal Data Policy

In accordance with Article 13(1) and (2) of the European Parliament and Council Regulation (EU) 2016/679 of 27 May 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”), the Controller provides the Data Subject, from whom the Controller obtains personal data concerning them, with the following information:

Identity and contact details of the Controller: The Controller is the company: BOASO s.r.o., with registered office at Kapicova 6, 85101 Bratislava, identification number: 46239561, represented by: Ing. Natália Trybulová, managing director, email address: info@myninadesign.com.

These privacy information serve to help you understand our privacy protection practices, including what Personal data we collect, why we collect it, how we handle it, how we protect it, as well as to provide you with information about your personal rights in this context.

Processed personal data The Controller processes the following personal data:

  • Name
  • Surname
  • Email
  • Phone number
  • Address
  • IP address

Identity and contact details of the Controller’s representative:

Not specified

Contact details of the responsible person:

Ing. Natália Trybulová, email address: info@myninadesign.com

The purposes of processing the Personal data of the Data subject are:

Processing and recording of customer orders and their archiving in accordance with applicable legislation and accounting regulations.

Legal basis for processing the Personal data of the Data subject:

The legal basis for processing the Personal data of the Data subject will be, depending on the specific personal data and the purpose of their processing, the consent of the Data subject to the processing of personal data or the legitimate interests of the Controller.

Specification of legitimate interests pursued by the Controller or a third party:

Not applicable.

Recipients or categories of recipients of personal data: Recipients of the Data subject’s personal data may include or at least be (i) statutory bodies or members of the statutory bodies of the Controller, and (ii) employees of the Controller, (i) sales representatives of the Controller, and other individuals collaborating with the Controller in fulfilling the Controller’s tasks. For the purposes of this document, all individuals performing dependent work for the Controller based on an employment contract or agreements for work performed outside an employment relationship will be considered as employees of the Controller.

Recipients of the Data subject’s personal data may also include the collaborators of the Controller, its business partners, suppliers, and contractual partners, especially: an accounting company, a company providing software development and maintenance services to the Controller, a company providing legal services to the Controller, a company or individual providing advisory services to the Controller, as well as the employees of the aforementioned entities.

Tax authorities and other state authorities may also be recipients of personal data in cases prescribed by law.

Information about the intended transfer of personal data to a third country: Not applicable – The Controller does not intend to transfer personal data to a third country.

Retention period of personal data:

Personal data will be retained for the necessary period in accordance with legal regulations for the purposes of:

compliance with a legal obligation that applies to us, determining whether retention is appropriate in light of our legal position (e.g., in relation to applicable restrictions, legal proceedings, or regulatory investigations).

Security of personal data:

To protect Personal Data within our organization, we employ appropriate organizational, technological, and administrative measures. However, no data transmission or storage system can guarantee 100% security. If you have reason to believe that your interaction with us is not secure, please notify us immediately at the email: info@myninadesign.com.


Information about the existence of relevant rights of the Data Subject:

The Data Subject has, among others, the following rights:

a) The right of the data subject according to Article 15 of the Regulation, the content of which is as follows:

The right to obtain from the Controller confirmation as to whether or not personal data concerning the data subject is being processed;

If the data subject’s personal data is being processed, the right to access the processed personal data and the right to obtain the following information:

  • Information on the purposes of the processing;
  • Information on the categories of personal data concerned;
  • Information on the recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly in the case of recipients in third countries or international organizations;
  • Where possible, information on the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • Information on the existence of the right to request from the Controller rectification or erasure of personal data concerning the data subject or restriction of processing and the right to object to such processing;
  • Information on the right to lodge a complaint with a supervisory authority;
  • If the personal data were not collected from the data subject, any available information about their source;
  • Information on the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, in these cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject;
  • The right to be informed about the appropriate safeguards pursuant to Article 46 of the Regulation relating to the transfer of personal data to a third country or an international organization;
  • The right to obtain a copy of the personal data undergoing processing, provided that the right to obtain such a copy must not adversely affect the rights and freedoms of others;

(b) The right of the data subject according to Article 16 of the Regulation, the content of which is as follows:

  • The right to have the Controller rectify inaccurate personal data concerning the data subject without undue delay;
  • The right to have incomplete personal data completed, including by means of providing a supplementary statement by the data subject;

(c) The right of the data subject to erasure of personal data (the so-called “right to be forgotten”) according to Article 17 of the Regulation, the content of which is as follows:

  • The right to obtain from the Controller the erasure of personal data concerning the data subject without undue delay if one of the following grounds applies: 


The personal data is no longer necessary for the purposes for which they were collected or otherwise processed; The data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing of personal data; The data subject objects to the processing of personal data pursuant to Article 21(1) of the Regulation, and there are no overriding legitimate grounds for the processing of personal data, or the data subject objects to the processing of personal data pursuant to Article 21(2) of the Regulation; The personal data have been processed unlawfully; The personal data must be erased to fulfill a legal obligation under the European Union law or the law of a Member State to which the Controller is subject; The personal data were collected in relation to the offer of information society services as referred to in Article 8(1) of the Regulation; The right for the Controller who has made the personal data of the data subject public to take reasonable steps, including technical measures, considering the available technology and the cost of implementation, to inform other controllers processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copies or replications of, those personal data; It is understood that the right to erasure of personal data with the content of the rights under Article 17(1) and (2) of the Regulation [i.e., with the content of the rights under (i) and (ii) of this point c) of this document] shall not arise if the processing of personal data is necessary for:

The right to freedom of expression and information; To fulfill a legal obligation that requires processing under the law of the European Union or the Member State to which the Controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the Controller; For reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) of the Regulation, as well as Article 9(3) of the Regulation; For archival purposes in the public interest, for scientific or historical research purposes, or for statistical purposes in accordance with Article 89(1) of the Regulation, where the right referred to in Article 17(1) of the Regulation is likely to render impossible or seriously impair the achievement of the objectives of such processing of personal data; or To establish, exercise, or defend legal claims; (d) The right of the data subject to the restriction of processing of personal data pursuant to Article 18 of the Regulation, which includes: (i) The right to have the Controller restrict the processing of personal data in the following cases:


The data subject challenges the accuracy of the personal data during a period allowing the Controller to verify the accuracy of the personal data; The processing of personal data is unlawful, but the data subject objects to the erasure of the personal data and instead requests the restriction of their use; The Controller no longer needs the personal data for processing purposes, but the data subject needs them to establish, exercise, or defend legal claims; The data subject has objected to the processing under Article 21(1) of the Regulation, pending verification of whether the legitimate grounds of the Controller override those of the data subject; The right to have the personal data that has been restricted pursuant to point (i) of this letter d) of Section J of this document processed only with the data subject’s consent or for establishing, exercising, or defending legal claims, or protecting the rights of another natural or legal person, or for reasons of important public interest of the European Union or a Member State; The right to be informed in advance about the lifting of the restriction on processing of personal data; (e) The data subject’s right to fulfill the obligation to notify recipients under Article 19 of the Regulation, which includes: The right for the Controller to notify each recipient to whom the personal data have been disclosed of any rectification or erasure of personal data or restriction of processing carried out in accordance with Articles 16, 17(1), and 18 of the Regulation, unless this proves impossible or involves disproportionate effort; The right for the Controller to inform the data subject about these recipients if the data subject requests it; (f) The data subject’s right to data portability under Article 20 of the Regulation, which includes: (i) The right to receive personal data concerning the data subject, which they have provided to the Controller, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller without hindrance from the Controller, where:


The processing is based on the data subject’s consent under Article 6(1)(a) of the Regulation or Article 9(2)(a) of the Regulation, or on a contract under Article 6(1)(b) of the Regulation, and at the same time; The processing is carried out by automated means, and at the same time; The right to receive personal data in a structured, commonly used, and machine-readable format and the right to transmit these data to another controller without hindrance from the Controller shall not adversely affect the rights and freedoms of others; (ii) The right to have personal data transmitted directly from one controller to another controller, where technically feasible.

g) The right of the data subject to object, in accordance with Article 21 of the Regulation, which includes:

  • The right to object at any time, for reasons relating to their particular situation, to the processing of personal data concerning them, which is carried out based on Article 6(1)(e) or (f) of the Regulation, including profiling based on these provisions of the Regulation;
  • In case of the exercise of the right to object, the data controller shall no longer process the personal data of the data subject unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims;
  • The right to object at any time to the processing of personal data concerning the data subject for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

In relation to the use of information society services:

  • The right to exercise the right to object to the processing of personal data using automated means using technical specifications.
  • The right to object, for reasons relating to their particular situation, to the processing of personal data concerning them, if the personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the Regulation, except where the processing is necessary for the performance of a task carried out for reasons of public interest.

h) The right of the data subject related to automated individual decision-making, including profiling, according to Article 22 of the Regulation, which includes:

  • The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, except where the decision is: (a) necessary for entering into, or performance of, a contract between the data subject and the data controller, (b) authorized by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or (c) based on the data subject’s explicit consent.

Note on the right of the data subject to withdraw consent to the processing of personal data: The data subject has the right to withdraw their consent to the processing of personal data at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

The data subject is entitled to withdraw their consent to the processing of personal data at any time – either in whole or in part. Partial withdrawal of consent may concern a specific type of processing operation(s), while the lawfulness of processing personal data for the remaining processing operations remains unaffected. Partial withdrawal of consent may also pertain to specific purposes of processing personal data, while the lawfulness of processing personal data for other purposes remains unaffected.

The right to withdraw consent to the processing of personal data can be exercised by the data subject in written form to the address of the data controller, as recorded in the commercial register at the time of withdrawing consent, or in electronic form through electronic means (by sending an email to the data controller’s email address provided during the identification of the data controller in this document or by completing an electronic form published on the data controller’s website).

Note on the data subject’s right to lodge a complaint with the supervisory authority: The data subject has the right to lodge a complaint with the supervisory authority, particularly in the Member State of their habitual residence, place of work, or the place of the alleged infringement, if they believe that the processing of personal data concerning them is in breach of the Regulation, without prejudice to any other administrative or judicial remedies.

The data subject has the right to be informed by the supervisory authority to which the complaint was lodged about the progress and the outcome of the complaint, including the possibility of seeking a judicial remedy under Article 78 of the Regulation.

The supervisory authority in the Slovak Republic is the Office for Personal Data Protection of the Slovak Republic.

Information about the obligation of the data subject to provide personal data: The data controller informs the data subject that providing their personal data is not a legal or contractual requirement, nor is it a requirement necessary to enter into a contract with the data controller. The data controller informs the data subject that they are not obliged to provide personal data or give consent for its processing. As a consequence of not providing personal data and/or not giving consent for its processing, the data controller will not process the personal data, and these personal data will not be used for the purposes specified in point D. of this document.

Information related to automated decision-making, including profiling: Not applicable. – As the Data Controller does not engage in processing the personal data of the data subject in the form of automated decision-making, including profiling, as described in Article 22(1) and (4) of the Regulation, the Data Controller is not obligated to provide the information as specified in Article 13(2)(f) of the Regulation, i.e., information about automated decision-making, including profiling, the procedures used, as well as the significance and envisaged consequences of such processing of personal data for the data subject.

Finally, we emphasize that we genuinely care about protecting your personal data. You have shown us your trust through your interactions with the website www.myninadesign.com, and we value that trust. This means that we are committed to safeguarding your privacy.

If you have any questions regarding this Privacy Notice or how BOASO, s. r. o. uses your personal data, please contact us at the email: info@myninadesign.com.

Shopping Cart