Information on the processing of personal data

INFORMATION ON THE PROCESSING OF PERSONAL DATA OF CONTACT PERSONS IN SUPPLIER-CUSTOMER RELATIONS

under the Article 13 and 14 of the Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as the ˮGDPRˮ) in connection with § 34 of the Act no. 18/2018 Coll. on Personal Data Protection and on change and supplement of certain acts as amended (hereinafter referred to as the ˮActˮ)

Preliminary provisions

We have prepared this Privacy Policy (hereinafter referred to as the “Policy“) for the purpose of informing you how we process personal data within our companies TPA AUDIT, s.r.o., TPA TAX, s.r.o. and TPA GetFinDone s.r.o., all with registered seat at Námestie Mateja Korvína 1, 811 07 Bratislava, Slovak Republic (hereinafter referred to as the “Controller“).

If you have any questions, you may contact us by email at [Maria.Farkasova@tpa-group.sk] or by post at our registered office address.

The term “Controller” or the pronoun “our”, including all of its respective grammatical forms, as used in these Policy shall be deemed to refer to the term Controller, i.e. our Company.

The term “data subject” or the pronoun “your”, including any of its relevant grammatical forms, as used in these Policy shall be deemed to refer to the term data subject.

For the purposes of these Policy, the terms “data subject“, “processor“, “recipient” and “processing” shall have the meanings ascribed to those terms in the official text of the GDPR..

1. Identity and contact details of the controller:

TPA AUDIT, s.r.o., with registered seat at Námestie Mateja Korvína 1, 811 07 Bratislava, Slovak Republic, ID 36 714 879, registration in OR MS Bratislava III, Section Sro, Insert No. 43738/B;

TPA TAX, s.r.o., with registered seat at Námestie Mateja Korvína 1, 811 07 Bratislava, Slovak Republic, ID 35 685 115, registration in OR MS Bratislava III, Section Sro, Insert No. 169949/B;

TPA GetFinDone s.r.o., with registered seat at Námestie Mateja Korvína 1, 811 07 Bratislava, Slovak Republic, ID 55 155 235, zápis v OR MS Bratislava III, Section Sro, Insert No. 167409/B;

2. Contact details of the person in charge of the data protection agenda:

E-mail: [Maria.Farkasova@tpa-group.sk] Tel. No.: [+421 910 851 139]

3. Purposes, legal bases for the processing of personal data, categories of personal data concerned and type of data subject:

Purpose Legal basis Categories of personal data Type of data subject Duration of processing
The provision of our services, namely:

 

Audit services

Tax consultancy services

Accounting

Article 6(1)(b) GDPR

(performance of contract)

common clients (party to the contract) For the duration of the provision of the services, including the aftercare of the client, including the period for the exercise of claims arising from the relevant contract, but not less than 10 years from the start of the contract and not more than 10 years from the termination of the contractual relationship, unless otherwise provided for in a specific regulation
Securing our business activities (providing our operational needs, providing training, performance appraisals, organising events for employees, etc.) Article 6(1)(f) GDPR

(legitimate interests)

common authorised persons for the duration of the employment or other similar relationship
Ensuring and controlling the proper performance of all your and our duties (internal control and record-keeping, in particular record-keeping of assigned work aids, record-keeping of payments made, record-keeping of services rendered, record-keeping and shift planning, control of compliance with work and other legal or contractual obligations, etc.) Article 6(1)(f) GDPR

(legitimate interests)

common, special clients, business partners, other contracting parties for the duration of the contractual relationship
Protecting our legal claims (so that we can defend our own legal claims or defend ourselves against claims made against us by others in judicial, extrajudicial or enforcement proceedings) Article 6(1)(f) GDPR

(legitimate interests)

common, special clients, business partners, other contracting parties one year after the expiry of the relevant limitation or prescription period in the event of a possible legal claim against our company at the end of the limitation or prescription period
Ensuring security and asset protection (physical and IT security, asset protection) Article 6(1)(f) GDPR

(legitimate interests)

common persons with access to the premises or infrastructure of the controller 10 years (in the case of identification of intentional conduct and the occurrence of damage, where the limitation period is 10 years)
Promotion and brand strengthening

for business partners: Article 6(1)(f) GDPR (legitimate interest)

for potential business partners: Article 6(1)(a) GDPR (consent)

common clients, potential clients, business partners for business partners: for the duration of the contractual or other similar relationship

for potential business partners: 3 years

Accounting and tax purposes Article 6(1)(c) GDPR GDPR

(legal obligation)

common, special clients, potential clients, business partners for the period resulting from generally binding legal regulations

4. Recipients or categories of recipients of personal data:

We only disclose your personal data in justified cases and to the extent necessary to the following recipients:

  • employees and persons carrying out work on the basis of agreements outside the employment relationship;
  • contractors and service providers (including self-employed persons (persons providing services to or for the controller to its customers);
  • service providers (e.g. Google, Microsoft, Zoom, LinkedIn);
  • the administrator of our website and IT infrastructure;
  • the provider of insurance services;
  • telecommunications service provider;
  • legal service providers;
  • a provider of postal and courier services;
  • public authorities, law enforcement authorities and courts;
  • counterparties and other parties to the proceedings.

5. Information that the controller intends to transfer the personal data to a third country or an international organisation:

Please note that your personal data is not primarily transferred to third countries, such transfers may only occur when using cookies, software and other solutions from providers located outside the European Economic Area (e.g. Google, Microsoft, etc.).

On 10 July 2023, the European Commission confirmed the Data Privacy Framework (DPF) on the transfer of personal data between the EU and the US by adopting an adequacy decision. Companies that register under the DPF are deemed to be secure recipients of personal data, guaranteeing an adequate level of protection under the provisions of Article 45 of the GDPR. Thus, transfers of personal data to such companies no longer require a transfer impact assessment (TIA), local assessments (LLA) or contractual clauses.

For more information on the European Commission’s decision, see HERE.

Standard contractual clauses for the transfer of personal data to third countries were adopted by decision of the European Commission on 04.06.2021 with effect from 27.06.2021. More info: Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

6. Retention period of personal data (criteria for determining it):

We retain personal data for no longer than is necessary for the purposes for which the personal data is processed.

Please note that we have endeavoured to set out all relevant and appropriate retention periods for your personal data in the tabular section above in this Policy.

The following is only a demonstrative list of the possible retention periods of your personal data by our company:

  • for the duration of the employment or other similar relationship with the data subject;
  • for the period necessary for the exercise of rights and obligations arising from the employment or other similar relationship or arising from another contractual relationship with the data subject;
  • for as long as the limitation or prescription periods in relation to claims arising out of or in connection with the employment relationship or other similar relationship or arising out of another contractual relationship with the person concerned expire, and one year after the expiry of the relevant limitation or prescription period in the event of a possible legal claim against our company at the end of the limitation or prescription period;
  • for the duration of judicial, administrative or other proceedings to the extent necessary for the duration of such proceedings and the remaining part of the limitation or prescription period after their conclusion;
  • for the purposes where we process personal data as part of the performance of our legal obligations, for the period of time required by the applicable law;
  • for purposes where we are processing personal data on the legal basis of your consent, until such time as you withdraw your consent to the processing of your personal data, or for such time as is implied by the consent itself and of which the data subject was informed prior to giving consent;

7. Identification of the rights of the data subject:

a) the right to object to the processing of personal data of the data subject,

in particular, to object to processing carried out on the legal basis of Article 6(1)(f) GDPR (legitimate interests); in such a case, we will not further process your personal data for that purpose unless we have compelling legitimate grounds for continuing such processing;

b) the right of access to personal data relating to the data subject

you may ask us for access to the personal data we process about you; if your request is granted, we will provide you with a copy of the personal data we process about you;

c) the right to rectification of personal data of the data subject

you may ask us to correct inaccurate or incomplete personal data we process about you;

d) the right to erasure of personal data of the data subject

you may ask us to erase your personal data if any of the following situations occur:

  • personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • you have previously provided us with consent to the processing, which you withdraw, and we are not entitled to process that personal data without your consent;
  • you object to processing carried out in specific situations under the GDPR (a task carried out in the public interest, a legitimate interest of the controller or profiling) and no legitimate grounds for the processing outweigh your interests, rights and freedoms as a data subject;
  • you object to processing for direct marketing purposes;
  • personal data have been unlawfully processed;
  • personal data must be erased in order to comply with a legal obligation under European Union law or the law of a Member State to which the controller is subject;
  • personal data has been collected in connection with the offering of information society services under the GDPR;

e) the right to restrict the processing of personal data of the data subject

You may ask us to restrict the processing of your personal data if any of the following situations occur:

  • you have denied the accuracy of the personal data, for the time necessary for us to verify the accuracy of the personal data;
  • the processing of your personal data is unlawful, but you refuse to erase this data and instead request that we restrict its use;
  • we no longer need the personal data for the purposes of the processing, but you need it to establish, exercise or defend legal claims;
  • you have objected to the processing of your personal data in specific situations under the GDPR (a task carried out in the public interest, a legitimate interest of the controller or profiling) until it is verified that our legitimate grounds outweigh your legitimate grounds;

f) the right to portability of personal data of the data subject

If we process your personal data on the basis of:

  • your consent or
  • it is necessary for the performance of a contract to which you are a party and at the same time it is processed by automated means,

you have the right to request the transfer of your personal data to another controller. This applies if you have provided us with personal data in a structured, commonly used and machine-readable format and the rights and freedoms of others are not adversely affected by this right;

g) the right to lodge a complaint (petition to initiate proceedings) with the Office for Personal Data Protection, Hraničná 12, 820 07 Bratislava 27, Slovak Republic; http://www.uoou.sk;

8. Existence of the data subject’s right to withdraw consent to the processing of personal data at any time:

If you, as the data subject, have given us your consent to the processing of your personal data, you have the right to withdraw your consent to the processing of your personal data at any time, in writing to the address of our registered office or by e-mail to the e-mail address [Maria.Farkasova@tpa-group.sk] (unless another method of withdrawal of consent results from another agreement or declaration of the data subject). Withdrawal of consent does not affect the lawfulness of the processing prior to withdrawal of consent.

9. Information about whether the provision of personal data is a legal or contractual requirement or a requirement that is necessary for the conclusion of a contract (including whether the data subject is obliged to provide the personal data and the possible consequences of not providing the personal data):

  • in the case of processing of personal data on the legal basis of Article 6(1)(b) GDPR (performance of a contract), the provision of personal data and their processing by the controller is necessary for the performance of the contract (if the data subject did not provide the personal data, the controller would not be able to perform the contract);

 

  • in the case of processing of personal data on the legal basis pursuant to Article 6(1)(c) of the GDPR (performance of a legal obligation), the processing of personal data about you by the controller is necessary for the performance of the controller’s legal obligation under generally applicable law;

 

  • in the case of processing of personal data on a legal basis pursuant to Article 6(1)(f) GDPR (legitimate interests), you are not obliged to provide your personal data and you are entitled to object to the processing of your personal data (in the event that you exercise your right to object to the processing of your personal data, we will no longer process your personal data in such case unless we have compelling legitimate grounds for continuing such processing);

 

  • in the case of processing of personal data on a legal basis pursuant to Article 6(1)(a) of the GDPR (consent), you are not obliged to provide your personal data and, if you have given consent to the processing of your personal data, you are entitled to withdraw your consent at any time;

10. From what sources do we obtain personal data?

In most cases, we obtain personal data directly from the data subjects by providing it to us (e.g. in contract documentation, by sending a CV, e-mail message, etc.). This does not exclude that we also learn about the personal data of data subjects in other ways, e.g. by providing them from the client, obtaining them from publicly available sources (registers), etc.

11. Information about the existence of automated individual decision-making, including profiling:

The controller does not carry out automated individual decision-making, including profiling.

12. Use of cookies:

Cookies and similar technologies collect and store information as you browse our website. They are small text files that can be used for a variety of purposes. If you visit our website, a drop-down box called “This website uses cookies” will appear at the top of your screen to tell you what cookies we use and for what purpose. Unless they are “Necessary” cookies, their use is only possible with your consent. You have the option to refuse cookies, allow a selection or allow all cookies. We regularly update information about what cookies we use so that you always have accurate and up-to-date information.

This information on the processing of personal data is updated regularly. Last update: [31.1.2023].

 

TPA-Poučenie-EN