DATA MANAGEMENT POLICY ANNOUNCEMENT RELATED TO RIGHTS OF INDIVIDUALS REGARDING MANAGEMENT OF THEIR PERSONAL DATA
CONTENTS
INTRODUCTION
CHAPTER I – DATA CONTROLLER
CHAPTER II – DATA PROCESSORS
- IT service provider of our Company
- Ticket system programmer of our Company
CHAPTER III – ENSURING DATA MANAGEMENT COMPLIANCE WITH LAWS
- Data management based on consent from the data subjects
- Data management based on fulfilling legal obligations
- Promotion of rights of the data subjects
CHAPTER IV – MANAGEMENT OF VISITORS' DATA ON COMPANY'S WEBSITE – COOKIE USAGE NOTICE
CHAPTER V – NOTICE OF RIGHTS OF DATA SUBJECTS
INTRODUCTION
Under Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: Regulation) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC, the Data Controller must take appropriate measures to ensure that the individuals whose data are collected receive all necessary information about the management of their personal data in a concise, clear, transparent, understandable and easily accessible form, and to provide the conditions for those individuals to exercise their rights.
The obligation to inform individuals in advance about the right to informational self-determination and freedom of information is also prescribed by Law CXII of 2011.
In the following text, we fulfill our obligations as mandated by the aforementioned laws and regulations.
The notice should be prominently displayed on the company's website or sent to the individual whose data is collected upon their request.
CHAPTER I
DATA CONTROLLER
The issuer of this notice, also the Data Controller:
Company Name: SAMOSTALNA ZANATSKA RADNJA DOBES NENAD MARJANOVIĆ PR, ČAČAK
Headquarters: Čačak
Company Registration Number: 56344128
Tax Identification Number: 103254331
Representative: Nenad Marjanović
Phone Number: +381 63 512 543
Phone Number: +381 32 333 093
Email Address: dobes@ptt.rs
Website: alatnica-dobes.mysellvio.com
(hereinafter: Company)
CHAPTER II
DATA PROCESSORS
Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller (Regulation, Article 4(8)).
The use of data processors is not contingent upon prior consent from individuals, but it is necessary that individuals be informed. In accordance with these regulations, the following notice is provided:
- IT service provider of the Company
The Company uses a data processor to maintain and operate its website and to provide IT services (hosting); within these services, and in accordance with the contract between the two parties, the processor processes the personal data left on the website by storing them on a server.
Name and data of the data processor:
Company Name: ErdSoft doo
Headquarters: 24000 Subotica, Somborski put 33a, Serbia
Company Registration Number: 21354619
Tax Identification Number: 110478829
Representative: Daniel Erdudac
Phone Number: +381 60 44 60 555
Fax: none
Email Address: daniel.erdudac@erdsoft.com
Website: erdsoft.com
CHAPTER III
ENSURING DATA MANAGEMENT COMPLIANCE WITH LAWS
- Data management based on consent from the data subjects
(1) If the Company wishes to manage data based on consent, it is necessary to request consent for the processing of personal data of individuals through a form whose content is specified in the data management policy.
(2) Consent is also deemed to be given if the user checks the box related to consenting to data processing on the Company's website, performs related technical settings related to the use of information society services, or any other statement or action clearly indicating consent to the planned management of their personal data. Silence, pre-checked boxes, or failure to take any action shall not constitute consent.
(3) Consent extends to all actions related to data management carried out for the same purpose or purposes. If data management serves multiple different purposes, consent must be obtained for all purposes related to data management.
(4) If an individual provides consent as part of a written statement that also pertains to other purposes - e.g., sales, service contract conclusion - consent must be requested in a manner that is clear, simply expressed, understandable, accessible, and clearly distinguishable from other purposes. Parts of such statements that contain consent from individuals that do not comply with the Regulation are not enforceable.
(5) The Company cannot condition the conclusion or performance of a contract on consent to manage personal data that is not necessary for the performance of the contract.
(6) Withdrawal of consent must be as simple as giving consent.
(7) If personal data are recorded with the consent of the individual, the data controller may, unless the law provides otherwise, continue to use the recorded data for the purpose of fulfilling a legal obligation, without the individual's separate consent and even after the individual has withdrawn consent.
(8) The website does not intentionally collect data from minors (under 16 years of age). If data of a minor are retained, upon becoming aware of this fact, the data of the minor are promptly deleted.
- Data management based on fulfilling legal obligations
(1) In the case of data management based on fulfilling legal obligations, the scope of data, the purpose of data management, the retention period of data, and the data recipients are determined by the regulations of the law.
(2) Data management based on fulfilling legal obligations does not depend on the consent of individuals, because the data management is prescribed by law. In this case, individuals must be informed before data collection that the collection is mandatory, and they must be informed clearly and in detail about all facts related to the management of their data, in particular the purpose and legal basis of the processing, the rights of the data controller, the duration of data management, the fact that personal data are managed in accordance with legal provisions, and who may access the data. The notice must also cover the rights of individuals and the ways in which they can exercise their rights regarding the management of their personal data. In the case of mandatory data management, the notice may also take the form of publishing a reference to the legal provisions that contain the above-mentioned information.
- Promotion of rights of the data subjects
The Company is obliged to ensure that individuals can exercise their rights in all activities related to data management.
CHAPTER IV
MANAGEMENT OF VISITORS' DATA ON COMPANY'S WEBSITE – COOKIE USAGE NOTICE
- Visitors to the website must be informed about the use of cookies, and except for technically necessary session cookies, the consent of visitors must be obtained.
- General information about cookies
2.1. A cookie is data that a visited website sends to the visitor's browser (in the form of a variable with a value) for storage; later, the same website may read or update the content of the cookie. Cookies can be valid (active) only until the browser is closed, but also for an unlimited period of time. With each subsequent HTTP(S) request, the browser sends this information back to the server; in this way data stored on the user's device are modified.
2.2. The essence of cookies is to identify and recognize the user (e.g., their entry to the website), and in all subsequent cases, treat the user accordingly. The risk lies in the fact that the user is not always aware that cookies identify them, which allows tracking by the website owner or another provider whose content is embedded in the website (e.g., Facebook, Google Analytics). During tracking, a profile is created about the user, and in these cases, the content of cookies is treated as personal data.
2.3. Types of cookies:
2.3.1. Technically necessary session cookies: Without them, websites simply do not function; they are used to identify users when they enter the website, what they put in the cart, etc. In this case, usually only the session ID is stored in the cookie, while the other data are stored on the server, which makes them more secure. From a security perspective, if the value of the session cookie is not generated properly, there is a risk of session hijacking, so these values must be generated correctly. In other terminology, every cookie that is deleted when the browser is closed is called a session cookie (the session being the use of the browser from start to exit).
2.3.2. Facilitating use cookies: These cookies remember user choices – e.g., in what form they want to view the page. These cookies essentially indicate setting data stored in cookies.
2.3.3. Performance cookies: Although not directly related to "performance," this is the name for cookies that collect information about user behavior, clicks, and time spent on the page they visit. These are usually applications from independent manufacturers (such as Google Analytics, AdWords or Yandex.ru cookies). They are suitable for profiling visitors.
Learn more about Google Analytics cookies here: Analytics-cookies
Learn more about Google AdWords cookies here: Google support
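Point 2.3.1 says that a session cookie's value must be generated correctly, and 3.2.1 says these cookies must disappear when the browser is closed. The following added example (not code from the Company or its hosting provider) shows what those two requirements look like in practice: a session ID drawn from the operating system's cryptographic random source, a Set-Cookie header with no expiry and with the HttpOnly, Secure and SameSite attributes, and an audit function that flags a header which fails either requirement. The cookie name `sessionid`, the attribute set, the minimum token length and the sample weak header are all assumptions made for the example.

```python
import secrets

# Assumed cookie name; the page does not name the Company's session cookie.
SESSION_COOKIE_NAME = "sessionid"
# Assumed minimum: 16 bytes (128 bits) of CSPRNG output encodes to 22 urlsafe-base64 characters.
MIN_TOKEN_CHARS = 22


def new_session_id(nbytes: int = 32) -> str:
    """Return an unpredictable session ID drawn from the OS CSPRNG.

    secrets.token_urlsafe() is what makes the value hard to guess; a counter,
    a timestamp or random.random() would be predictable and enable hijacking.
    """
    return secrets.token_urlsafe(nbytes)


def session_set_cookie(session_id: str, secure: bool = True) -> str:
    """Build the Set-Cookie header for a technically necessary session cookie.

    No Expires/Max-Age is set, so the browser discards the cookie when it is
    closed, which is what makes it a session cookie in the sense of 2.3.1.
    HttpOnly keeps page scripts from reading it, Secure keeps it off plaintext
    HTTP, and SameSite=Lax stops most cross-site requests from carrying it.
    """
    parts = [f"{SESSION_COOKIE_NAME}={session_id}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def audit_session_cookie(set_cookie_header: str) -> list[str]:
    """Return finding codes for a Set-Cookie header; an empty list means it passed."""
    findings = []
    segments = [s.strip() for s in set_cookie_header.split(";")]
    _name, _, value = segments[0].partition("=")
    attrs = {}
    for seg in segments[1:]:
        key, _, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip()

    # Value checks: a numeric or very short value cannot be an unguessable token.
    if value.isdigit():
        findings.append("predictable-value")
    if len(value) < MIN_TOKEN_CHARS:
        findings.append("short-value")
    # Attribute checks.
    if "httponly" not in attrs:
        findings.append("missing-httponly")
    if "secure" not in attrs:
        findings.append("missing-secure")
    if "samesite" not in attrs:
        findings.append("missing-samesite")
    # A session cookie must not persist past browser close.
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent-cookie")
    return findings


if __name__ == "__main__":
    # Constructed sample: a sequential numeric session ID with no protective attributes.
    weak_header = "sessionid=1001; Path=/"
    print("weak  :", weak_header, "->", audit_session_cookie(weak_header))
    good_header = session_set_cookie(new_session_id())
    print("good  :", good_header, "->", audit_session_cookie(good_header))
```

The audit function is deliberately simple: it reasons only about what is visible in the header (value shape and attributes), so it can be run against responses captured from any site without access to server code. A value that passes the length check is not proof of randomness; that is why the generation side uses `secrets` rather than any seeded generator.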
2.4. Accepting or enabling cookies is not mandatory. Browser settings can be adjusted to reject all cookies automatically, or to notify the user whenever a website sends a cookie. Most browsers accept cookies by default, but the settings can usually be changed to prevent automatic acceptance and to let the user choose between accepting and rejecting cookies each time.
Check the links below for cookie settings for popular browsers:
• Google Chrome: Chrome support
• Firefox: Firefox support
• Microsoft Internet Explorer 11: Microsoft support
• Microsoft Internet Explorer 10: Microsoft support
• Microsoft Internet Explorer 9: Microsoft support
• Microsoft Internet Explorer 8: Microsoft support
• Microsoft Edge: Microsoft support
• Safari: Apple support
However, it must be noted that certain site features or services may not function properly without cookies.
- Information about cookies used on the Company's website and data generated during visits
3.1. Data managed during visits
The Company's website may record and manage the following data about the visitor or the visitor's device:
- Visitor's IP address,
- Browser type,
- Characteristics of the operating system of the device the visitor is using (configured language),
- Visit time,
- Subpages, features, or services visited,
- Clicks.
These data are stored for up to 90 days and are used primarily to examine security incidents.
3.2. Cookies used on the website
3.2.1. Technically necessary session cookies
The purpose of data management is to ensure the proper functioning of the website. These cookies are necessary to enable visitors to browse the website without issues and to fully utilize all features and services available through the website, including - in particular - visitor comments on a specific site or the identity of a logged-in user during the visit. The duration of managing these cookies is limited to the current visitor session; this type of cookie will automatically be deleted from the user's computer when the session ends or when the browser is closed.
The legal basis for data management is Section 13/A (3) of Act CVIII of 2001 on Electronic Commerce Services and Information Society Services, under which service providers may manage personal data that are technically necessary to provide the service. All other conditions being equal, service providers must choose and use the tools for providing information society services in such a way that personal data are processed only where strictly necessary to provide the service and to fulfil the other necessary purposes specified in that Act, and even then only to the extent and for the time required.
3.2.2. Cookies that facilitate usage
These cookies remember the user's preferences, such as in what form the user wants to see the page. These types of cookies are essentially setting data stored in a cookie.
Legal basis for data management is visitor consent.
The purpose of data management is to increase service efficiency, enhance user experience, and provide more convenient website usage.
This data resides on the user's computer; the website only accesses it and recognizes the visitor based on it.
3.2.3. Performance cookies
This type of cookie collects information about user behavior, time spent, and clicks on the page the user views. These cookies typically track third-party applications (e.g., Google Analytics, AdWords).
Legal basis for data management: consent of the data subject.
The purpose of data management is website analysis and sending promotional offers.
CHAPTER V
NOTICE OF RIGHTS OF DATA SUBJECTS
I. Rights of the data subject, summarized:
1. Transparent information, communication, and modalities for exercising the rights of the data subject
2. Right to prior information provided - if personal data are collected from the data subject
3. Information provided if personal data are not obtained from the data subject
4. Right of access by the data subject
5. Right to rectification
6. Right to erasure ("right to be forgotten")
7. Right to restriction of processing
8. Obligation to notify rectification or erasure of personal data or restriction of processing
9. Right to data portability
10. Right to object
11. Automated individual decision-making, including profiling
12. Restrictions
13. Notification of the data subject about personal data breach
14. Right to lodge a complaint with the supervisory authority
15. Right to an effective judicial remedy against the supervisory authority
16. Right to an effective judicial remedy against the controller or processor
II. Rights of the data subject, in detail:
1. Transparent information, communication, and modalities for exercising the rights of the data subject
1.1. The controller takes appropriate measures to provide the data subject with all information regarding processing in a concise, transparent, understandable, and easily accessible form, using clear and simple language, especially for all information explicitly intended for children. Information is provided in writing or in other ways, including electronically when appropriate. If the data subject requests, information can be provided orally, provided that the data subject's identity is otherwise determined.
1.2. The controller facilitates the exercise of the rights of the data subject.
1.3. Upon request, the controller informs the data subject of the actions taken without undue delay, and in any case no later than one month from receipt of the request. Where necessary, this period may be extended by a further two months, and the controller must inform the data subject of any such extension.
1.4. If the controller does not comply with the data subject's request, the controller informs the data subject immediately or no later than one month from the receipt of the request of the reasons for not complying with the request and of the possibility of lodging a complaint with the supervisory authority and seeking a legal remedy.
1.5. Information provided, all communications, and measures taken are provided free of charge, but in certain cases prescribed by the Regulation, a fee may be charged.
Detailed rules can be found in Article 12 of the Regulation.
2. Right to prior information provided - if personal data are collected from the data subject
2.1. If personal data of the data subject are collected from the data subject, the controller, when collecting personal data, provides the data subject with all of the following information:
a) identity and contact details of the controller and, where applicable, the representative of the controller;
b) contact details of the data protection officer, if applicable;
c) purposes of the processing for which personal data are intended, as well as the legal basis for the processing;
d) if processing is based on the exercise of legal rights, legitimate interests of the controller or a third party;
e) users or categories of users of personal data, if any;
f) if applicable, the fact that the controller intends to transfer personal data to a third country or international organization.
2.2. The controller, when collecting personal data, provides the data subject with the following additional information necessary to ensure fair and transparent processing:
a) the period for which personal data will be stored or, if not possible, the criteria used to determine that period;
b) the existence of the right to request access to personal data and correction or deletion of personal data or restriction of processing regarding the data subject or the right to object to processing, as well as the right to data portability;
c) if processing is based on the data subject's consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal;
d) the right to lodge a complaint with the supervisory authority;
e) information on whether providing personal data is a legal or contractual obligation or a necessary condition for concluding a contract, and whether the data subject is obliged to provide personal data and what are the possible consequences if such data are not provided;
f) the existence of automated decision-making, including profiling, and at least in those cases, substantive information about the logic used, as well as the significance and envisaged consequences of such processing for the data subject.
2.3. If the controller intends to further process personal data for a purpose other than that for which the personal data were collected, the controller provides the data subject with information about that other purpose and any additional relevant information before such further processing.
All additional rules regarding the right to prior information are contained in Article 13 of the Regulation.
3. Information provided if personal data are not obtained from the data subject
3.1. If personal data are not obtained from the data subject, the controller is obliged to inform the data subject, no later than one month from obtaining the data, of the facts and information described in point 2, together with the categories of personal data concerned and the source of the personal data or, in certain cases, whether the data stem from publicly accessible sources; if the personal data are used to contact the data subject, at the latest at the first contact with that person; or if the data are intended to be disclosed to other recipients, no later than the first disclosure.
3.2. Other rules apply to the facts and obligations set out in point 2 (Right to prior information).
Detailed rules of this notice are contained in Article 14 of the Regulation.
4. Right of access by the data subject
4.1. The data subject has the right to obtain confirmation from the controller as to whether personal data concerning him or her are being processed and, if such personal data are being processed, has the right to access personal data and information specified in points 2 and 3 (Article 15 of the Regulation).
4.2. If personal data are transferred to a third country or international organization, the data subject has the right to be informed about appropriate safeguards under Article 46 that apply to the transfer.
4.3. The controller provides a copy of the personal data being processed. For any additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
Detailed rules regarding the data subject's right of access are contained in Article 15 of the Regulation.
5. Right to rectification
5.1. The data subject has the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her.
5.2. Considering the purposes of processing, the data subject has the right to supplement incomplete personal data, including by providing an additional statement.
These rules are contained in Article 16 of the Regulation.
6. Right to erasure ("right to be forgotten")
6.1. The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay if one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
d) the personal data have been unlawfully processed;
e) the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services directly to a child.
6.2. The right to erasure shall not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health;
d) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise, or defense of legal claims.
Detailed rules concerning the right to erasure are laid down in Article 17 of the Regulation.
7. Right to restriction of processing
7.1. The data subject has the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or
d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
7.2. Where processing has been restricted under paragraph 7.1, such personal data shall, with the exception of storage, only be processed with the data subject's consent, or for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
7.3. The data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.
Detailed rules concerning the right to restriction of processing are laid down in Article 18 of the Regulation.
8. Obligation to notify rectification or erasure of personal data or restriction of processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Detailed rules concerning the controller's obligation to notify rectification or erasure of personal data or restriction of processing are laid down in Article 19 of the Regulation.
9. Right to data portability
9.1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2), or on a contract pursuant to point (b) of Article 6(1); and
b) the processing is carried out by automated means.
9.2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
9.3. The exercise of the right to data portability shall be without prejudice to Article 17 (right to erasure, or "right to be forgotten"). That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. It shall not adversely affect the rights and freedoms of others.
Detailed rules concerning the right to data portability are laid down in Article 20 of the Regulation.
10. Right to object
10.1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
10.2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
10.3. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
10.4. The data subject shall have the right to object to processing of personal data concerning him or her for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), on grounds relating to his or her particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Detailed rules concerning the right to object are laid down in Article 21 of the Regulation.
11. Automated individual decision-making, including profiling
11.1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
11.2. Paragraph 1 shall not apply if the decision:
a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
c) is based on the data subject's explicit consent.
11.3. In the cases referred to in paragraph 2, points (a) and (c), the controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view, and to contest the decision.
Additional rules concerning automated individual decision-making, including profiling, are laid down in Article 22 of the Regulation.
12. Restrictions
Based on Union law or the law of the Member State applicable to the controller or processor, the scope of obligations and rights under Articles 12 to 22 and Article 34, as well as Article 5, may be restricted by a legislative measure, provided that such restriction respects the essence of fundamental rights and freedoms.
Detailed conditions for these restrictions are set out in Article 23 of the Regulation.
13. Notification of Personal Data Breach to Data Subjects
13.1. When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall notify the data subjects without undue delay of the personal data breach. The notification to the data subject shall describe the nature of the personal data breach in clear and plain language and include at least the following information and measures:
a) the name and contact details of the data protection officer or other contact point where more information can be obtained;
b) a description of the likely consequences of the personal data breach;
c) a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
13.2. Notification to the data subject is not required if any of the following conditions are met:
a) the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
c) it would involve a disproportionate effort. In such a case, a public announcement or similar measure shall be used to inform data subjects in an equally effective manner.
Additional rules are provided in Article 34 of the Regulation.
14. Right to Lodge a Complaint with a Supervisory Authority
Any data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or the place of the alleged infringement, if the data subject considers that the processing of personal data relating to them infringes this Regulation. The supervisory authority to which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy.
These rules are contained in Article 77 of the Regulation.
15. Right to an Effective Judicial Remedy against a Supervisory Authority
15.1. Without prejudice to any other administrative or non-judicial remedy, any natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
15.2. Without prejudice to any other administrative or non-judicial remedy, any data subject has the right to an effective judicial remedy if the supervisory authority does not handle a complaint or inform the data subject within three months of the progress or outcome of the complaint, pursuant to Articles 55 and 56.
15.3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority has its seat.
15.4. Where proceedings are initiated against a decision of the supervisory authority which was preceded by an opinion or decision of the Board in the consistency mechanism, the supervisory authority shall submit that opinion or decision to the court.
These rules are provided in Article 78 of the Regulation.
16. Right to an Effective Judicial Remedy against a Controller or Processor
16.1. Without prejudice to any other available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, any data subject shall have the right to an effective judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.
16.2. Proceedings against a controller or processor shall be brought before the courts of the Member State where the controller or processor has its main establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State exercising its public powers.
These rules are contained in Article 79 of the Regulation.