Annex 1 of the Rulebook on Data Management
NOTICE ON DATA MANAGEMENT REGARDING THE RIGHTS OF AN INDIVIDUAL PERSON REGARDING THE MANAGEMENT OF HIS PERSONAL DATA
CONTENT
INTRODUCTION
CHAPTER I – NAME OF THE ENTITY HANDLING THE DATA
CHAPTER II - NAME OF ENTITIES WHO PROCESS DATA
1. IT provider of our Company
2. Developer of our company's map system
CHAPTER III - ENSURING COMPLIANCE OF DATA MANAGEMENT WITH LAWS
1. Data management based on approval from the person to whom the data refers
2. Data management based on the performance of legal obligations
3. Promotion of the rights of persons to whom the data refer
CHAPTER IV - MANAGEMENT OF VISITORS' DATA ON THE COMPANY'S WEBSITE - NOTICE ON THE USE OF COOKIES
CHAPTER V - ANNOUNCEMENT ON THE RIGHTS OF PERSONS TO WHOM THE DATA REFER TO
INTRODUCTION
Based on REGULATION 2016/679 OF THE EUROPEAN PARLIAMENT AND COUNCIL (EU) (hereinafter: Regulation), which refers to the protection and free flow of data when managing personal data of natural persons, i.e. to the repeal of Regulation 95/46/EC, the Data Controller must carry out appropriate actions, in order to ensure that the person, whose data is collected, provides all the necessary information regarding the management of personal data, in a concise, clear, transparent, understandable and accessible form, as well as to ensure the conditions for the fulfillment of the rights of the person, whose data collect.
The obligation to inform the person in advance about the right to informational self-determination and freedom of information is also rewritten by Law CXII from 2011.
With the text below, we fulfill our obligations, which are required by the aforementioned laws and regulations.
The notification should be displayed on the website of the company, or should be sent to the person, whose data is collected, at his request.
CHAPTER I
NAME OF THE ENTITY HANDLING THE DATA
The issuer of this notice, also the Data Controller:
Company name: ATI-TERMING DOO
Headquarters: Kucurski Put BB, 25230, Kula, Serbia
Identity number: 20816414
PIB: 107504969
Representative: Branislav Banatski, Director
Phone number: 063 833 09 84
E-mail address: termingkula@gmail.com
Website: termingkula.rs
(hereinafter: Society)
CHAPTER II
NAME OF THE ENTITIES PROCESSING THE DATA
Subject, which processes the data: natural or legal person, state authority, agency or any other authority, which manages the data on behalf of the data controller; (Regulation 4, Article 8)
The use of the entity that processes the data is not related to the prior consent of the person, but it is necessary to inform the person. In accordance with these regulations, we are giving the following notice:
1. IT provider of the Company
For the maintenance and management of its website, the company uses the services of the subject, which processes data, which provides IT services (hosting services) and within these services - in accordance with the content of the contract between the two parties - manages personal data, which are left on the website, so , which saves them on the server.
Name and data of the subject, which manages the data:
Company name: ErdSoft doo
Headquarters: 24000 Subotica, Somborski put 33a, Serbia
Identity number: 21354619
PIB: 110478829
Representative: Daniel Erdudac
Phone number: +381 60 44 60 555
Fax: none
E-mail address: daniel.erdudac@erdsoft.com
Website: erdsoft.com
III. CHAPTER
ENSURING DATA MANAGEMENT COMPLIANCE WITH LAWS
1. Data management based on approval from the person to whom the data refers
(1) If the Company wants to manage data on the basis of approval, it is necessary that the consent for the management of personal data of the person, whose data will be managed, be requested using the form, the content of which is determined in the rulebook on data management.
(2) Approval is also considered if the user checks the box, which refers to requesting consent for data processing on the Company's website, if he makes the related technical settings in connection with the use of information society services, as well as any other statement or act, which clearly indicates consent of the person to the planned management of his personal data. Silence, a pre-ticked box or taking no action is not considered consent.
(3) Consent refers to all actions related to data management, which is carried out with the same goal or goals. If data management serves the purpose of several different purposes, consent must be requested for all purposes related to data management.
(4) If the person gives his approval as part of a written statement, which also refers to other goals - e.g. sale, concluding a service contract - consent must be requested in a way that is clear, simply expressed, comprehensible, accessible and clearly distinguished from other purposes. Parts of such statements, which contain the person's consent, and which are not in accordance with the Regulation, are not legally binding.
(5) The company cannot condition the conclusion or performance of the contract by consenting to the management of those personal data, which are not necessary for the performance of the contract.
(6) Withdrawing consent should be as simple as giving consent.
(7) If personal data is recorded with the consent of the person, hand
the data controller can use the recorded data in the absence of regulations that differ from the law, in order to fulfill legal obligations, without special consent, and after withdrawal of consent by the person.
(8) The site does not specifically collect data from minors (under 16 years of age). If the data of a minor is saved, after learning about this fact, the data of the minor is deleted without delay.
2. Data management based on the performance of legal obligations
(1) In the case of data management based on the fulfillment of legal obligations, the scope of data, the purpose of data management, the time of data storage and the users of data are determined by legal regulations.
(2) Data management based on the fulfillment of legal obligations does not depend on the consent of the person, since data management is determined by law. In this case, before data collection, the person must be informed that data collection is mandatory, and must be informed in detail and clearly about all the facts related to the management of his data, with special reference to the purpose and legal basis of data processing, to the subject, which has the right to data management, the duration of data management, about personal data being managed in accordance with legal provisions and about who can have access to the data. The notification must also include the rights of the person and the possibilities of using the rights related to the management of personal data. In the case of mandatory data management, the notification can also be considered the publication of a call to all legal regulations, which contain the above-mentioned information.
3. Promotion of the rights of persons to whom the data refer
The company is obliged to ensure that the person can exercise his rights in the case of all activities related to data management.
CHAPTER IV
MANAGEMENT OF VISITORS' DATA ON THE COMPANY'S WEBSITE - NOTICE ON THE USE OF COOKIES
1. The website visitor must be informed about the application of cookies and for all, except technically necessary sessions (cookies), the visitor's permission must be requested.
2. General information about cookies
2.1. A cookie is data that a visited web page sends to the visitor's browser (in the form of a value variable) for storage, and later the same web page can fill in the content of the cookie. Cookies can be valid (valid) until the browser is closed, but also for an unlimited period of time. Later, with each HTTP(S) request, the browser will send this information to the server, thus changing the data on the user's device.
2.2. The essence of cookies is to mark and identify the user (eg his entry to the page) and to treat the given user accordingly in all subsequent cases. The risk lies in the fact that the user is not always aware that cookies identify him, and this provides an opportunity for the user to be tracked by the owner of the page or another provider whose content is embedded in the page (eg Facebook, Google Analytics). During tracking, a profile is created about the user, and in these cases the content of the cookie is treated as personal data.
2.3. Types of cookies:
2.3.1. Technically necessary session cookies: without them, websites are simply not functional, they are used to identify the user, when he entered the page, what he put in the basket, etc. In this case, the session ID is usually stored, while other data is stored on the server, making it more secure. From a security point of view, when the session cookie value is not well generated, there is a risk of session smuggling, so it is necessary that these values are generated correctly. Other terminologies call session cookies any cookie that is deleted at the moment of exit from the browser (a session is the use of the browser from start to exit).
2.3.2. Cookies, which facilitate the use: this includes those cookies, which remember the user's choices - eg. in which form he wants to view the page. These cookies essentially mark the settings data, which is stored in cookies.
2.3.3. Performance cookies: Although they have little to do with "performance", this is the name for cookies, which collect information about user behavior, clicks and time spent on the page they visit. These are usually third-party applications (such as Google Analytics, AdWords or Iandek.ru cookies). They are suitable for visitor profiling.
Learn more about Google Analytics cookies here: Analytics-cookies
Learn more about Google AdWords cookies here: Google support
2.4. Accepting or enabling cookies is optional. In the browser settings, it can be set to automatically reject all cookies, or to notify the browser when the system sends cookies. Most browsers automatically accept cookies by default, but settings can usually be changed to prevent automatic acceptance and to offer the user a choice between accepting and rejecting cookies each time.
See the links below for the cookie settings of the most popular browsers:
• Google Chrome: Chrome support
• Firefox: Firefox are
port
• Microsoft Internet Explorer 11: Microsoft support
• Microsoft Internet Explorer 10: Microsoft support
• Microsoft Internet Explorer 9: Microsoft support
• Microsoft Internet Explorer 8: Microsoft support
• Microsoft Edge: Microsoft support
• Safari: Apple support
However, it must be noted that certain features of the site or service may not function properly without cookies.
3. Information about cookies used on the Company's website and data generated during the visit
3.1. Data, which are managed during the visit
Our Company's website may use the website to record and manage the following information about the visitor or the device they are using:
• IP address of the visitor,
• browser type,
• characteristics of the operating system of the device used by the visitor (configured language),
• time of visit,
• (sub)sites, functions or services you visit,
• clicks.
This data is stored for up to 90 days and is used primarily for testing security incidents.
3.2. Cookies used on the website
3.2.1. Technically necessary session cookies
The purpose of data management is to ensure the proper functioning of the website. These cookies are needed to enable visitors to browse the website without problems and to fully use all the functions, services available through the website, including - in particular - the comments of visitors on a particular site or the identity of the logged-in user during the visit. The duration of this cookie management is limited to the current visit of the visitor, this type of cookie will be automatically deleted from the user's computer when the session ends or when the browser is closed.
The legal basis for managing this data is 13/A. § (3) paragraph CVIII of the Law on Electronic Commerce Services and Information Society Services from 2001, according to which the service provider in order to provide the service can manage personal data, which are technically necessary for the provision of the service. If other conditions remain unchanged, service providers must choose and use the tools used to provide information society services, in such a way that personal data is processed only if it is strictly necessary to provide the service and to fulfill other necessary purposes specified in this law. but even in that case only to the extent and time that is necessary.
3.2.1. Cookies, which facilitate use
These cookies remember the user's choices, for example, in which form the user wants to see the page. These types of cookies are essentially settings data, which are stored in a cookie.
The legal basis for managing this data is visitors' consent.
The purpose of data management is to increase the efficiency of the services, improve the user experience and ensure a more convenient use of the site.
These data are located on the user's computer, the website only accesses them and recognizes the visitor based on them.
3.2.2. Performance cookies
This type of cookie collects information about user behavior, time spent and clicks on the page the user is viewing. These cookies are usually tracked by third-party applications (eg Google Analytics, AdWords).
Legal basis for data management: consent of the data subject.
The purpose of data management is to analyze the website and send promotional offers.
CHAPTER V
ANNOUNCEMENT ON THE RIGHTS OF PERSONS TO WHOM THE DATA REFER TO
I The rights of the persons to whom the data refer, summarized:
1. Transparent information, communication and modalities for exercising the rights of persons to whom the data refer
2. The right to prior information, which is provided - if personal data is collected from the person to whom the data refers
3. Information provided if the personal data is not obtained from the person to whom the data refers
4. The right of the data subject to access
5. Right to rectification
6. Right to erasure ("right to be forgotten")
7. Right to restriction of processing
8. Obligation to notify about correction or deletion of personal data or restriction of processing
9. Right to data portability
10. The right to object
11. Making automated individual decisions, including profiling 12. Limitations
13. Notifying the person to whom the data relates to a violation of the security of personal data
14. The right to complain to the supervisory authority
15. The right to an effective legal remedy against the supervisory authority
16. Right to an effective legal remedy against the controller or processor
II Rights of persons to whom the data refer, in detail:
1. Transparent information, communication and modalities for exercising the rights of persons to whom the data refer
1.1. The controller takes appropriate measures to provide the data subject with all information related to the processing in a concise, transparent, comprehensible and easily accessible form, using clear and simple language, which in particular refers to all information expressly intended for a child . Information is provided in written form or by other means, including electronic form when appropriate. If the person on whom
if the data refer to it, the information can be provided orally, provided that the identity of the person to whom the data refer is determined in other ways.
1.2. The operator facilitates the realization of the rights of the data subject.
1.3. Upon request, the controller shall provide the data subject with information on the actions taken without undue delay, and in any case no later than one month from the receipt of the request. That deadline can be extended by an additional two months as needed, and the Controller must notify the person to whom the data relates of any such extension of the deadline.
1.4. If the operator does not act on the request of the person to whom the data refer, the operator informs the person to whom the data refer immediately or no later than one month after receiving the request about the reasons for not acting on the request and about the possibility of submitting a complaint to the supervisory authority and seeking a legal remedy.
1.5. The information provided, all communication and measures taken are provided free of charge, but in certain cases, which are prescribed by the Regulation, a fee may be charged.
Detailed rules can be found in Article 12 of the Regulation.
2. The right to prior information, which is provided - if personal data is collected from the person to whom the data refers
2.1. If the personal data of the person to whom the data refer is collected from the person to whom the data refers, the controller provides all of the following information to that person when collecting personal data:
a) the identity and contact details of the operator and, if applicable, the representative of the operator;
b) contact details of the authorized person for data protection, if applicable;
c) processing purposes for which personal data are intended, as well as the legal basis for processing;
d) if the processing is based on the realization of legal rights, legitimate interests of the operator or a third party;
e) users or categories of users of personal data, if they exist;
f) if applicable, the fact that the controller intends to transfer personal data to a third country or international organization.
2.2. When collecting personal data, the controller provides the data subject with the following additional information necessary to ensure fair and transparent processing:
a) on the period for which personal data will be kept or, if this is not possible, the criteria used to determine that period;
b) existence of the right to request from the controller access to personal data and correction or deletion of personal data or restriction of processing in relation to the person to whom the data refer or the right to object to the processing, as well as the right to data portability;
c) if the processing is based on the consent of the user, the existence of the right to withdraw the consent at any time, without affecting the legality of the processing based on the consent before the withdrawal of the consent;
d) the right to submit a complaint to the supervisory authority;
e) information on whether the provision of personal data is a legal or contractual obligation or a necessary condition for concluding a contract, as well as whether the person to whom the data refers has an obligation to provide personal data and what are the possible consequences if such data are not provided provide;
f) the existence of automated decision-making, including profiling and, at least in those cases, substantive information about the logic used, as well as the significance and intended consequences of such processing for the data subject.
2.3. If the controller intends to further process the personal data for a purpose that differs from the purpose for which the personal data was collected, the controller shall, before such further processing, provide the data subject with information about that other purpose and any additional relevant information.
All additional rules regarding the right to prior information are contained in Article 13 of the Regulation.
3. Information provided if the personal data is not obtained from the person to whom the data refers
3.1. If he did not receive the personal data from the person to whom the data refer, the operator is obliged to inform the person to whom the data refer to the facts and information described in point 2, about the category of personal data, no later than one month from the date of obtaining the data. on the source of personal data or, in certain cases, on whether the data originates from publicly accessible sources: if personal data are used to contact the person to whom the data refer, at least in the first contact with the person; or if they intend to transfer the data to other users, no later than the first transfer.
3.2. The facts and obligations from point 2 (Right to prior information) apply to other rules.
The detailed rules of this notification are contained in Article 14 of the Regulation.
4. The right of the data subject to access
4.1. The data subject has the right to obtain confirmation from the controller as to whether his personal data is being processed and, if such personal data is being processed, the right to access the personal data and information specified in points 2 and 3 ( Article 15 of the Regulation).
4.2. If personal data is transferred to a third country or international organization, the person to whom
e data is related, has the right to be informed about the appropriate protection measures in accordance with Article 46, which refer to the transfer.
4.3. The controller provides a copy of the personal data being processed. For any additional copies requested by the data subject, the controller may charge an acceptable fee based on administrative costs.
Article 15 of the Regulation contains detailed rules regarding the rights of persons to whom the data refer to access.
5. Right to rectification
5.1. The person to whom the data relates has the right to have the operator enable him to correct incorrect personal data relating to him without undue delay.
5.2. Taking into account the purposes of the processing, the data subject has the right to complete incomplete personal data, among other things, by providing an additional statement.
These rules contain Article 16 of the Regulation.
6. Right to erasure ("right to be forgotten")
6.1. The person to whom the data refers has the right to have the operator enable him to delete the personal data relating to him without undue delay, and the operator has the obligation to delete the personal data without undue delay, if one of the following conditions is met:
a) personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
b) the person to whom the data refer has withdrawn the consent on which the processing is based and if there is no other legal basis for the processing;
c) the person to whom the data refer has filed an objection to the processing and there are no prevailing legal reasons for the processing;
d) personal data were illegally processed;
e) personal data must be deleted in order to comply with a legal obligation under Union law or the law of a Member State applicable to the controller;
f) personal data is collected in connection with the offer of information society services directly to the child.
6.2. The clauses on data deletion do not apply if the processing is necessary:
a) in order to exercise the right to freedom of expression and information;
b) to comply with a legal obligation requiring processing under Union law or the law of a Member State applicable to the controller or for the performance of a task performed in the public interest or within the exercise of official powers granted to the data controller;
c) due to public interest in the field of public health;
d) for the purposes of archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes if the right to erasure would likely make it impossible or seriously jeopardize the achievement of the goals of that processing; or
e) in order to establish, realize or defend legal claims.
Detailed rules related to the right to delete data are contained in Article 17 of the Regulation.
7. Right to restriction of processing
7.1. If the processing is limited, such personal data may only be processed with the consent of the person to whom the data refer, except for storage, or for the establishment, exercise or defense of legal claims or the protection of the rights of another natural or legal person or for the important public interest of the Union or member states.
7.2. The data subject has the right to ensure the restriction of processing by the controller if one of the following conditions is met:
a) the person to whom the data refers contests the accuracy of the personal data, within the time limit that allows the data controller to check the accuracy of the personal data;
b) the processing is illegal, and the person to whom the data refer objects to the deletion of the personal data and instead requests the limitation of their use;
c) the data controller no longer needs the personal data for processing purposes, but the person to whom the data refers requests them for the purpose of establishing, exercising or defending legal claims; or
d) the data subject has objected to the processing and it has not yet been confirmed whether the controller's legitimate reasons prevail over the reasons of the data subject.
7.3. The person to whom the data refers, who has received a restriction of processing, is informed by the controller before the cancellation of the restriction of processing.
Detailed rules are contained in Article 18 of the Regulation.
8. Obligation to notify about correction or deletion of personal data or restriction of processing
The operator informs each user to whom personal data has been disclosed of any correction or deletion of personal data or restriction of processing carried out, unless it turns out to be impossible or requires a disproportionate effort. The operator informs the data subject about those users if the data subject requests it.
Detailed rules are contained in Article 19 of the Regulation.
9. Right to data portability
9.1. The person to whom the data refer has the right to receive the personal data relating to him, which he has provided to the data controller in a structured, common and machine-readable format, and has the right to transmit that data to another data controller without interference from the controller. personal data provided, if:
a) the processing is based on consent or a contract; and
b) processing is done automatically.
9.2. When exercising their rights to data portability, the person to whom
related data has the right to direct transfer from one operator to another.
9.3. Exercising the right to data portability does not call into question Article 17 (Right to erasure, i.e. "right to be forgotten"). This right does not apply to processing necessary for the performance of a task carried out in the public interest or within the exercise of official powers granted to the data controller. This right must not negatively affect the rights and freedoms of others.
Detailed rules are contained in Article 20 of the Regulation.
10. The right to object
10.1. The person to whom the data refer has the right to object to the processing of personal data related to him at any time, based on reasons related to his specific position, in accordance with Article 6, paragraph 1, point e) or f ), including profiling based on those provisions. The controller may no longer process personal data, unless it proves that there are credible legitimate reasons for processing that prevail over the interests, rights and freedoms of the person to whom the data refer or for the establishment, exercise or defense of legal claims.
10.2. If personal data is processed for the purposes of direct marketing, the data subject has the right to object at any time to the processing of personal data relating to him for the purposes of such marketing, which includes profiling if related to such direct marketing marketing. If the data subject objects to the processing for direct marketing purposes, the personal data may no longer be processed for such purposes.
10.3. At the latest during the first communication with the person to whom the data refer, the person to whom the data refer is expressly drawn to this right, which must be presented clearly and separately from all other information.
10.4. The data subject can exercise his right to object automatically by means of technical specifications.
10.5. If personal data are processed for the purposes of scientific or historical research or for statistical purposes, the person to whom the data refer, based on reasons related to his specific position, has the right to object to the processing of personal data relating to him, except if the processing is necessary for the performance of a task performed in the public interest.
Detailed rules are contained in Article 21 of the Regulation.
11. Making automated individual decisions, including profiling
11.1. The data subject has the right not to be subject to a decision based solely on automatic processing, including profiling, which produces legal effects that relate to him or similarly significantly affect him.
11.2. Paragraph 1 does not apply if the decision:
a) necessary for the conclusion or execution of a contract between the person to whom the data refer and the controller;
b) permitted by the law of the Union or the law of the Member State which applies to the controller and which also prescribes appropriate protective measures for the rights and freedoms and legitimate interests of the person to whom the data refer; or
c) based on the express consent of the person to whom the data refer.
11.3. In the cases referred to in paragraph 2, points a) and c), the controller takes appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, and at least the right to human intervention of the controller, the right to express one's own position and the right to challenge the decision.
Article 22 of the Regulation contains additional rules.
12. Limitations
Based on the law of the Union or the law of the member state, which is applied to the handler or processor, a legal measure can limit the scope of obligations and rights from Articles 12 to 22 and Article 34, as well as Article 5, if such limitation respects the essence of the basic rights and freedom.
The terms of these restrictions are contained in Article 23 of the Regulation.
13. Notifying the person to whom the data relates to a violation of the security of personal data
13.1. When it is likely that a breach of the security of personal data will cause a great risk to the rights and freedoms of natural persons, the operator shall, without undue delay, inform the persons to whom the data refer that a breach of the security of personal data has occurred. The notification to the data subject describes in clear and simple language the nature of the personal data security breach and contains at least the following information and measures:
a) name and contact information of the authorized person for data protection or other contact point from which more information can be obtained;
b) a description of the likely consequences of a breach of personal data security;
c) a description of the measures taken by the operator or proposed to be taken in order to eliminate the breach of personal data security, including, as necessary, measures to mitigate its harmful consequences.
13.2. Notifying the data subject is not mandatory if any of the following conditions are met:
a) if the controller has taken appropriate technical and organizational protective measures and those measures have been applied to personal data in connection with which there has been a breach of personal data security
other, and above all, measures that make personal data unintelligible to a person who is not authorized to access it, such as encryption;
b) if the controller has taken subsequent measures to ensure that it is no longer likely that a high risk will occur for the rights and freedoms of the persons to whom the data refer;
c) if it would require a disproportionate effort. In such a case, a public notice is published or a similar measure is taken to inform the persons to whom the data refer in an equally effective manner.
Article 34 of the Regulation contains additional rules.
14. The right to complain to the supervisory authority
Any data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State in which he has his habitual residence, in which his workplace or the place of the alleged infringement, if the data subject considers that the processing of personal data in relation to him violates this regulation. The supervisory authority to which the complaint was submitted informs the complainant about the progress and outcome of the complaint, including the possibility of applying a legal remedy.
These rules contain Article 77 of the Regulation.
15. The right to an effective legal remedy against the supervisory authority
15.1. Without prejudice to any other administrative or extrajudicial legal remedy, every natural or legal person has the right to an effective legal remedy against the legally binding decision of the supervisory body that applies to him.
15.2. Without prejudice to any other administrative or extrajudicial legal remedy, any data subject has the right to an effective legal remedy if the supervisory authority competent under Articles 55 and 56 does not resolve the complaint or does not notify the data subject within three months, on the progress or outcome of the submitted complaint.
15.3. The courts of the Member State where the supervisory authority has its headquarters are competent for proceedings against the supervisory authority.
15.4. If proceedings have been initiated against the decision of the supervisory authority which was preceded by the opinion or decision of the Board within the consistency mechanism, the supervisory authority forwards that opinion or decision to the court.
These rules contain Article 78 of the Regulation.
16. Right to an effective legal remedy against the controller or processor
16.1. Without prejudice to any other available administrative or extrajudicial legal remedy, including the right to submit a complaint to a supervisory authority, the data subject has the right to an effective legal remedy if he considers that his rights under this regulation have been violated as a result of the processing of his data on persons contrary to this regulation.
16.2. The courts of the Member State in which the operator or processor has its seat are competent for proceedings against the controller or processor. Alternatively, the courts of the member state in which the person to whom the data refer has their habitual residence are competent for those procedures, except when the handler or processor is a public authority of the member state exercising its public powers.
These rules contain Article 79 of the Regulation.