Appendix to the Data Management Policy

Data Management Notice regarding the rights of natural persons concerning the management of their personal data

CONTENTS

  1. INTRODUCTION
  2. CHAPTER I – NAME OF THE DATA CONTROLLER
  3. CHAPTER II – NAME OF DATA PROCESSORS
    • Our Company’s IT provider
    • Our Company’s ticket system developer
  4. CHAPTER III – ENSURING COMPLIANCE OF DATA MANAGEMENT WITH LAWS
    • Data management based on consent from the data subject
    • Data management based on legal obligations
    • Promotion of data subject rights
  5. CHAPTER IV – MANAGEMENT OF VISITOR DATA ON THE COMPANY’S WEBSITE – COOKIE USAGE NOTICE
  6. CHAPTER V – NOTICE OF DATA SUBJECT RIGHTS

INTRODUCTION

According to REGULATION 2016/679 OF THE EUROPEAN PARLIAMENT AND COUNCIL (EU) (hereinafter: Regulation) concerning the protection and free flow of data in the management of personal data of natural persons, and the repeal of regulation 95/46/EC, the Data Controller must take appropriate actions to ensure that the person whose data is collected receives all necessary notifications regarding personal data management in a concise, clear, transparent, understandable and accessible form, and to ensure conditions for fulfilling the rights of the data subject.
The obligation to inform the person in advance is also prescribed by Act CXII of 2011 on the right to informational self-determination and freedom of information.
The following text fulfills our obligations mandated by the aforementioned laws and regulations.
This notice should be displayed on the company’s website or sent to the data subject upon request.

CHAPTER I
NAME OF THE DATA CONTROLLER

The issuer of this notice, also the Data Controller:

Company name: Zeleni Sokovi Nemet Doo
Headquarters: Serbia, 24413 Palić, Rogaška 10
Registration number: 21567477
Tax ID: 111909874
Representative: Roland Nemet
Phone number: +381 61 210 3555
Email address: zelenisokovinemet@gmail.com
Website: eliksirvitalnosti.com, zelenisokovi.com, zelenisokodzita.com, sokodzita.com, eliksirzdravlja.com, nemetzito.com
(hereinafter: the Company)

CHAPTER II
NAME OF THE DATA PROCESSORS

Data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller (Article 4, point 8 of the Regulation).
The use of a data processor is not subject to the prior consent of the data subject, but it is necessary to inform the data subject. In accordance with these regulations, we provide the following notice:

1. The Company’s IT provider

The Company uses the services of a data processor for maintaining and managing its website, who provides IT services (hosting services) and within these services – in accordance with the contract between the two parties – manages personal data left on the website by storing it on the server.

Name and data of the data processor:
Company name: Beohosting Group Doo
Headquarters: 11000 Belgrade, Mile Dimić 9, Serbia
Registration number: 21699497
Tax ID: 112568867
Representative: Filip Popović
Website: beohosting.com

CHAPTER III
ENSURING COMPLIANCE OF DATA MANAGEMENT WITH LAWS

1. Data management based on the consent of the data subject

(1) If the Company wishes to manage data based on consent, it is necessary to request consent for personal data management from the data subject using a form whose content is specified in the data management policy.
(2) It is also considered consent if the user marks the field relating to requesting consent for data processing on the Company’s website, if they make related technical settings regarding the use of information society services, as well as any other statement or act that clearly indicates the person’s consent to the planned management of their personal data. Silence, pre-checked boxes, or inaction do not constitute consent.
(3) Consent applies to all data management actions carried out for the same purpose or purposes. If data management serves multiple different purposes, consent must be requested for all purposes related to data management.
(4) If a person gives their consent as part of a written statement that also relates to other purposes – e.g., sales, service contract conclusion – consent must be requested in a way that is clear, simply expressed, understandable, accessible, and clearly distinguished from other purposes. Parts of such statements containing consent that do not comply with the Regulation are not legally valid.
(5) The Company cannot condition the conclusion or execution of a contract on consent to manage personal data that is not necessary for contract execution.
(6) Withdrawal of consent should be as simple as giving consent.
(7) If personal data is recorded with the person’s consent, the data controller may, unless the law provides otherwise, use the recorded data for the purpose of fulfilling legal obligations without further special consent, and also after withdrawal of consent by the person.
(8) The website does not intentionally collect data from minors (under 16 years of age). If data from a minor is stored, upon becoming aware of this fact, the minor’s data is deleted without delay.

2. Data management based on the performance of legal obligations

(1) In the case of data management based on legal obligations, the scope of data, purpose of data management, data retention time, and data users are determined by law.
(2) Data management based on fulfilling legal obligations does not depend on the person’s consent, as data management is determined by law. In this case, the person must be informed before data collection that data collection is mandatory, and must also be thoroughly and clearly informed about all facts related to the management of their data, with special attention to the purpose and legal basis of data processing, the entity that has the right to manage data, the duration of data management, that personal data is managed in accordance with legal provisions, and who can access the data. The notice must include the rights of the person and the possibilities of exercising rights related to personal data management. In the case of mandatory data management, reference to all legal regulations containing the above-mentioned information may be considered as notification.

3. Promotion of the rights of data subjects

The Company is obligated to ensure that the person can exercise their rights in all activities related to data management.

CHAPTER IV
DATA MANAGEMENT OF VISITORS TO THE COMPANY’S WEBSITE – COOKIE NOTICE

1. A visitor to the website must be informed about the use of cookies and, for all but technically necessary session cookies, the visitor’s permission must be requested.

2. General information about cookies

2.1. A cookie is data that the visited website sends to the visitor’s browser (in the form of a name-value pair) for storage, so that the same website can later read the cookie’s content. Cookies can be valid until the browser is closed, or for an unlimited period. Later, with each HTTP(S) request, the browser will send this information to the server, thus changing the data on the user’s device.
2.2. The essence of cookies is to mark and identify the user (e.g., their entry to the site) and to treat that user appropriately in all subsequent cases. The risk lies in the fact that users are not always aware that cookies identify them, and this provides an opportunity for the user to be tracked by the site owner or other provider whose content is embedded in the site (e.g., Facebook, Google Analytics). During tracking, a profile is created about the user, and in these cases, the cookie content is treated as personal data.
2.3. Types of cookies:
2.3.1. Technically necessary session cookies: without them, websites simply are not functional. They are used to identify users when they enter the site, to track what they put in their cart, etc. In this case, usually only the session ID is stored, while other data is stored on the server, making them more secure. From a security aspect, when the session cookie value is not properly generated, there is a risk of session hijacking, so it is necessary that these values are generated correctly. Other terminology refers to session cookies as any cookie that is deleted when exiting the browser (a session is the use of the browser from start to exit).
2.3.2. Cookies that facilitate use: these include cookies that remember user choices – e.g., in what form they want to view the page. These cookies are essentially setting data stored in cookies.
2.3.3. Performance cookies: Although they don’t have much to do with “performance,” this is the name for cookies that collect information about user behavior, clicks, and time spent on the page they visit. These are usually third-party applications (such as Google Analytics, AdWords, or Yandex.ru cookies). They are suitable for profiling visitors.
Learn more about Google Analytics cookies here:
https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Learn more about Google AdWords cookies here:
https://support.google.com/adwords/answer/2407785?hl=sr
2.4. Accepting or enabling cookies is not mandatory. In browser settings, you can set all cookies to be automatically rejected, or have the browser notify when the system sends cookies. Most browsers automatically accept cookies by default, but settings can usually be changed to prevent automatic acceptance and to offer the user a choice between accepting and rejecting cookies each time.

See the links below for cookie settings in the most popular browsers:

However, it must be noted that certain site functions or services may not work properly without cookies.

3. Information about the cookies used on the Company’s website and about the data generated during the visit

3.1. Data managed during visits
Our Company’s website may record and manage the following information about the visitor or the device being used:
• Visitor’s IP address,
• Browser type,
• Operating system characteristics of the device being used (configured language),
• Time of visit,
• (Sub)pages, features, or services visited,
• Clicks.
This data is stored for up to 90 days and is primarily used for investigating security incidents.

3.2. Cookies used on the website
3.2.1. Technically necessary session cookies
The purpose of data management is to ensure proper website functioning. These cookies are necessary to allow visitors to browse the website without problems and to fully utilize all functions and services available through the website, including – especially – visitor comments on a particular site or logged-in user identity during visits. The duration of such cookie management is limited to the visitor’s current visit; this type of cookie will automatically be deleted from the user’s computer when the session ends or when the browser is closed.
The legal basis for managing this data is Section 13/A (3) of Act CVIII of 2001 on electronic commerce services and information society services, according to which the service provider may manage personal data that is technically necessary for providing the service for the purpose of providing the service. If other conditions remain unchanged, service providers must choose and use the tools used for providing information society services in such a way that personal data is processed only if strictly necessary for providing the service and fulfilling other necessary purposes stated in this law, and even then only to the extent and for the time necessary.
3.2.2. Cookies that facilitate use
These cookies remember user choices, for example, in what form the user wants to see the page. These types of cookies are essentially setting data stored in cookies.
The legal basis for managing this data is visitor consent.
The purpose of data management is to increase service efficiency, improve user experience, and ensure more convenient site usage.
This data is located on the user’s computer; the website only accesses it and recognizes visitors based on it.
3.2.3. Performance cookies
This type of cookie collects information about user behavior, time spent, and clicks on the page the user is viewing. These cookies usually belong to third-party applications (e.g., Google Analytics, AdWords).
Legal basis for data management: consent of the data subject.
Purpose of data management is website analysis and sending promotional offers.

CHAPTER V
NOTICE OF THE RIGHTS OF DATA SUBJECTS

I Rights of data subjects, in summary:
1. Transparent information, communication, and modalities for exercising the rights of data subjects
2. Right to prior information provided – if personal data are collected from the data subject
3. Information to be provided if personal data have not been obtained from the data subject
4. Right of the data subject to access
5. Right to rectification
6. Right to erasure (‘right to be forgotten’)
7. Right to restriction of processing
8. Obligation to notify rectification or erasure of personal data or restriction of processing
9. Right to data portability
10. Right to object
11. Automated individual decision-making, including profiling
12. Restrictions
13. Notification of personal data breaches to data subjects
14. Right to lodge a complaint with a supervisory authority
15. Right to an effective judicial remedy against a supervisory authority
16. Right to an effective judicial remedy against a controller or processor

II Rights of data subjects, in detail:

1. Transparent information, communication and modalities for the exercise of the rights of the data subject

1.1. The controller takes appropriate measures to provide the data subject with all information relating to processing in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, particularly for any information addressed specifically to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
1.2. The controller facilitates the exercise of data subject rights.
1.3. The controller shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two additional months where necessary, and the controller must inform the data subject of any such extension within the period.
1.4. If the controller does not act on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
1.5. Information provided, all communication and actions taken are provided free of charge, but in certain cases prescribed by the Regulation, a fee may be charged.
Detailed rules can be found in Article 12 of the Regulation.

2. Right to prior information provided – if personal data are collected from the data subject

2.1. Where personal data concerning a data subject are collected from the data subject, the controller shall provide the data subject with all of the following information:
a) the identity and contact details of the controller and, where applicable, of the controller’s representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
d) where the processing is based on legitimate interests, the legitimate interests pursued by the controller or by a third party;
e) the recipients or categories of recipients of the personal data, if any;
f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organization.
2.2. The controller shall provide the data subject with the following additional information necessary to ensure fair and transparent processing:
a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
c) where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d) the right to lodge a complaint with a supervisory authority;
e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
f) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2.3. If the controller intends to further process personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject with information on that other purpose and all additional relevant information prior to that further processing.
All additional rules regarding the right to prior information are contained in Article 13 of the Regulation.

3. Information to be provided if personal data have not been obtained from the data subject

3.1. If the controller has not obtained the personal data from the data subject, the controller is obliged, no later than one month from the date of obtaining the data, to inform the data subject of the facts and information described in point 2, about the category of personal data, the source of the personal data, or in certain cases, whether the data originates from publicly accessible sources: if personal data are used to contact the data subject, at least at the first contact with the person; or if they intend to transfer the data to other recipients, no later than the first transfer.
3.2. In other respects, the rules described in point 2 (Right to prior information) apply.
Detailed rules for this notification are contained in Article 14 of the Regulation.

4. Right of the data subject to access

4.1. The data subject has the right to obtain confirmation from the controller as to whether personal data concerning him or her are being processed, and, where that is the case, the right to access the personal data and the information specified in points 2 and 3 (Article 15 of the Regulation).
4.2. If personal data are transferred to a third country or an international organisation, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
4.3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
Detailed rules regarding the data subject’s right of access are contained in Article 15 of the Regulation.

5. Right to rectification

5.1. The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
5.2. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
These rules are contained in Article 16 of the Regulation.

6. Right to erasure (‘right to be forgotten’)

6.1. The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay if one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services directly to a child.
6.2. The provisions on data erasure do not apply if processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health;
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.
Detailed rules related to the right to data erasure are contained in Article 17 of the Regulation.

7. Right to restriction of processing

7.1. If processing is restricted, such personal data may only be processed with the data subject’s consent, except for storage, or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
7.2. The data subject has the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
d) the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
7.3. The data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.
Detailed rules are contained in Article 18 of the Regulation.

8. Obligation to notify rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Detailed rules are contained in Article 19 of the Regulation.

9. Right to data portability

9.1. The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent or on a contract; and
b) the processing is carried out by automated means.
9.2. In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another.
9.3. The exercise of the right to data portability shall be without prejudice to Article 17 (Right to erasure, i.e., “right to be forgotten”). That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This right shall not adversely affect the rights and freedoms of others.
Detailed rules are contained in Article 20 of the Regulation.

10. Right to object

10.1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6(1)(e) or (f), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
10.2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
10.3. At the latest at the time of the first communication with the data subject, the data subject shall be explicitly informed of this right, which shall be presented clearly and separately from any other information.
10.4. The data subject may exercise his or her right to object by automated means using technical specifications.
10.5. Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out in the public interest.
Detailed rules are contained in Article 21 of the Regulation.

11. Automated individual decision-making, including profiling

11.1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
11.2. Paragraph 1 shall not apply if the decision is:
a) necessary for entering into, or performance of, a contract between the data subject and a controller;
b) authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
c) based on the data subject’s explicit consent.
11.3. In the cases referred to in paragraph 2(a) and (c), the controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
Additional rules are contained in Article 22 of the Regulation.

12. Restrictions

By means of a legislative measure, Union or Member State law to which the controller or processor is subject may restrict the scope of the obligations and rights referred to in Articles 12 to 22 and Article 34, as well as Article 5, in so far as such a restriction respects the essence of the fundamental rights and freedoms.
The conditions for these restrictions are contained in Article 23 of the Regulation.

13. Notification of personal data breaches to the data subject

13.1. When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the following information and measures:
a) the name and contact details of the data protection officer or other contact point where more information can be obtained;
b) a description of the likely consequences of the personal data breach;
c) a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
13.2. The communication to the data subject shall not be required if any of the following conditions are met:
a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
Additional rules are contained in Article 34 of the Regulation.

14. Right to lodge a complaint with a supervisory authority

Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy.
These rules are contained in Article 77 of the Regulation.

15. Right to an effective judicial remedy against a supervisory authority

15.1. Without prejudice to any other administrative or non-judicial remedy, every natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
15.2. Without prejudice to any other administrative or non-judicial remedy, every data subject shall have the right to an effective judicial remedy if a supervisory authority competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months of the progress or outcome of the lodged complaint.
15.3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
15.4. Where proceedings are instituted against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall transmit that opinion or decision to the court.
These rules are contained in Article 78 of the Regulation.

16. Right to an effective judicial remedy against the controller or processor

16.1. Without prejudice to any other available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, the data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
16.2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
These rules are contained in Article 79 of the Regulation.