Privacy policy

ANNEX 1 OF THE DATA MANAGEMENT REGULATIONS

DATA MANAGEMENT NOTICE REGARDING THE RIGHTS OF INDIVIDUALS IN RELATION TO THE MANAGEMENT OF THEIR PERSONAL DATA

CONTENTS

INTRODUCTION

CHAPTER I – NAME OF THE DATA CONTROLLER

CHAPTER II – NAMES OF THE DATA PROCESSORS

1. The IT provider of our Company

2. The ticket system developer of our Company

CHAPTER III – ENSURING COMPLIANCE WITH DATA MANAGEMENT LAWS

1. Data management based on the consent of the data subject

2. Data management based on the fulfillment of legal obligations

3. Promotion of the rights of the data subject

CHAPTER IV – DATA MANAGEMENT OF VISITORS TO THE COMPANY'S WEBSITE – NOTICE ON THE USE OF COOKIES

CHAPTER V – NOTICE ON THE RIGHTS OF THE DATA SUBJECT

INTRODUCTION

Based on Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: the Regulation) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, the Data Controller is required to take appropriate actions to ensure that the data subject receives all necessary information regarding the management of their personal data in a concise, clear, transparent, understandable, and accessible format, and to ensure the conditions for the fulfillment of the rights of the data subject.

The obligation to inform the data subject in advance about the right to informational self-determination and freedom of information is also prescribed by Law CXII of 2011.

The text below fulfills our obligations as prescribed by the aforementioned laws and regulations.

This notice must be prominently displayed on the company's website or sent to the data subject upon their request.

CHAPTER I

NAME OF THE DATA CONTROLLER

The issuer of this notice, who is also the Data Controller:

Company Name: COMPANY FOR PRODUCTION, TRADE, AND SERVICES NBA2 PLAST DOO SREMSKA KAMENICA
Headquarters: Sremska Kamenica
Company Registration Number: 20111097
Tax ID: 104195702
Representative: Aleksandar Tasić
Phone Number: +381 63 498 033
Email Address: nba2plast@gmail.com
Website: nba2-plast.rs/sr

(hereinafter: the Company)

CHAPTER II

NAMES OF THE DATA PROCESSORS

A Data Processor is a natural or legal person, public authority, agency, or any other body that processes data on behalf of the Data Controller (Regulation, Article 4, point 8).

The use of a Data Processor does not require the prior consent of the data subject, but it is necessary to inform the data subject. In accordance with these regulations, we provide the following notice:

1. The IT Provider of the Company

The Company uses the services of a Data Processor, who provides IT services (hosting services) for the maintenance and management of its website and, within the scope of these services – in accordance with the content of the agreement between the two parties – manages the personal data left on the website by storing them on a server.

Name and details of the Data Processor:

Company Name: ErdSoft doo
Headquarters: 24000 Subotica, Somborski put 33a, Serbia
Company Registration Number: 21354619
Tax ID: 110478829
Representative: Daniel Erdudac
Phone Number: +381 60 44 60 555
Fax: None
Email Address: daniel.erdudac@erdsoft.com
Website: erdsoft.com

CHAPTER III

ENSURING COMPLIANCE WITH DATA MANAGEMENT LAWS

  1. Data Management with the Consent of the Data Subject

(1) When the Company wishes to manage data based on the consent of the data subject, it is necessary to obtain consent for the processing of personal data through a form whose content is defined by the data management regulations.

(2) Consent may also be expressed by the user ticking a box related to consent for data processing on the Company’s website, by performing appropriate technical settings related to the use of information society services, or by any other act or statement that clearly indicates the subject's consent to the planned processing of their personal data. Silence, pre-ticked boxes, or inactivity do not constitute consent.

(3) Consent covers all data management activities that are carried out for the same purpose or objectives. If data management serves multiple different purposes, consent must be obtained for each purpose of the data processing.

(4) If the data subject gives consent as part of a written statement that also relates to other purposes – for example, sales, or the conclusion of a service agreement – the consent must be obtained in a manner that is clear, simply expressed, understandable, and accessible, and clearly separated from other purposes. Parts of such statements that relate to consent and are not in accordance with the Regulation will not have legal force.

(5) The Company cannot condition the conclusion or execution of a contract on the provision of consent for the processing of personal data that is not necessary for the execution of the contract.

(6) Withdrawal of consent must be as easy as giving consent.

(7) If personal data is recorded with the consent of the data subject, the data controller may use this data without further consent, in accordance with legal regulations, even after the withdrawal of consent.

(8) The website does not intentionally collect data from minors (under 16 years of age). If data about a minor is inadvertently stored, it will be deleted immediately upon discovery.

  2. Data Management Based on Legal Obligations

(1) When data is managed based on legal obligations, the scope of data, the purpose of management, the retention period, and the data users are determined by law.

(2) Data management based on the fulfillment of legal obligations does not depend on the consent of the data subject, as it is mandatory by law. In this case, the data subject must be informed prior to the collection of data about the obligatory nature of the data collection, as well as all relevant facts related to data processing, with special emphasis on the purpose and legal basis of the processing, the entity authorized to manage the data, the data retention period, and the fact that the data will be processed in accordance with the law and who may have access to the data. The notice must also include the rights of the data subject and the possibilities for exercising those rights in relation to data management. In the case of mandatory data processing, the publication of a reference to the relevant legal regulations may be considered as notice.

  3. Promotion of the Rights of the Data Subject

The Company is obliged to ensure that in all activities related to data management, the data subject can exercise their rights.

CHAPTER IV

DATA MANAGEMENT OF WEBSITE VISITORS – COOKIE NOTICE

  1. Website visitors must be informed about the use of cookies, and for all cookies except those that are technically necessary for the session, the visitor's consent must be obtained.

  2. General Information About Cookies

2.1. A cookie is data that a website sends to the visitor's browser (in the form of a variable value) for storage, and the same website can later access the contents of the cookie. Cookies may be valid until the browser is closed or for an unlimited period. Later, with each HTTP(S) request, the browser sends this information to the server, altering the data on the user's device.

2.2. The essence of cookies is to identify the user (e.g., their login to the site) and ensure that in all subsequent interactions, they are treated appropriately. The risk lies in the fact that the user is not always aware of identification via cookies, which allows for the tracking of the user by the website owner or another provider whose content is embedded in the site (e.g., Facebook, Google Analytics). By tracking the user, a profile can be created, and in these cases, the content of the cookies is treated as personal data.

2.3. Types of cookies:

2.3.1. Technically necessary session cookies: without them, websites do not function properly, and they are used to identify the user, what they added to the cart, etc. Typically, the session ID is stored, while other data is stored on the server, making it more secure. From a security standpoint, if the value of the session cookie is not well generated, there is a risk of session hijacking, so it is necessary to generate these values correctly. In some terminologies, session cookies refer to all cookies that are deleted upon closing the browser.

2.3.2. Cookies that facilitate usage: these cookies remember user preferences – for example, in what format they want to view the site. These cookies essentially record setting data that is stored in cookies.

2.3.3. Performance cookies: although they do not have much to do with "performance," this is the name for cookies that collect information about user behavior, clicks, and time spent on the site. Typically, these are third-party cookies (such as Google Analytics, AdWords, or Yandex.ru). They are suitable for profiling visitors.

Learn more about Google Analytics cookies here: Analytics-cookies

Learn more about Google AdWords cookies here: Google support

2.4. Accepting or rejecting cookies is not mandatory. In the browser settings, you can set all cookies to be automatically rejected, or the browser can notify you when the system sends cookies. Most browsers automatically accept cookies, but the settings can usually be changed to prevent automatic acceptance and allow the user to choose between accepting or rejecting cookies each time.

See the links below for cookie settings in the most popular browsers:

• Google Chrome: Chrome support

• Firefox: Firefox support

• Microsoft Internet Explorer 11: Microsoft support 

• Microsoft Internet Explorer 10: Microsoft support 

• Microsoft Internet Explorer 9: Microsoft support

• Microsoft Internet Explorer 8: Microsoft support

• Microsoft Edge: Microsoft support

• Safari: Apple support

However, it should be noted that certain website functionalities or services may not function properly without cookies.

3. Information on Cookies Used on the Company's Website and Data Collected During Visits

3.1. Data Collected During Visits

Our website may record and manage the following information about the visitor or the device they are using:

  • IP address of the visitor,
  • Browser type,
  • Characteristics of the operating system on the visitor's device (including language settings),
  • Time of visit,
  • (Sub)pages, features, or services visited,
  • Clicks.

This data is stored for up to 90 days and is primarily used for testing security incidents.

3.2. Cookies Used on the Website

3.2.1. Technically Necessary Session Cookies

The purpose of managing this data is to ensure the proper functioning of the website. These cookies are necessary for visitors to browse the site smoothly and fully utilize all the functions and services it offers, including but not limited to visitor comments and identification of logged-in users during the visit. The duration of such cookies is limited to the session; they are automatically deleted from the user's device at the end of the session or when the browser is closed.

The legal basis for processing this data is Article 13/A, Paragraph 3 of the Act on Electronic Commerce and Information Society Services (CVIII/2001), which allows service providers to process personal data necessary for providing the service. Service providers must select and use tools for providing information society services in such a way that personal data is processed only when strictly necessary for providing the service and only to the extent and duration that is necessary.

3.2.2. Cookies That Facilitate Usage

These cookies remember user choices, such as how they want the site to be displayed. This setting data is stored in cookies.

The legal basis for processing this data is the consent of the visitors.

The purpose of managing the data is to improve the efficiency of the services, enhance the user experience, and make the website easier to use.

This data is stored on the user's device, and the website accesses it and uses it to recognize the visitor.

3.2.3. Performance Cookies

These cookies collect information about user behavior, time spent on the site, and clicks. They are usually used by third-party applications (e.g., Google Analytics, AdWords).

The legal basis for processing this data is the consent of the user.

The purpose of managing the data is to analyze the website and send promotional offers.

CHAPTER V

NOTICE ON THE RIGHTS OF THE DATA SUBJECT

I. Rights of the Data Subject, in Brief:

  1. Transparent information, communication, and modalities for the exercise of the rights of the data subject
  2. Right to prior information in case data is collected from the data subject
  3. Information to be provided if data is not collected from the data subject
  4. Right of access
  5. Right to rectification
  6. Right to erasure ("right to be forgotten")
  7. Right to restrict processing
  8. Obligation to notify about rectification, erasure, or restriction of processing
  9. Right to data portability
  10. Right to object
  11. Automated individual decision-making, including profiling
  12. Restrictions
  13. Notification of the data subject about a personal data breach
  14. Right to lodge a complaint with a supervisory authority
  15. Right to an effective judicial remedy against a supervisory authority
  16. Right to an effective judicial remedy against a data controller or processor.

II. Detailed Rights of the Data Subject:

1. Transparent Information, Communication, and Modalities for Exercising the Rights of the Data Subject

1.1. The controller shall take all necessary measures to provide the data subject with all information related to data processing in a clear, transparent, understandable, and easily accessible manner, using simple and comprehensible language, especially when it comes to information intended for children. Information may be provided in writing or by other means, including electronically, where appropriate. Upon request of the data subject, the information may also be provided orally, provided that the identity of the data subject is confirmed by appropriate means.

1.2. The controller shall facilitate the exercise of the data subject's rights.

1.3. The controller is obliged, upon request of the data subject, to provide information on the actions taken without undue delay and, at the latest, within one month of receipt of the request. This period may be extended by an additional two months if necessary, in which case the controller must inform the data subject of any such extension within the deadline.

1.4. If the controller does not act on the request of the data subject, they are obliged to inform the data subject immediately or, at the latest, within one month of receipt of the request, stating the reasons for not taking action and providing information on the possibility of lodging a complaint with a supervisory authority and seeking a legal remedy.

1.5. All provided data, communication, and actions taken shall be free of charge, except in cases prescribed by the Regulation where a fee may be charged.

Detailed rules are contained in Article 12 of the Regulation.

2. Right to Prior Information Provided – If Personal Data is Collected from the Data Subject

2.1. If personal data is collected from the data subject, the controller is obliged to provide the data subject with the following information at the time of data collection:

a) The identity and contact details of the controller, and, where applicable, the controller's representative;

b) The contact details of the data protection officer, where applicable;

c) The purposes of the processing for which the personal data is intended, as well as the legal basis for the processing;

d) If the processing is based on the legitimate interests of the controller or a third party, information about those interests;

e) The recipients or categories of recipients of the personal data, if any;

f) Where applicable, information about the controller’s intention to transfer personal data to a third country or international organization.

2.2. The controller, at the time of data collection, provides the data subject with the following additional information necessary to ensure fair and transparent processing:

a) The period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;

b) The existence of the right to request from the controller access to and rectification or erasure of personal data, restriction of processing, the right to object to processing, and the right to data portability;

c) If processing is based on the consent of the user, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

d) The right to lodge a complaint with a supervisory authority;

e) Information on whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failing to provide such data;

f) The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the expected consequences of such processing for the data subject.

2.3. If the controller intends to further process personal data for a purpose other than that for which the data was collected, the controller shall provide the data subject with information about that new purpose and all relevant information before that further processing.

Detailed rules regarding the right to prior information are contained in Article 13 of the Regulation.

3. Information Provided When Personal Data is Not Obtained from the Data Subject

3.1. If the controller obtains personal data from other sources, they are obliged to inform the data subject, no later than one month after obtaining the data, about the categories of collected data, the source of the data, and all the information mentioned in point 2. If the data is used to contact the data subject, the controller must provide this information at the latest at the time of the first contact. Additionally, if the controller intends to transfer the data to other users, they must inform the data subject at the latest at the time of the first transfer.

3.2. Other rules shall apply in accordance with the provisions of point 2 (Right to Prior Information).

Detailed rules for this notice are contained in Article 14 of the Regulation.

4. Right of Access by the Data Subject

4.1. The data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and information specified in points 2 and 3 (Article 15 of the Regulation).

4.2. Where personal data is transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 of the Regulation relating to the transfer.

4.3. The controller is obliged to provide a copy of the personal data undergoing processing. For any additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

Detailed rules regarding the right of access by the data subject are contained in Article 15 of the Regulation.

5. Right to Rectification

5.1. The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them.

5.2. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

These rules are contained in Article 16 of the Regulation.

6. Right to Erasure ("Right to be Forgotten")

6.1. The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller is obliged to erase the personal data without undue delay where one of the following grounds applies:

a) The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

b) The data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;

c) The data subject objects to the processing, and there are no overriding legitimate grounds for the processing;

d) The personal data has been unlawfully processed;

e) The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

f) The personal data has been collected in relation to the offer of information society services to a child.

6.2. This provision does not apply to the extent that processing is necessary:

a) For exercising the right of freedom of expression and information;

b) For compliance with a legal obligation that requires processing under Union or Member State law, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) For reasons of public interest in the area of public health;

d) For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, where the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e) For the establishment, exercise, or defense of legal claims.

Detailed rules regarding the right to erasure are contained in Article 17 of the Regulation.

7. Right to Restrict Processing

7.1. When processing is restricted, such personal data may only be processed with the consent of the data subject, except for storage, or for the establishment, exercise, or defense of legal claims, the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State.

7.2. The data subject has the right to request a restriction of processing from the controller if one of the following conditions is met:

a) The data subject contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;

b) The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;

c) The controller no longer needs the personal data for processing purposes, but the data is required by the data subject for the establishment, exercise, or defense of legal claims; or

d) The data subject has objected to processing, pending the verification of whether the legitimate grounds of the controller override those of the data subject.

7.3. The data subject who has obtained a restriction of processing must be informed by the controller before the restriction is lifted.

Detailed rules are contained in Article 18 of the Regulation.

8. Obligation to Notify About Rectification or Erasure of Personal Data or Restriction of Processing

The controller is obliged to inform all recipients to whom the personal data has been disclosed about any rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort. The controller must inform the data subject about those recipients if the data subject requests it.

Detailed rules are contained in Article 19 of the Regulation.

9. Right to Data Portability

9.1. The data subject has the right to receive their personal data, which they have provided to a controller, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to whom the personal data was provided, where:

a) The processing is based on consent or on a contract; and

b) The processing is carried out by automated means.

9.2. When exercising the right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

9.3. Exercising the right to data portability does not affect the right to erasure ("right to be forgotten") as provided in Article 17 of the Regulation. This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This right must not adversely affect the rights and freedoms of others.

Detailed rules are contained in Article 20 of the Regulation.

10. Right to Object

10.1. The data subject has the right to object, at any time, to the processing of their personal data which is based on Article 6(1)(e) or (f) of the Regulation, including profiling based on those provisions, on grounds relating to their particular situation. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

10.2. Where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such marketing, including profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

10.3. The data subject must be explicitly informed of the right to object at the latest at the time of the first communication with them, in a clear manner and separately from any other information.

10.4. The data subject may exercise their right to object by automated means using technical specifications.

10.5. Where personal data is processed for scientific or historical research purposes or statistical purposes, the data subject has the right to object, on grounds relating to their particular situation, to the processing of their personal data, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Detailed rules are contained in Article 21 of the Regulation.

11. Automated Individual Decision-Making, Including Profiling

11.1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

11.2. Paragraph 1 does not apply if the decision:

a) Is necessary for entering into, or performance of, a contract between the data subject and a data controller;

b) Is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

c) Is based on the data subject's explicit consent.

11.3. In the cases referred to in points (a) and (c) of paragraph 2, the controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.

Detailed rules are contained in Article 22 of the Regulation.

12. Restrictions

On the basis of Union or Member State law to which the controller or processor is subject, a legal measure may restrict the scope of obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5, provided that such a restriction respects the essence of the fundamental rights and freedoms.

The conditions for these restrictions are contained in Article 23 of the Regulation.

13. Notification of Personal Data Breach to the Data Subject

13.1. Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and shall at least include:

a) The name and contact details of the data protection officer or other contact points where more information can be obtained;

b) A description of the likely consequences of the personal data breach;

c) A description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

13.2. The communication to the data subject is not required if any of the following conditions are met:

a) The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;

b) The controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;

c) It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

Detailed rules are contained in Article 34 of the Regulation.

14. Right to Lodge a Complaint with a Supervisory Authority

Every data subject has the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work, or place of the alleged infringement, if the data subject considers that the processing of personal data relating to them infringes this Regulation. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy.

These rules are contained in Article 77 of the Regulation.

15. Right to an Effective Judicial Remedy Against a Supervisory Authority

15.1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

15.2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the competent supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.

15.3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

15.4. Where proceedings are brought against a decision of a supervisory authority that was preceded by an opinion or decision of the Board under the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

These rules are contained in Article 78 of the Regulation.

16. Right to an Effective Judicial Remedy Against a Controller or Processor

16.1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, the data subject shall have the right to an effective judicial remedy where they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.

16.2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has their habitual residence, except where the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

These rules are contained in Article 79 of the Regulation.
