Privacy policy

Appendix 1 of the Data Management Policy

INFORMATION ON THE RIGHTS OF INDIVIDUALS REGARDING THE PROCESSING OF THEIR PERSONAL DATA

INTRODUCTION

I. CHAPTER – NAME OF THE DATA CONTROLLER ORGANIZATION

II. CHAPTER – NAME OF DATA PROCESSING ORGANIZATIONS

1. Our company's IT service provider

2. Developer of our company's mapping system

CHAPTER III – ENSURING COMPLIANCE WITH DATA PROCESSING LAWS

1. Data processing based on the consent of the individual to whom the data pertains

2. Data processing based on the fulfillment of legal obligations

3. Promoting the rights of individuals affected by the data

IV. CHAPTER – HANDLING VISITOR DATA ON THE COMPANY'S WEBSITE – NOTICE ON THE USE OF COOKIES

V. CHAPTER – NOTICE ON THE RIGHTS OF INDIVIDUALS TO WHOM THE DATA PERTAINS

INTRODUCTION

In accordance with the EUROPEAN PARLIAMENT AND COUNCIL (EU) 2016/679 REGULATION (hereinafter: Regulation), which relates to the protection of personal data and the free movement of such data, and the repeal of Regulation 95/46/EC, the Data Controller must take appropriate measures to ensure that individuals whose data is collected receive all necessary information regarding the processing of personal data in a concise, clear, transparent, understandable, and accessible manner. Additionally, the Data Controller must ensure the conditions for the exercise of rights by the individuals whose data is collected.

The preliminary information obligation regarding the right to informational self-determination and freedom of information is also amended by Act CXII of 2011.

The following text fulfills our obligations as required by the aforementioned laws and regulations.

The notice must be posted on the company's website and must be sent upon request to the individual whose data is collected.

I. CHAPTER – NAME OF THE DATA CONTROLLER ORGANIZATION

The issuer of the notice and the Data Controller:

Company name: PROIZVODNO PREDUZEĆE PLASTEKS DOO, KORENITA

Headquarters: Korenita

Company registration number: 17043706

Tax number: 101923161

Representative: Zlatan Tejić

Phone numbers: 063 / 7796 391

Email address: zlatantejic@gmail.com

Website: plasteks-gajbice.rs/sr

(hereinafter: Company)

CHAPTER II – NAME OF DATA PROCESSING ORGANIZATIONS

Entity processing the data: natural or legal person, public authority, agency, or any other body processing data on behalf of the data controller; (Rule 4, Article 8)

The engagement of data processors is not related to the prior consent of the data subject but requires informing the data subject. In accordance with this policy, we provide the following notice:

1. The Company's IT service provider

To maintain and manage the company's website, the data controller engages the services of the data processor, which provides IT services (hosting services) and, within these services, processes personal data according to the terms of the contract between the two parties. The data processed includes data stored on the server.

Name and details of the data processor:

Company name: ErdSoft doo

Headquarters: 24000 Subotica, Somborski put 33a, Serbia

Company registration number: 21354619

Tax number: 110478829

Representative: Daniel Erdudac

Phone number: +381 60 44 60 555

Fax: none

Email address: daniel.erdudac@erdsoft.com

Website: erdsoft.com

 

Chapter III: Ensuring Compliance with Data Processing Laws

1. Data Processing Based on the Data Subject’s Consent

1. If the Company intends to carry out data processing based on consent, it must obtain the necessary consent from the data subject when completing the data form, the content of which is determined by the data processing policy.

2. Consent also includes cases where the user checks the data processing consent box on the Company’s website, performs the necessary technical settings when using information society services, or provides any other statement or action that clearly indicates the data subject’s consent to the planned processing of personal data. Silence, pre-checked boxes, or lack of action do not constitute consent.

3. Consent applies to all data processing activities conducted for the same purpose. If data processing serves multiple different purposes, separate consent must be obtained for each purpose.

4. If the data subject provides written consent that also refers to other purposes (e.g., entering into a sales or service contract), the consent must be requested clearly, simply, understandably, accessibly, and separately from other purposes. Statements that do not meet these requirements are not legally binding.

5. The Company cannot condition the conclusion or performance of a contract on the consent to process personal data that is not necessary for the performance of the contract.

6. The withdrawal of consent must be as easy as giving consent.

7. If personal data is recorded with the consent of the data subject, the data controller may use the recorded data to fulfill legal obligations without additional consent, and also after the withdrawal of consent if permitted by law.

8. The site does not specifically collect data from minors (under 16). If data from minors is collected, it will be promptly deleted upon discovery.

2. Data Processing Based on Legal Obligations

1. If data processing is carried out to fulfill legal obligations, the scope of the data, the purpose of processing, the duration of data storage, and the data users are determined by law.

2. Such data processing does not depend on the data subject’s consent, as it is required by law. Before data collection, the data subject must be informed that the data collection is mandatory, and the purpose, legal basis, the data controller, the duration of processing, the scope of the personal data processed, and the scope of data access must be communicated in detail and clearly. The notification must also include the data subject’s rights and how to exercise them. For mandatory data processing, the notification must also include a description of the legal provisions.

3. Promotion of the Data Subject's Rights

The Company must ensure that the data subject can exercise their rights in every data processing activity.

Chapter IV: Handling Visitor Data on the Company’s Website – Notification on the Use of Cookies

1. Visitors to the website must be informed about the use of cookies, and except for technically necessary session cookies, visitor consent must be obtained in all other cases.

2. General Information About Cookies

2.1. A cookie is a piece of data sent by the visited website to the visitor's browser for storage purposes, which the same website can later retrieve. Cookies may be valid until the browser is closed or for an indefinite period. Subsequently, the browser sends this information to the server with every HTTP(S) request.

2.2. The essence of cookies is to mark and identify the user (e.g., when logging into the site) and to handle the user accordingly in all subsequent cases. The risk lies in the fact that users may not always know that cookies identify them, which allows the website owner or other service providers to track the user and create a profile. In such cases, the content of cookies is treated as personal data.

2.3. Types of Cookies:

2.3.1. Technically Necessary Session Cookies: These are essential for the website to function properly. They help identify the user when they access the site, what they place in their cart, etc. From a security perspective, it is important that these values are generated correctly.

2.3.2. Cookies That Facilitate Use: These cookies remember user preferences, such as how they wish to view the site.

2.3.3. Performance Cookies: These collect information about user behavior, clicks, and time spent on the visited pages and are generally from third parties (e.g., Google Analytics, AdWords).

2.4. Accepting or enabling cookies is not mandatory. Browser settings can be adjusted to automatically reject all cookies or notify the user when cookies are sent. Most browsers accept cookies by default, but settings can be changed to prevent automatic acceptance, allowing the user to choose between accepting or rejecting cookies.

Please refer to the following links for cookie settings in the most popular browsers:

• Google Chrome: Chrome support

• Firefox: Firefox support

• Microsoft Internet Explorer 11: Microsoft support 

• Microsoft Internet Explorer 10: Microsoft support 

• Microsoft Internet Explorer 9: Microsoft support

• Microsoft Internet Explorer 8: Microsoft support

• Microsoft Edge: Microsoft support

• Safari: Apple support

1. However, it should be noted that certain functions of the site or service may not operate properly without cookies.

2. Information on Cookies Used on the Company’s Website and Data Generated During Visits

2.1. Data Handled During Visits

Our website may record and manage the following information about the visitor or their device:

  • The visitor's IP address,
  • Browser type,
  • Characteristics of the operating system used by the visitor's device (configured language),
  • Time of visit,
  • The (sub)websites, features, or services visited,
  • Clicks.

These data are stored for up to 90 days and are primarily used for testing security incidents.

2.2. Cookies Used on the Website

2.2.1. Technically Necessary Session Cookies

The purpose of data processing is to ensure the proper functioning of the website. These cookies are needed for visitors to browse the website without issues and to fully utilize all the features and services available on the site, including—particularly—the ability to remember visitor preferences on a specific site or the identity of a logged-in user during a visit. The duration of cookie handling is limited to the visitor's current session, and this type of cookie is automatically deleted from the user's computer at the end of the session or when the browser is closed.

The legal basis for processing this data is Section 13/A (3) of Act CVIII of 2001 on Electronic Commerce and Certain Aspects of Information Society Services, which states that a service provider may handle personal data technically necessary for the provision of the service. Under unchanged conditions, service providers must select and use tools for providing information society services so that personal data is only processed when absolutely necessary for providing the service or for other purposes specified by this Act, and even then, only to the extent and duration necessary.

2.2.2. Cookies That Facilitate Use

These cookies remember user preferences, such as how the user wishes to view the site. Such cookies essentially store settings data.

The legal basis for processing this data is the visitor's consent.

The purpose of data processing is to enhance service efficiency, improve user experience, and ensure more convenient use of the site.

These data are stored on the user's computer, and the website can only access and recognize the visitor based on this information.

2.2.3. Performance Cookies

This type of cookie collects information about user behavior, time spent, and clicks on the pages viewed by the user. These cookies are typically tracked by third-party applications (e.g., Google Analytics, AdWords).

The legal basis for processing this data is the data subject's consent.

The purpose of data processing is to analyze the website and send promotional offers.

 

V. CHAPTER: NOTIFICATION ON THE RIGHTS OF DATA SUBJECTS

I. Summary of Data Subject Rights:

  • Transparent information, communication, and methods for exercising rights for data subjects.
  • Right to prior information when personal data is collected from the data subject.
  • Information if personal data is obtained from sources other than the data subject.
  • Right of access.
  • Right to rectification.
  • Right to erasure ("right to be forgotten").
  • Right to restriction of processing.
  • Obligation to notify about rectification, erasure, or restriction of processing.
  • Right to data portability.
  • Right to object.
  • Automated decision-making and profiling.
  • Limitations.
  • Notification of data security breaches to the data subject.
  • Right to lodge a complaint with the supervisory authority.
  • Right to an effective remedy against the supervisory authority.
  • Right to an effective remedy against the data controller or processor.

II. Detailed Information on Data Subject Rights:

1. Transparent Information, Communication, and Methods for Exercising Rights:

1.1. The data controller takes appropriate measures to ensure that all information related to data processing is provided to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Information can be provided in writing or by other means, including electronically. Upon request, information can also be provided orally, provided that the data subject's identity is verified by other means.

1.2. The controller facilitates the exercise of data subject rights.

1.3. The data controller, upon request, will provide information on the actions taken without undue delay, but no later than one month from the receipt of the request. This deadline may be extended by a further two months if necessary, with notification of the extension provided to the data subject.

1.4. If the controller does not comply with the data subject's request, it will inform the data subject within one month, along with reasons, of the possibility to lodge a complaint and the legal remedies available to them with the supervisory authority.

1.5. Information, communication, and actions are free of charge, but a fee may be charged in certain cases.

2. Right to Prior Information When Collecting Personal Data from the Data Subject:

2.1. When collecting personal data from the data subject, the data controller must provide the following information: a) The contact details of the controller and its representative. b) The contact details of the data protection officer, if applicable. c) The purpose and legal basis for the data processing. d) The legitimate interests pursued by the controller or a third party. e) Categories of data recipients or categories of recipients. f) Information about any transfer of personal data to a third country or international organization.

2.2. The data controller must also provide the following additional information: a) The retention period or criteria used to determine the period. b) The data subject's rights to access, rectification, erasure, restriction, objection, and data portability. c) If the processing is based on consent, the right to withdraw consent. d) The right to lodge a complaint with the supervisory authority. e) The legal or contractual obligations to provide data and the consequences of failing to provide the data. f) The logic involved in automated decision-making and profiling, and the significance and consequences of such processing for the data subject.

2.3. If the data controller intends to use personal data for another purpose, it will provide prior information to the data subject about the new purpose and all relevant information.

3. Information if Personal Data is Not Collected from the Data Subject:

3.1. The data controller will inform the data subject within one month of the data acquisition about the category of personal data, the source of the data, and whether the data comes from publicly accessible sources. Information will be provided if the data was obtained during the first contact with the data subject or when data was transferred to other users. Further rules on the right to prior information are found in Article 14 of the Regulation.

4. Right of Access:

4.1. The data subject has the right to request confirmation from the data controller as to whether personal data concerning them is being processed, and to access the data and related information (according to Article 15 of the Regulation). If data is transferred to a third country or an international organization, the data subject will be informed about the appropriate safeguards related to the transfer in accordance with Article 46. The data controller will provide a copy of the personal data being processed, and may charge a reasonable fee for additional copies.

5. Right to Rectification:

5.1. The data subject has the right to request the rectification of inaccurate personal data without undue delay. The data subject has the right to complete incomplete personal data, for example, by providing a supplementary statement.

6. Right to Erasure ("Right to be Forgotten"):

6.1. The data subject has the right to request the erasure of their personal data without undue delay if any of the following conditions are met: a) The data is no longer necessary for the purposes for which it was collected. b) The data subject withdraws their consent, and there is no other legal basis for processing. c) The data subject objects to the processing, and there are no overriding legitimate grounds for processing. d) The data has been processed unlawfully. e) The erasure of the data is necessary for compliance with a legal obligation. f) The data was collected in relation to offering information society services to children.

6.2. The right to erasure does not apply if processing is necessary for: a) Exercising the right of freedom of expression and information. b) Compliance with a legal obligation or for the performance of a task carried out in the public interest. c) Public health purposes in the public interest. d) Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. e) The establishment, exercise, or defense of legal claims.

7. Right to Restriction of Processing:

7.1. The data subject may request the restriction of processing if: a) The data subject contests the accuracy of the data (during the restriction period, the data controller verifies the data's accuracy). b) The processing is unlawful, and the data subject requests restriction of processing instead of erasure. c) The data controller no longer needs the data, but the data subject requires it for the establishment, exercise, or defense of legal claims. d) The data subject has objected to processing (during the restriction period, it is determined whether the data controller's legitimate grounds override those of the data subject).

7.2. In the case of restriction, personal data may still be stored, but it may only be processed in other ways with the data subject’s consent, for the establishment, exercise, or defense of legal claims, or for reasons of substantial public interest.

7.3. The data controller will notify the data subject when the restriction of processing is lifted.

Detailed rules are provided in Article 18 of the Regulation.

8. Notification Obligation Regarding Rectification, Erasure, and Restriction of Processing:

The Controller is required to notify all recipients to whom personal data has been disclosed of any rectification, erasure, or restriction of processing, except where this proves impossible or involves a disproportionate effort. The Controller will inform the data subject of such recipients if requested.

Detailed rules are found in Article 19 of the Regulation.

9. Right to Data Portability:

9.1. The data subject has the right to receive the personal data concerning them, which they have provided to the data controller, in a structured, commonly used, and machine-readable format, and to transmit those data to another data controller if: a) The processing is based on consent or a contract; and b) The processing is carried out by automated means.

9.2. The data subject has the right to request the direct transmission of their personal data from one data controller to another, where technically feasible.

9.3. Exercising the right to data portability does not affect the right to erasure ("right to be forgotten") under Article 17. This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller and must not adversely affect the rights and freedoms of others.

Detailed rules are provided in Article 20 of the Regulation.

10. Right to Object:

10.1. The data subject has the right to object to the processing of their personal data, based on Article 6(1)(e) or (f), if the objection is related to their particular situation, including profiling. The data controller shall then cease processing the personal data unless they demonstrate compelling legitimate grounds for the processing which override the data subject’s interests, rights, and freedoms, or if the processing is for the establishment, exercise, or defense of legal claims.

10.2. Where personal data is processed for direct marketing purposes, the data subject has the right to object to the processing of their personal data for such marketing, including profiling related to such direct marketing. After an objection, further processing of the data for such marketing purposes is not permitted.

10.3. The data subject must be informed of their right to object at the latest at the first point of contact, clearly and separately from other information.

10.4. The right to object may be exercised automatically based on technical specifications.

10.5. If personal data is processed for scientific, historical research, or statistical purposes, the data subject has the right to object to the processing based on their particular situation, unless the processing is necessary for the performance of a task carried out in the public interest.

Detailed rules are provided in Article 21 of the Regulation.

11. Automated Individual Decision-Making, Including Profiling:

11.1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces significant effects concerning them.

11.2. The provisions of paragraph 1 do not apply if the decision: a) Is necessary for entering into, or performance of, a contract between the data subject and the data controller; b) Is authorized by Union or Member State law which also provides for suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or c) Is based on the data subject’s explicit consent.

11.3. In the cases referred to in (a) and (c), the data controller must implement suitable measures to safeguard the data subject’s rights, including the right to obtain human intervention, to express their point of view, and to contest the decision.

Further rules can be found in Article 22 of the Regulation.

12. Restrictions:

Union or Member State law, which applies to the data controller or processor, may restrict the obligations and rights specified in Articles 12 to 22 and Article 34, as well as Article 5. Such restrictions must respect the essence of fundamental rights and freedoms.

The conditions for restrictions are set out in Article 23 of the Regulation.

13. Notification of a Personal Data Breach:

13.1. If a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must notify those individuals without undue delay. The notification should be clear and in plain language, describing the nature of the data breach and providing the following information: a) The name and contact details of the data protection officer or other contact point; b) A description of the likely consequences of the data breach; c) A description of the measures taken or proposed to be taken to address the data breach and mitigate its possible adverse effects.

13.2. Notification to the data subject is not required if: a) The controller has implemented appropriate technical and organizational protection measures, such as encryption, that render the data unintelligible to unauthorized persons; b) The controller has taken subsequent measures to ensure that the high risk to rights and freedoms is no longer likely to materialize; or c) Notification would involve disproportionate effort. In such cases, a public communication or similar measure should be used to inform the data subjects.

Further rules are provided in Article 34 of the Regulation.

14. Right to Lodge a Complaint with a Supervisory Authority:

Any data subject has the right to lodge a complaint with a supervisory authority, especially in the Member State where their habitual residence, place of work, or the alleged infringement occurred, if they believe that the processing of their personal data infringes the Regulation. The supervisory authority will inform the complainant of the progress and outcome of the complaint, including available remedies.

Detailed rules are provided in Article 77 of the Regulation.

15. Right to an Effective Judicial Remedy Against a Supervisory Authority:

15.1. Without prejudice to any other administrative or judicial remedy, every natural or legal person has the right to an effective remedy against a legally binding decision of a supervisory authority.

15.2. Without prejudice to any other administrative or judicial remedy, every data subject has the right to an effective remedy if the supervisory authority does not handle the complaint or fails to inform the data subject within three months of the progress or outcome of the complaint.

15.3. Actions against supervisory authorities shall be brought before the courts of the Member State where the supervisory authority is established.

15.4. If proceedings are initiated against a decision of the supervisory authority, the authority shall forward the opinion or decision to the court.

Further rules are provided in Article 78 of the Regulation.

16. Right to an Effective Judicial Remedy Against a Data Controller or Processor:

16.1. Without prejudice to any other administrative or judicial remedy, the data subject has the right to an effective remedy if they consider that their rights have been infringed by the processing of personal data in violation of the Regulation.

16.2. Proceedings against a data controller or processor shall be brought before the courts of the Member State where the data controller or processor is established, or in the Member State where the data subject resides, except where the data controller is a public authority of a Member State.

Further rules are provided in Article 79 of the Regulation.
