Law on personal data protection
Oktopaz d.o.o., with its registered office in Belgrade at the address Ustanička 141, has the status of the Controller in the sense of the definition from the Law on Personal Data Protection (“Official Gazette”, No. 87/2018, hereinafter ZZPL – “Zakon o zaštiti podataka o ličnosti”).
When processing personal data, the Controller:
- Ensures that the collection and further processing of personal data is always based on an adequate legal basis
- Ensures that the processing is performed respecting the rights of the data subject, taking care to consistently provide such a person with adequate assistance in exercising all guaranteed rights
- Regularly publishes and makes publicly available all relevant information related to processing
- Ensures that the collection and further processing of personal data is done exclusively for a specific purpose
- Collects and processes only the minimum amount of personal data necessary to achieve a specific purpose
- Collects and processes personal data only for the period necessary to achieve the purpose for which they were collected
- Ensures that collected personal data is accurate and current
- Ensures that data is protected from unauthorised or illegal access by internal or external persons.
Starting from the basic principles, the Controller hereby informs the data subjects about all critical aspects of collecting and processing their personal data.
1. What is personal data?
Personal data is any data relating to a natural person and identifying that person, directly or indirectly, and in particular based on an identity mark, such as name and identification number, location data, an identifier in electronic communications networks, or one or more characteristics of his physical, physiological, genetic, mental, economic, cultural and social identity.
2. What personal data is collected by the Controller and from which category of persons whose data are processed?
The Controller collects personal data directly from the users of its services (hereinafter: the data subject) to the extent necessary to achieve a specific purpose, as follows:
- Basic identification data (name and surname)
- Contact information (address, contact phone and e-mail address, account information on social networks).
3. How is personal data collected?
The Controller collects personal data directly from the person to whom the data relates or indirectly from other publicly available sources (Internet, advertisements …).
Cookies are small text files stored on your device (computer, tablet or mobile phone) via your browser primarily to enhance the convenience of using the site, enable certain functions, and make visiting our website attractive.
5. What is the legal basis for data processing?
Data processing is allowed only if performed according to the ZZPL. Thus, the Controller processes personal data in the following cases:
- If the data subject has consented to the processing of his or her personal data for one or more specified purposes
- If the processing is necessary for the execution of the contract concluded with the data subject or for taking action before the conclusion of the contract, at the request of the data subject
- If the processing is necessary in order to achieve the legitimate interests of the Controller or a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of their personal data, especially if the data relates to a minor.
For consent-based processing, consent is voluntary and can be withdrawn at any time.
6. What is the purpose of processing personal data?
The Controller collects and processes personal data to:
- Create a customer database
- Inform the persons whose data are processed about users’ activities (for example, through the Newsletter or communication via social networks).
7. How are personal data stored, and what protection measures are applied?
Personal data are stored and kept by the Controller in its internal electronic records (databases), to which it applies all necessary organisational, technical and personnel protection measures per the requirements of the applicable ZZPL, including:
- Control of physical access to the system where personal data is stored
- Data access control
- Data transfer control
- Data entry control
- Data availability control
- Other information security measures necessary for the protection of personal data.
8. What rights do the persons whose data are processed have?
Concerning personal data, the person whose data were collected has the following rights:
- The right to request from the Controller access to personal data and information related to processing
- The right to request correction of incorrectly entered data and supplementation of such data
- The right to request the deletion of data
- The right to restrict processing
- The right to transfer data to another controller
- The right not to be subject to a decision made solely based on automated processing, including profiling
- The right to be informed of a personal data breach, if that personal data breach may pose a high risk to the rights and freedoms of individuals
- The right to lodge a complaint to the Commissioner for information of public importance and personal data protection – Bulevar kralja Aleksandra 15, 11120 Belgrade, phone: +381 11 3408900, e-mail: firstname.lastname@example.org
- The right to judicial protection if he/she considers that his/her rights under the ZZPL have been violated
- Other rights guaranteed by the applicable ZZPL.
In relation to the exercise of his/her rights, the Controller will provide the person whose data have been collected with all necessary additional information, as well as assistance, in accordance with the conditions and in the manner prescribed by the applicable ZZPL.
9. Who besides the Controller can have access to the data?
The Controller may also provide personal data to third parties, some of whom are processors and data recipients. According to the applicable ZZPL, the processor is a natural or legal person or public authority that processes personal data on behalf of the Controller. The recipient of data is a natural or legal person or public authority to which personal data are disclosed, regardless of whether it is a third party or not.
The categories of persons who may have access to personal data:
- Employees and otherwise engaged persons with the Controller
- Clients, i.e. users of the Controller’s services
- Partner organisations or collaborators on individual projects
- IT companies that maintain the information systems of the Controller in which the data is stored.
Some processors who can access personal data are based in foreign countries, primarily in the member states of the European Union / European Economic Area. The transfer of data to the European Union / European Economic Area countries is done based on the default level of adequate protection of personal data in those countries by the law.
All processors conclude special agreements that regulate all essential aspects of personal data processing and protection measures. Exceptionally, the Controller may submit personal data to the competent state authorities only to the extent necessary to fulfil a specific legal obligation.
10. How long do we process your personal data?
We process your personal data for as long as necessary to achieve the purpose of processing, i.e. until the revocation of consent (if the processing is based on consent), unless longer data processing is necessary due to a legal obligation (e.g. an accounting obligation) or the filing, realisation, or defence of a legal claim.
11. European Economic Area and Switzerland (“Europe”)
At Oktopaz, we acknowledge European data protection laws, including the General Data Protection Regulation (“GDPR”) from 25 May 2018 and other national data protection legislation in Europe, that grant you the following additional rights:
- The right to file a complaint with the competent data protection regulator regarding the compliance of Oktopaz with data protection laws
- The right to withdraw consent where Oktopaz relies on it to process your personal data.
12. California privacy rights
13. How additional processing notifications can be obtained
Regarding all issues related to the processing of personal data, the person whose data are processed may contact the person in charge of personal data protection by e-mail at email@example.com.