1. Annex to the Data Management Policy
NOTICE ON DATA MANAGEMENT REGARDING THE RIGHTS OF INDIVIDUALS IN RELATION TO THE MANAGEMENT OF THEIR PERSONAL DATA
CONTENT
INTRODUCTION
CHAPTER I – NAME OF THE DATA CONTROLLER
CHAPTER II – NAMES OF DATA PROCESSORS
- IT service provider of our Company
- Ticketing system developer of our Company
CHAPTER III – ENSURING COMPLIANCE WITH DATA MANAGEMENT LAWS
- Data management based on consent from the data subject
- Data management based on the fulfillment of legal obligations
- Promotion of the rights of the data subjects
CHAPTER IV – DATA MANAGEMENT OF WEBSITE VISITORS – COOKIE (COOKIES) USAGE NOTICE
CHAPTER V – NOTICE ON THE RIGHTS OF DATA SUBJECTS
INTRODUCTION
Based on REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (hereinafter: Regulation), which pertains to the protection and free movement of personal data, and the repeal of Directive 95/46/EC, the Data Controller must take appropriate actions to ensure that the data subject is provided with all necessary information regarding the management of personal data in a concise, clear, transparent, comprehensible, and accessible form, as well as to ensure the conditions for the fulfillment of the rights of the data subject.
The obligation to inform the data subject in advance about the right to informational self-determination and freedom of information is also stipulated by Act CXII of 2011.
The following text fulfills our obligations as required by the aforementioned laws and regulations.
The notice should be prominently displayed on the company’s website or sent to the data subject upon their request.
CHAPTER I
NAME OF THE DATA CONTROLLER
The issuer of this notice, also the Data Controller:
Company Name: EKO TRAKA BP
Headquarters: Beograd
Company Registration Number: 20035374
Tax ID: 103845291
Representative: Ljubomir Aleksić
Phone Number:
Email Address: ekotraka@ekotraka.rs
Website: www.ekotraka.rs
(hereinafter: the Company)
CHAPTER II
NAMES OF DATA PROCESSORS
A data processor is an individual or legal entity, a governmental body, agency, or any other organization that processes data on behalf of the data controller; (Regulation, Article 4, Paragraph 8.)
The use of a data processor is not dependent on prior consent from the data subject, but it is necessary to inform the data subject. In accordance with these regulations, we provide the following notice:
- IT Service Provider of the Company
The company uses the services of a data processor that provides IT services (hosting services) for the maintenance and management of its website, and within these services – in accordance with the contract between the two parties – manages the personal data left on the website by storing them on the server.
Name and details of the data processor:
Company Name: ErdSoft LLC
Headquarters: 24000 Subotica, Somborski Put 33a, Serbia
Company Registration Number: 21354619
Tax ID: 101801079
Representative: Daniel Erdudac
Phone Number: +381 60 44 60 555
Fax: none
Email Address: daniel.erdudac@erdsoft.com
Website: erdsoft.com
III. ENSURING COMPLIANCE WITH DATA MANAGEMENT LAWS
Data Management Based on Consent
The Company must obtain consent for managing personal data through a form, the content of which is defined by the data management policy.
Consent can be given by marking a field on a website or through other clear statements. Silence or pre-checked fields do not constitute consent.
Consent covers all activities related to data management with the same purpose. For different purposes, separate consent must be sought.
If consent is part of a broader written statement, it must be clear and separate from other purposes.
Consent for data management cannot be a condition for entering into a contract.
Withdrawing consent must be as easy as giving it.
If data is collected with consent, it can be used to fulfill legal obligations without additional consent and after consent is withdrawn.
Data on minors is not collected and is deleted once its existence is known.
Data Management Based on Legal Obligations
The scope, purpose, retention period, and users of the data are determined by laws.
Data management based on legal obligations does not depend on the data subject’s consent. The individual must be informed of the mandatory data collection and all relevant facts.
The notice may include the publication of legal regulations containing the necessary information.
Promotion of Data Subject Rights
The Company must enable individuals to exercise their rights in all data management activities.
CHAPTER IV
DATA MANAGEMENT OF WEBSITE VISITORS – COOKIE (COOKIES) USAGE NOTICE
Website visitors must be informed about the use of cookies, except for technically necessary ones, and consent must be obtained for all other cookies.
General Information About Cookies:
Cookies are data that a website sends to the browser for storage and later use. They can be temporary or persistent and are used to identify users. There is a risk that users may not be aware that cookies identify them, which can allow user tracking.
Types of Cookies:
- Technically Necessary: Essential for the functionality of the site (e.g., session ID).
- Functional Cookies: Remember user choices (e.g., site layout).
- Performance Cookies: Collect data on user behavior (e.g., Google Analytics).
Information About Cookies on the Company’s Website:
Data collected during a visit:
- IP address, browser type, operating system features, visit time, pages, and clicks. Retained for up to 90 days for security purposes.
Types of Cookies:
- Technically Necessary: Ensure site functionality and are deleted after the session.
- Functional Cookies: Remember user choices and require visitor consent.
- Performance Cookies: Analyze user behavior and send promotional offers, requiring visitor consent.
See the links below for cookie settings in popular browsers:
• Google Chrome: Chrome support
• Firefox: Firefox support
• Microsoft Internet Explorer 11: Microsoft support
• Microsoft Internet Explorer 10: Microsoft support
• Microsoft Internet Explorer 9: Microsoft support
• Microsoft Internet Explorer 8: Microsoft support
• Microsoft Edge: Microsoft support
• Safari: Apple support
CHAPTER V
NOTICE OF THE RIGHTS OF DATA SUBJECTS
I. Summary of Data Subject Rights:
Transparent Information, Communication, and Modalities for Exercising Data Subject Rights
Providing clear, understandable information and facilitating the exercise of rights.
Right to Prior Information When Personal Data is Collected from Data Subjects
Informing about the identity of the data controller, the purpose of processing, the legal basis, and any potential recipients of the data.
Information Provided When Personal Data is Not Obtained from the Data Subject
Notifying about the source of the data and relevant information regarding processing.
Right of Access
The right to obtain confirmation of data processing and a copy of the processed data.
Right to Rectification
The right to correct inaccurate or incomplete data.
Right to Erasure ("Right to be Forgotten")
The right to delete data under certain circumstances.
Right to Restriction of Processing
The right to limit data processing in certain situations.
Obligation to Notify about Rectification, Erasure, or Restriction of Processing
Informing users about changes related to data processing.
Right to Data Portability
The right to receive data in a machine-readable format and transfer it to another controller.
Right to Object
The right to object to data processing, including for direct marketing.
Automated Individual Decision-Making, Including Profiling
The right to avoid decisions based solely on automated processing.
Restrictions
Possible restrictions on rights based on laws.
Notification to Data Subjects about Personal Data Breaches
Notification in case of a personal data breach.
Right to Complain to the Supervisory Authority
The right to lodge complaints with the supervisory authority.
Right to Effective Legal Remedy Against the Supervisory Authority
The right to legal recourse against decisions of the supervisory authority.
Right to Effective Legal Remedy Against the Controller or Processor
The right to legal recourse against the controller or processor in case of rights violations.
II. Detailed Rights of Data Subjects:
Transparent Information, Communication, and Modalities for Exercising Data Subject Rights
The controller provides information clearly and understandably. Information can be provided in writing or electronically, or verbally with identification.
Right to Prior Information When Personal Data is Collected from Data Subjects
The controller provides information about the purpose of processing, legal basis, data recipients, and potential transfer to third parties.
Information Provided When Personal Data is Not Obtained from the Data Subject
The controller informs the data subject about the type and source of the data, as well as any public source of the data.
Right of Access
The data subject can request confirmation of processing and copies of the data.
Right to Rectification
The data subject can request correction of inaccurate data and completion of incomplete data.
Right to Erasure ("Right to be Forgotten")
The controller must delete data if it is no longer needed, if consent is withdrawn, if an objection is made, or if processing is unlawful.
Right to Restriction of Processing
Restriction of processing can be requested in certain situations, such as for inaccurate data or legality of processing.
Obligation to Notify about Rectification, Erasure, or Restriction of Processing
The controller informs all users about changes related to data processing.
Right to Data Portability
The data subject can receive data in a structured format and transfer it to another controller.
Right to Object
The right to object to data processing based on specific reasons, including direct marketing.
Automated Individual Decision-Making, Including Profiling
The data subject can avoid decisions based on automated processing that significantly affects them.
Restrictions
Rights and obligations may be restricted by legal measures, respecting fundamental rights and freedoms.
Notification to Data Subjects about Personal Data Breaches
In the event of a breach, the controller must inform the data subject about the nature of the breach and the measures taken.
Right to Complain to the Supervisory Authority
The data subject can file a complaint with the supervisory authority regarding data processing.
Right to Effective Legal Remedy Against the Supervisory Authority
The data subject has the right to legal recourse against the decisions of the supervisory authority.
Right to Effective Legal Remedy Against the Controller or Processor
The data subject can seek legal recourse against the controller or processor to protect their rights.