Annex of the Data Management Regulations
DATA MANAGEMENT NOTICE REGARDING THE RIGHTS OF NATURAL PERSONS IN RELATION TO THE MANAGEMENT OF THEIR PERSONAL DATA
CONTENTS
INTRODUCTION
CHAPTER I – NAME OF THE DATA CONTROLLER
CHAPTER II – NAME OF DATA PROCESSORS
- IT Provider of our Company
- System Ticket Developer of our Company
CHAPTER III – ENSURING DATA MANAGEMENT COMPLIANCE WITH LAWS
- Data Management Based on Consent of the Data Subject
- Data Management Based on Legal Obligations
- Promotion of the Rights of the Data Subject
CHAPTER IV – DATA MANAGEMENT OF VISITORS ON THE COMPANY'S WEBSITE – COOKIE USAGE NOTICE
CHAPTER V – NOTICE ON THE RIGHTS OF THE DATA SUBJECT
INTRODUCTION
Based on REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (hereinafter: Regulation) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, the Data Controller must take appropriate measures to ensure that the data subject receives all necessary information regarding the management of personal data in a concise, clear, transparent, understandable, and easily accessible form, and to ensure the conditions for the exercise of the rights of the data subject.
The obligation to inform the data subject in advance is also prescribed by Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information.
With the text below, we fulfill our obligations as mandated by the aforementioned laws and regulations.
The notice should be posted on the company's website or sent to the data subject upon their request.
CHAPTER I – NAME OF THE DATA CONTROLLER
The issuer of this notice, and the Data Controller:
Company Name: SMART 2000 DOO, BEOGRAD (NOVI BEOGRAD)
Headquarters: Belgrade
Registration Number: 06000584
Tax ID: 100388489
Representative: Zoran Momčilović
Phone Numbers:
+381 11/228-6163
+381 63/209-609
+381 63/202-064
Email Address: info@smart-2000.com
Website: smart-2000.co.rs/sr
(Hereinafter: the Company)
CHAPTER II – NAME OF DATA PROCESSORS
A data processor is a natural or legal person, public authority, agency, or other body that processes data on behalf of the data controller (Regulation Article 4(8)).
Using a data processor does not require prior consent from the data subject, but the data subject must be informed. According to these regulations, we provide the following information:
1. IT Provider of the Company
The Company uses the services of a data processor that provides IT services (hosting services) for maintaining and managing its website. As part of these services, and in accordance with the contract between the two parties, the data processor manages the personal data left on the website by storing them on a server.
Name and details of the data processor:
Company Name: ErdSoft doo
Headquarters: 24000 Subotica, Somborski put 33a, Serbia
Registration Number: 21354619
Tax ID: 110478829
Representative: Daniel Erdudac
Phone Number: +381 60 44 60 555
Fax: Not available
Email Address: daniel.erdudac@erdsoft.com
Website: erdsoft.com
CHAPTER III – ENSURING DATA MANAGEMENT COMPLIANCE WITH LAWS
1. Data Management Based on Consent of the Data Subject
(1) If the Company wishes to manage data based on consent, it must request consent for managing the personal data of the data subject through a form, the content of which is determined by the data management regulations.
(2) Consent is also considered given if the user ticks a box requesting consent for data processing on the Company’s website, makes related technical settings regarding the use of information society services, or makes any other statement or act that clearly indicates the consent of the data subject to the planned management of their personal data. Silence, pre-ticked boxes, or inactivity do not constitute consent.
(3) Consent applies to all data management activities carried out for the same purpose or purposes. If data management serves several different purposes, consent must be requested for all purposes related to data management.
(4) If the data subject gives their consent as part of a written statement that also pertains to other matters – e.g., sale, service contract – the request for consent must be presented in a clear, concise, understandable, and accessible form and must be clearly distinguishable from the other matters. Parts of such statements that contain consent and do not comply with the Regulation are not legally binding.
(5) The Company cannot make the conclusion or execution of a contract contingent on the consent to the management of personal data that is not necessary for the execution of the contract.
(6) Withdrawing consent must be as easy as giving consent.
(7) If personal data is recorded with the consent of the data subject, the data controller may, in the absence of other legal provisions, continue to use the recorded data to fulfil a legal obligation imposed on it, even after the data subject has withdrawn consent.
(8) The site does not intentionally collect data from minors (under 16 years of age). If data from a minor is recorded, after becoming aware of this fact, the minor’s data will be deleted without delay.
2. Data Management Based on Legal Obligations
(1) In the case of data management based on legal obligations, the scope of the data, the purpose of data management, the duration of data retention, and the users of the data are determined by the provisions of the law.
(2) Data management based on legal obligations does not depend on the consent of the data subject, as data management is determined by law. In this case, the data subject must be informed prior to data collection that the collection of data is mandatory and must be informed in detail and clearly about all facts related to data management, with special attention to the purpose and legal basis of data processing, the entity entitled to manage data, the duration of data management, that personal data is managed in accordance with legal provisions, and who can access the data. The notice must also cover the rights of the data subject and the possibilities of exercising their rights related to the management of personal data. In the case of mandatory data management, the notice can also be considered to be the publication of references to all legal provisions containing the above-mentioned information.
3. Promotion of the Rights of the Data Subject
The Company is obliged to ensure that the data subject can exercise their rights in all data management activities.
CHAPTER IV – VISITOR DATA MANAGEMENT ON THE COMPANY'S WEBSITE – COOKIE USAGE STATEMENT
1. Notification and Consent for Cookies
- Visitors to the website must be informed about the use of cookies, and consent must be obtained for all cookies except those technically necessary for sessions.
2. General Information about Cookies
2.1. Definition of a Cookie
- A cookie is a small piece of data that the visited website sends to the visitor's browser (in the form of a named variable) for storage, and which the same website can later read back. A cookie can be valid either until the browser is closed or for an unlimited period. With each subsequent HTTP(S) request, the browser sends this information back to the server, which can in turn update the data stored on the user's device.
2.2. Purpose and Risks of Cookies
- Cookies are used to mark and identify the user (e.g., logging into the site) and treat the user appropriately in subsequent visits. The risk lies in the fact that users may not always be aware that they are being identified by cookies, which provides an opportunity for tracking by the site owner or other providers whose content is embedded on the site (e.g., Facebook, Google Analytics). Profiles are created about the user during tracking, and in these cases, cookie content is treated as personal data.
2.3. Types of Cookies
2.3.1. Technically Necessary Session Cookies
- These cookies are essential for the website's functionality, for example to recognize the user after they log in or to remember what they have added to their cart. Usually only the session ID is stored in the cookie, while the other data are kept on the server, which makes them more secure. If the session cookie value is not properly generated, there is a risk of session hijacking, so it is crucial to generate these values correctly. In other terminology, any cookie deleted when the browser exits is called a session cookie.
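As an added illustration of the mechanism described in 2.1 and of the session-cookie point in 2.3.1 (example code written for this notice, not the Company's or its hosting provider's code), the Python below issues a session cookie whose value is an unpredictable ID from the operating system's random source, keeps the actual session data on the server, and contrasts it with a persistent preference cookie of the "user-friendly" kind. The cookie names `sid` and `lang`, the 30-day lifetime and the in-memory store are assumptions.

```python
import secrets
from http.cookies import SimpleCookie  # stdlib parser/builder for Cookie and Set-Cookie headers
from typing import Dict, Optional

# Assumed in-memory server-side session store: the cookie carries only an
# opaque session ID; login state, cart contents etc. never leave the server.
SESSIONS: Dict[str, dict] = {}


def new_session_id() -> str:
    # 32 bytes from the OS CSPRNG, URL-safe base64 encoded (43 characters).
    # A counter, timestamp or short random value would be guessable and is
    # exactly the "not properly generated" case that enables session hijacking.
    return secrets.token_urlsafe(32)


def create_session(data: dict) -> str:
    """Store the session data on the server and return the new session ID."""
    sid = new_session_id()
    SESSIONS[sid] = dict(data)
    return sid


def session_set_cookie(sid: str) -> str:
    """Set-Cookie header value for the technically necessary session cookie.
    No Max-Age/Expires is set, so the browser discards it when it is closed."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True   # not readable by page scripts
    c["sid"]["secure"] = True     # only sent over HTTPS
    c["sid"]["samesite"] = "Strict"
    c["sid"]["path"] = "/"
    return c.output(header="").strip()


def preference_set_cookie(lang: str, days: int = 30) -> str:
    """Set-Cookie header value for a 'user-friendly' preference cookie (2.3.2).
    It carries the setting itself and persists via Max-Age (assumed 30 days);
    under this notice it requires the visitor's consent."""
    c = SimpleCookie()
    c["lang"] = lang
    c["lang"]["max-age"] = days * 24 * 3600
    c["lang"]["samesite"] = "Lax"
    c["lang"]["path"] = "/"
    return c.output(header="").strip()


def is_session_cookie(set_cookie_header: str) -> bool:
    """True when the cookie has neither Max-Age nor Expires, i.e. it is
    deleted when the browser exits (the 'session cookie' of 2.3.1)."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_header.split(";")[1:]}
    return "max-age" not in attrs and "expires" not in attrs


def load_session(cookie_header: str) -> Optional[dict]:
    """Resolve the Cookie request header to server-side session data.
    Returns None when no sid is present or the sid is unknown."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "sid" not in c:
        return None
    return SESSIONS.get(c["sid"].value)


def looks_weak(sid: str) -> bool:
    """Heuristic check (assumption, not a standard): flag session IDs that are
    short or purely numeric, which is typical of counters and timestamps."""
    return len(sid) < 16 or sid.isdigit()


if __name__ == "__main__":
    # Constructed sample: a visitor logs in and adds one item to the cart.
    sid = create_session({"user": "alice", "cart": ["item-1"]})
    print(session_set_cookie(sid))
    print(preference_set_cookie("en"))
    print(load_session("sid=" + sid))
```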
2.3.2. User-Friendly Cookies
- These cookies remember user choices, such as preferred viewing settings for the site. They essentially store setting data in cookies.
2.3.3. Performance Cookies
- These cookies collect information about user behavior, clicks, and time spent on the site. Typically used by third-party applications (e.g., Google Analytics, AdWords), these cookies are suitable for visitor profiling.
- Learn more about Google Analytics cookies here: Analytics-cookies
- Learn more about Google AdWords cookies here: Google support
2.4. Cookie Acceptance and Browser Settings
- Accepting or enabling cookies is not mandatory. Browser settings can be configured to automatically reject all cookies or to alert when cookies are being sent. Most browsers automatically accept cookies by default, but settings can typically be changed to prevent automatic acceptance and offer a choice each time between accepting and rejecting cookies.
- Links to cookie settings for the most popular browsers:
- Google Chrome: Chrome support
- Firefox: Firefox support
- Microsoft Internet Explorer 11: Microsoft support
- Microsoft Edge: Microsoft support
- Safari: Apple support
- However, it must be noted that certain site functions or services may not work correctly without cookies.
3. Information about Cookies Used on the Company's Website and Data Collected During Visits
3.1. Data Managed During Visits
- The company's website may use the following information about the visitor or the device used:
- Visitor’s IP address
- Browser type
- Operating system characteristics (configured language)
- Visit time
- (Sub)pages, features, or services visited
- Clicks
- This data is stored for up to 90 days and is used primarily for investigating security incidents.
3.2. Cookies Used on the Website
3.2.1. Technically Necessary Session Cookies
- The purpose of managing these cookies is to ensure the proper functioning of the website. These cookies are necessary to allow visitors to browse the website without issues and make full use of all available features and services, including visitor comments or logged-in user identity during visits. The duration of this cookie management is limited to the current visit; this type of cookie is automatically deleted from the user’s computer when the session ends or the browser is closed.
- The legal basis for managing this data is § 13/A (3) of the Act CVIII of 2001 on Electronic Commerce and Information Society Services, according to which the service provider may manage personal data technically necessary for providing the service. If other conditions remain unchanged, service providers must choose and use tools that process personal data only if strictly necessary for providing the service and achieving other necessary purposes stated in this law, and only to the extent and for the time necessary.
3.2.2. User-Friendly Cookies
- These cookies remember the user’s choice, such as the preferred format for viewing the site. These types of cookies store setting data.
- The legal basis for managing this data is visitor consent.
- The purpose of managing this data is to enhance service efficiency, improve user experience, and ensure more convenient site usage. This data resides on the user’s computer; the website only accesses it and recognizes the visitor based on it.
3.2.3. Performance Cookies
- These cookies collect information about user behavior, time spent, and clicks on the page being viewed. They are typically set by third-party applications (e.g., Google Analytics, AdWords).
- The legal basis for managing this data is user consent.
- The purpose of managing this data is to analyze the website and send promotional offers.
CHAPTER V – NOTICE ON THE RIGHTS OF THE DATA SUBJECT
I. Summary of Data Subject Rights:
- Transparent information, communication, and modalities for exercising data subject rights
- Right to prior information when personal data is collected from the data subject
- Information provided when personal data is not obtained from the data subject
- Right of access by the data subject
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Notification obligation regarding rectification or erasure of personal data or restriction of processing
- Right to data portability
- Right to object
- Automated individual decision-making, including profiling
- Restrictions
- Communication of personal data breaches to the data subject
- Right to lodge a complaint with a supervisory authority
- Right to an effective judicial remedy against a supervisory authority
- Right to an effective judicial remedy against a controller or processor
II. Detailed Data Subject Rights:
1. Transparent Information, Communication, and Modalities for Exercising Data Subject Rights
1.1. Information Provision and Transparency
The controller takes appropriate measures to provide all information related to processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, especially for information addressed to a child. Information is provided in writing or by other means, including electronically when appropriate. If requested by the data subject, information can be provided orally, provided that the identity of the data subject is confirmed by other means.
1.2. Facilitation of Rights Exercise
The controller facilitates the exercise of data subject rights.
1.3. Response to Data Subject Requests
The controller provides information on actions taken on a request by the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller informs the data subject of any such extension within one month of receipt of the request.
1.4. Non-Compliance Notification
If the controller does not take action on the request of the data subject, the controller informs the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
1.5. Free Information and Measures
The information provided, communication, and actions taken are provided free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular, because of their repetitive character, the controller may either charge a reasonable fee or refuse to act on the request.
Detailed rules can be found in Article 12 of the Regulation.
2. Right to Prior Information When Personal Data is Collected from the Data Subject
2.1. Information Provision During Collection
If personal data is collected from the data subject, the controller provides the data subject with all of the following information at the time of collection:
a) Identity and contact details of the controller and, where applicable, the controller's representative;
b) Contact details of the data protection officer, where applicable;
c) Purposes of the processing for which the personal data is intended as well as the legal basis for the processing;
d) Legitimate interests pursued by the controller or by a third party if the processing is based on these interests;
e) Recipients or categories of recipients of the personal data, if any;
f) The intention to transfer personal data to a third country or international organization;
g) Period for which the personal data will be stored, or if not possible, the criteria used to determine that period;
h) Existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing, as well as the right to data portability;
i) Existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
j) Right to lodge a complaint with a supervisory authority;
k) Whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
l) Existence of automated decision-making, including profiling, and meaningful information about the logic involved and the significance and consequences of such processing for the data subject.
Detailed rules can be found in Article 13 of the Regulation.
3. Information Provided When Personal Data is Not Obtained from the Data Subject
3.1. Information Provision
If personal data is not obtained from the data subject, the controller provides the data subject with all the information specified above and the following additional information:
a) Categories of personal data concerned;
b) Source of the personal data and, if applicable, whether it came from publicly accessible sources.
3.2. Time of Information Provision
The controller provides the above information to the data subject within a reasonable period after obtaining the personal data, but at the latest within one month, or if the personal data is to be used for communication with the data subject, at the latest at the time of the first communication with the data subject, or if disclosure to another recipient is envisaged, at the latest when the personal data is first disclosed.
Detailed rules can be found in Article 14 of the Regulation.
4. Right of Access by the Data Subject
4.1. Access Rights
The data subject has the right to obtain from the controller confirmation as to whether personal data concerning them is being processed and, if so, access to the personal data and the following information:
a) Purposes of the processing;
b) Categories of personal data concerned;
c) Recipients or categories of recipients to whom personal data has been or will be disclosed, in particular recipients in third countries or international organizations;
d) Period for which the personal data will be stored, or if not possible, the criteria used to determine that period;
e) Existence of the right to request from the controller rectification or erasure of personal data or restriction of processing concerning the data subject or to object to such processing;
f) Right to lodge a complaint with a supervisory authority;
g) Source of personal data if it was not collected from the data subject;
h) Existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and consequences of such processing for the data subject.
4.2. Right to Obtain Copies
The controller provides a copy of the personal data undergoing processing. For any further copies requested, the controller may charge a reasonable fee based on administrative costs. If the data subject makes the request by electronic means, the information is provided in a commonly used electronic form unless otherwise requested.
Detailed rules can be found in Article 15 of the Regulation.
5. Right to Rectification
5.1. Right to Correct Data
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing a supplementary statement.
Detailed rules can be found in Article 16 of the Regulation.
6. Right to Erasure (“Right to be Forgotten”)
6.1. Conditions for Erasure
The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:
a) Personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
b) The data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
c) The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
d) Personal data has been unlawfully processed;
e) Personal data must be erased for compliance with a legal obligation;
f) Personal data has been collected in relation to the offer of information society services to children.
6.2. Notification of Third Parties
If the controller has made personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, takes reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, that personal data.
7. Right to Restriction of Processing
7.1. If processing is restricted, such personal data may only be processed with the data subject's consent, except for storage, or for the establishment, exercise, or defense of legal claims, or to protect the rights of another natural or legal person, or for important public interest of the Union or a Member State.
7.2. The data subject has the right to obtain restriction of processing from the controller if one of the following conditions applies:
a) The data subject contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
b) The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
c) The controller no longer needs the personal data for the purposes of processing, but the data subject requires it for the establishment, exercise, or defense of legal claims; or
d) The data subject has objected to processing pending the verification of whether the legitimate grounds of the controller override those of the data subject.
7.3. The data subject who has obtained restriction of processing is notified by the controller before the restriction is lifted.
Detailed rules are contained in Article 18 of the Regulation.
8. Obligation to Notify of Correction or Erasure of Personal Data or Restriction of Processing
The controller notifies each recipient to whom personal data has been disclosed of any correction or erasure of personal data or restriction of processing, unless this proves impossible or involves disproportionate effort. The controller informs the data subject about those recipients if the data subject requests it.
Detailed rules are contained in Article 19 of the Regulation.
9. Right to Data Portability
9.1. The data subject has the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another controller without hindrance from the original controller, if:
a) The processing is based on consent or a contract; and
b) The processing is carried out by automated means.
9.2. When exercising their right to data portability, the data subject has the right to request the direct transfer from one controller to another.
9.3. The exercise of the right to data portability does not affect the right to erasure (Article 17). This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This right must not adversely affect the rights and freedoms of others.
Detailed rules are contained in Article 20 of the Regulation.
10. Right to Object
10.1. The data subject has the right to object, on grounds relating to their particular situation, at any time, to processing of personal data concerning them based on Article 6(1)(e) or (f), including profiling based on those provisions. The controller must no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
10.2. If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, which includes profiling related to such direct marketing. If the data subject objects to processing for direct marketing purposes, personal data must no longer be processed for such purposes.
10.3. At the latest at the time of the first communication with the data subject, the data subject is explicitly informed of their right to object, which must be presented clearly and separately from all other information.
10.4. The data subject may exercise their right to object through automated means using technical specifications.
10.5. If personal data is processed for scientific or historical research purposes or statistical purposes, the data subject, based on grounds relating to their particular situation, has the right to object to the processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out in the public interest.
Detailed rules are contained in Article 21 of the Regulation.
11. Automated Individual Decision-Making, Including Profiling
11.1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
11.2. Point 11.1 does not apply if the decision:
a) Is necessary for entering into or performing a contract between the data subject and the controller;
b) Is authorized by Union or Member State law applicable to the controller, which also provides for suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
c) Is based on explicit consent of the data subject.
11.3. In the cases referred to in points 11.2(a) and (c), the controller implements appropriate measures to safeguard the data subject's rights and freedoms and legitimate interests, including at least the right to obtain human intervention by the controller, to express their point of view, and to contest the decision.
Detailed rules are contained in Article 22 of the Regulation.
12. Limitations
Union or Member State law applicable to the controller or processor may limit the scope of the obligations and rights under Articles 12 to 22 and Article 34, as well as Article 5, provided that such limitations respect the essence of fundamental rights and freedoms.
Conditions for such limitations are contained in Article 23 of the Regulation.
13. Notification of a Personal Data Breach to the Data Subject
13.1. When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must notify the data subject without undue delay of the personal data breach. The notification to the data subject must be written in clear and plain language and include at least the following information and measures:
a) The name and contact details of the data protection officer or other contact point where more information can be obtained;
b) A description of the likely consequences of the personal data breach;
c) A description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
13.2. Notification to the data subject is not required if any of the following conditions are met:
a) The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach, especially measures that make the personal data unintelligible to anyone not authorized to access it, such as encryption;
b) The controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize;
c) It would involve disproportionate effort. In such cases, a public communication or similar measure is provided to inform data subjects in an equally effective manner.
Detailed rules are contained in Article 34 of the Regulation.
14. Right to Lodge a Complaint with a Supervisory Authority
Every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or of the alleged infringement, if they consider that the processing of personal data relating to them infringes this Regulation. The supervisory authority to which the complaint is lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy.
Detailed rules are contained in Article 77 of the Regulation.
15. Right to an Effective Judicial Remedy Against a Supervisory Authority
15.1. Without prejudice to any other administrative or non-judicial remedy, every natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
15.2. Without prejudice to any other administrative or non-judicial remedy, every data subject has the right to an effective judicial remedy if the supervisory authority which is competent under Articles 55 and 56 does not handle the complaint or fails to inform the data subject within three months of the progress or outcome of the complaint.
15.3. Actions against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
15.4. If proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or decision of the Board within the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
Detailed rules are contained in Article 78 of the Regulation.
16. Right to an Effective Judicial Remedy Against a Controller or Processor
16.1. Without prejudice to any other available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, the data subject has the right to an effective judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in violation of this Regulation.
16.2. Proceedings against a controller or processor shall be brought before the courts of the Member State where the controller or processor is established. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has their habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
Detailed rules are contained in Article 79 of the Regulation.