DATA MANAGEMENT NOTICE REGARDING THE RIGHTS OF THE INDIVIDUAL IN RELATION TO THE MANAGEMENT OF THEIR PERSONAL DATA
CONTENTS
INTRODUCTION
CHAPTER I – NAME OF THE DATA CONTROLLER
CHAPTER II – NAMES OF DATA PROCESSORS
- Our Company's IT provider
- Our Company's ticketing system developer
CHAPTER III – ENSURING DATA MANAGEMENT COMPLIANCE WITH LAWS
- Data management based on the individual's consent
- Data management based on legal obligations
- Promotion of the individual's rights
CHAPTER IV – DATA MANAGEMENT OF WEBSITE VISITORS – COOKIE USAGE NOTICE
CHAPTER V – NOTICE REGARDING THE RIGHTS OF THE INDIVIDUAL
INTRODUCTION
Based on REGULATION 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU) (hereinafter: Regulation), which concerns the protection and free flow of data during the management of personal data of individuals, and the repeal of Directive 95/46/EC, the Data Controller must take appropriate actions to ensure that the individual whose data is collected is provided with all necessary information regarding the management of personal data in a concise, clear, transparent, understandable, and accessible form, and to ensure the conditions for the fulfillment of the rights of the individual whose data is collected.
The obligation to inform the individual in advance about the right to informational self-determination and freedom of information is also prescribed by law CXII of 2011.
With the following text, we fulfill our obligations imposed by the aforementioned laws and regulations.
The notice should be posted on the company's website or sent to the individual whose data is collected upon their request.
CHAPTER I
NAME OF THE DATA CONTROLLER
The issuer of this notice, and at the same time the Data Controller:
Company name: Frigo Bel Ruma
Headquarters: 22429 Voganj, Rumska 12, Srbija
Registration number: 57178884
VAT number: 104199826
Representative: Aleksandar Belić, Director
Telephone number: +381 (3)553274, +381 (4)3209247, 022448517
E-mail address: frigobel2@gmail.com
Website: https://opremazaugostiteljstvo.rs/en
(hereinafter: the Company)
CHAPTER II
NAMES OF DATA PROCESSORS
Data Processor: a natural or legal person, public authority, agency, or any other body that processes data on behalf of the data controller; (Regulation Article 4, Section 8)
The use of a data processor does not require the prior consent of the individual, but the individual must be informed. In accordance with these regulations, we provide the following notice:
- The Company's IT Provider
To maintain and manage its website, the Company uses a data processor that provides IT services (hosting services) and, as part of these services and in accordance with the contract between the two parties, manages the personal data left on the website by storing them on a server.
Name and details of the data processor:
Company name: ErdSoft doo
Headquarters: 24000 Subotica, Somborski put 33a, Srbija
Registration number: 21354619
VAT number: 110478829
Representative: Daniel Erdudac
Telephone number: +381 60 44 60 555
Fax: none
Email address: daniel.erdudac@erdsoft.com
Website: erdsoft.com
CHAPTER III
ENSURING DATA MANAGEMENT COMPLIANCE WITH LAWS
- Data Management Based on the Individual's Consent
(1) If the Company wishes to manage data based on consent, it is necessary to request consent for the management of personal data from the individual using a form whose content is determined by the data management regulation.
(2) Consent is also considered given if the user marks the checkbox related to requesting consent for data processing on the Company's website, performs related technical settings concerning the use of information society services, or makes any other statement or performs any other act that clearly indicates the individual's consent to the planned management of their personal data. Silence, pre-ticked boxes, or inactivity do not constitute consent.
(3) Consent applies to all actions related to data management carried out for the same purpose or purposes. If data management serves multiple different purposes, consent must be sought for all purposes related to data management.
(4) If the individual gives their consent within a written statement that also pertains to other purposes (e.g., sale, service contract), the consent must be requested in a clear, simply expressed, understandable, accessible manner, and clearly distinguishable from other purposes. Parts of such statements containing the individual's consent that do not comply with the Regulation are not legally valid.
(5) The Company cannot condition the conclusion or execution of a contract on consent for managing personal data that is not necessary for the performance of the contract.
(6) Withdrawal of consent should be as easy as giving consent.
(7) If personal data is recorded with the individual's consent, the data controller may, unless the law provides otherwise, use the recorded data to fulfill legal obligations without further separate consent, including after the individual has withdrawn consent.
(8) The website does not intentionally collect data from minors (under 16 years of age). If data of a minor is stored, upon becoming aware of this fact, the minor's data will be deleted without delay.
- Data Management Based on Legal Obligations
(1) In the case of data management based on legal obligations, the scope of data, the purpose of data management, the duration of data storage, and the users of the data are determined by the provisions of the law.
(2) Data management based on the fulfillment of legal obligations does not depend on the individual's consent, as data management is determined by law. In this case, the individual must be informed before data collection that data collection is mandatory, and must be informed in detail and clearly about all facts related to data management, with particular attention to the purpose and legal basis of data processing, the entity entitled to manage the data, the duration of data management, that personal data is managed in accordance with legal provisions, and who can access the data. The notification must also cover the individual's rights and possibilities for exercising rights related to personal data management. In the case of mandatory data management, the notification may also be given by publishing a reference to the legal provisions containing the above-mentioned information.
- Promotion of the Individual's Rights
The Company is obliged to ensure that the individual can exercise their rights in all data management activities.
CHAPTER IV
DATA MANAGEMENT OF WEBSITE VISITORS – COOKIE USAGE NOTICE
1. The website visitor must be informed about the use of cookies, and the visitor's permission must be requested for all cookies except technically necessary session cookies.
2. General Information About Cookies
2.1. A cookie is data sent by the visited website to the visitor's browser (in the form of a name-value pair) for storage, and later the same website can retrieve the content of the cookie. Cookies can be valid until the browser is closed or for an unlimited period. Later, with each HTTP(S) request, the browser sends this information back to the server. In this way the website modifies data stored on the user's device.
2.2. The essence of cookies is to mark and identify the user (e.g., their login to the site) and to appropriately treat the given user in all subsequent instances. The risk lies in the fact that the user is not always aware that cookies identify them, which provides the opportunity for the user to be tracked by the site owner or another provider whose content is embedded in the site (e.g., Facebook, Google Analytics). During tracking, a profile is created about the user, and in these cases, the content of the cookies is treated as personal data.
2.3. Types of Cookies:
2.3.1. Technically necessary session cookies: Without them, websites are simply not functional. They are used to identify the user and to track, for example, when they logged into the site and what they placed in the cart. Usually only the session ID is stored in the cookie, while the other data is stored on the server, which makes these cookies more secure. From a security aspect, if the value of the session cookie is poorly generated, there is a risk of session hijacking, so these values must be generated correctly. Other terminology uses "session cookie" for any cookie that is deleted when the browser is closed (a session being the use of the browser from start to exit).
2.3.2. Cookies that facilitate use: These include cookies that remember the user's choices, e.g., in what format they want to view the site. These cookies essentially store settings data.
2.3.3. Performance cookies: Although they do not have much to do with "performance," this is the name for cookies that collect information about user behavior, clicks, and time spent on the site they visit. These are usually third-party applications (such as Google Analytics, AdWords, or Yandex.ru cookies). They are suitable for profiling visitors.
Learn more about Google Analytics cookies here: Analytics-cookies.
Learn more about Google AdWords cookies here: Google support.
2.4. Accepting or enabling cookies is not mandatory. In the browser settings, it can be set to automatically reject all cookies, or the browser can notify you when the system sends cookies. Most browsers automatically accept cookies by default, but settings can usually be changed to prevent automatic acceptance and offer the user a choice between accepting and rejecting cookies each time.
• Google Chrome: Chrome support
• Firefox: Firefox support
• Microsoft Internet Explorer 11: Microsoft support
• Microsoft Internet Explorer 10: Microsoft support
• Microsoft Internet Explorer 9: Microsoft support
• Microsoft Internet Explorer 8: Microsoft support
• Microsoft Edge: Microsoft support
• Safari: Apple support
However, it should be noted that certain site features or services may not function properly without cookies.
3. Information about Cookies Used on the Company's Website and Data Generated During the Visit
3.1. Data Managed During the Visit
Our Company’s website may record and manage the following information about the visitor or the device used during the visit:
- Visitor's IP address,
- Browser type,
- Characteristics of the device's operating system used by the visitor (configured language),
- Visit time,
- (Sub)pages, functions, or services visited,
- Clicks.
These data are stored for up to 90 days and are used primarily for investigating security incidents.
3.2. Cookies Used on the Website
3.2.1. Technically Necessary Session Cookies
The purpose of data management is to ensure the proper functioning of the website. These cookies are necessary to enable visitors to browse the website without issues and to fully utilize all functions and services available through the website, including, specifically, visitor comments on a particular site or the identity of the logged-in user during the visit. The duration of such cookie management is limited to the current visit; this type of cookie will be automatically deleted from the user's computer when the session ends or the browser is closed.
The legal basis for managing these data is § 13/A (3) of the 2001 Act on Electronic Commerce and Information Society Services (CXXXIII of 2001), according to which the service provider may manage personal data that are technically necessary for providing the service in order to provide the service. If other conditions remain unchanged, service providers must choose and use the tools used for providing information society services in such a way that personal data are processed only if it is strictly necessary for providing the service and for fulfilling other necessary purposes specified in this law, but in that case only to the extent and for the duration necessary.
3.2.2. Cookies That Facilitate Use
These cookies remember the user's choices, for example, in what format the user wants to view the site. These types of cookies are essentially setting data stored in the cookie.
The legal basis for managing these data is the consent of the visitors.
The purpose of data management is to increase service efficiency, improve user experience, and ensure more convenient use of the site.
These data are stored on the user's computer; the website only accesses them and recognizes the visitor based on them.
3.2.3. Performance Cookies
This type of cookie collects information about user behavior, time spent, and clicks on the page being viewed by the user. These cookies typically belong to third-party applications (e.g., Google Analytics, AdWords).
The legal basis for data management is the consent of the individual concerned.
The purpose of data management is to analyze the website and send promotional offers.
CHAPTER V
NOTICE REGARDING THE RIGHTS OF THE INDIVIDUAL
I. Summary of Data Subject Rights:
- Transparent information, communication, and modalities for exercising data subject rights
- Right to prior information when personal data is collected from the data subject
- Information provided when personal data is not obtained from the data subject
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Obligation to notify about rectification, erasure, or restriction of processing
- Right to data portability
- Right to object
- Automated individual decision-making, including profiling
- Restrictions
- Notification of data breach to the data subject
- Right to lodge a complaint with a supervisory authority
- Right to an effective judicial remedy against a supervisory authority
- Right to an effective judicial remedy against a controller or processor
II. Detailed Rights of Data Subjects:
1. Transparent information, communication, and modalities for exercising data subject rights
1.1. The controller shall take appropriate measures to provide any information regarding the processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, particularly for any information specifically addressed to a child. Information shall be provided in writing or by other means, including, where appropriate, electronically. If requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
1.2. The controller shall facilitate the exercise of data subject rights.
1.3. The controller shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, considering the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
1.4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
1.5. Information provided and any communication and actions taken under Articles 12 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
- charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
- refuse to act on the request.
Detailed rules can be found in Article 12 of the Regulation.
2. Right to prior information when personal data is collected from the data subject
2.1. Where personal data relating to a data subject are collected from the data subject, the controller, at the time when personal data are obtained, shall provide the data subject with all of the following information:
a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
d) where the processing is based on legitimate interests pursued by the controller or by a third party, the legitimate interests pursued by the controller or by a third party;
e) the recipients or categories of recipients of the personal data, if any;
f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
2.2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d) the right to lodge a complaint with a supervisory authority;
e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2.3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
All additional rules regarding the right to prior information are contained in Article 13 of the Regulation.
3. Information provided when personal data is not obtained from the data subject
3.1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the information listed in points 2.1 and 2.2:
- within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
- if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
- if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
3.2. Further rules applicable are those outlined in point 2 (Right to prior information).
Detailed rules of this notice are contained in Article 14 of the Regulation.
4. Right of access
4.1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information listed in points 2 and 3 (Article 15 of the Regulation).
4.2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
4.3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
Detailed rules regarding the right of access can be found in Article 15 of the Regulation.
5. Right to rectification
5.1. The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
5.2. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
These rules are contained in Article 16 of the Regulation.
6. Right to erasure ("right to be forgotten")
6.1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services to a child.
6.2. Paragraphs on data erasure shall not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health;
d) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise, or defense of legal claims.
Detailed rules regarding the right to erasure are contained in Article 17 of the Regulation.
7. Right to Restriction of Processing
7.1. If processing is restricted, such personal data may only be processed with the consent of the data subject, except for storage, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
7.2. The data subject has the right to obtain restriction of processing from the controller if one of the following conditions is met:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or
d) the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
7.3. A data subject who has obtained restriction of processing is informed by the controller before the restriction is lifted.
Detailed rules are contained in Article 18 of the Regulation.
8. Obligation to Notify about Rectification or Erasure of Personal Data or Restriction of Processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Detailed rules are contained in Article 19 of the Regulation.
9. Right to Data Portability
9.1. The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, if:
a) the processing is based on consent or on a contract; and
b) the processing is carried out by automated means.
9.2. In exercising their right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
9.3. The exercise of the right to data portability is without prejudice to Article 17 (the right to erasure, 'right to be forgotten'). This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This right shall not adversely affect the rights and freedoms of others.
Detailed rules are contained in Article 20 of the Regulation.
10. Right to Object
10.1. The data subject has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on Article 6(1)(e) or (f), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
10.2. Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
10.3. At the latest at the time of the first communication with the data subject, this right shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
10.4. The data subject may exercise their right to object by automated means using technical specifications.
10.5. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to their particular situation, shall have the right to object to the processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Detailed rules are contained in Article 21 of the Regulation.
11. Automated Individual Decision-Making, Including Profiling
11.1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
11.2. Paragraph 1 shall not apply if the decision:
a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
c) is based on the data subject's explicit consent.
11.3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.
Detailed rules are contained in Article 22 of the Regulation.
12. Restrictions
Union or Member State law to which the controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5, in so far as such a restriction respects the essence of the fundamental rights and freedoms.
The conditions of these restrictions are contained in Article 23 of the Regulation.
13. Communication of a Personal Data Breach to the Data Subject
13.1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and shall contain at least the following information and measures:
a) the name and contact details of the data protection officer or other contact point where more information can be obtained;
b) the likely consequences of the personal data breach;
c) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
13.2. The communication to the data subject shall not be required if any of the following conditions are met:
a) the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular, those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
Detailed rules are contained in Article 34 of the Regulation.
14. Right to Lodge a Complaint with a Supervisory Authority
Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular, in the Member State of their habitual residence, place of work, or place of the alleged infringement if the data subject considers that the processing of personal data relating to them infringes this Regulation. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy.
These rules are contained in Article 77 of the Regulation.
15. Right to an Effective Judicial Remedy Against a Supervisory Authority
15.1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
15.2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the competent supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
15.3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
15.4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
These rules are contained in Article 78 of the Regulation.
16. Right to an Effective Judicial Remedy Against a Controller or Processor
16.1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, the data subject shall have the right to an effective judicial remedy where they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.
16.2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has their habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
These rules are contained in Article 79 of the Regulation.