Pursuant to the Law on Personal Data Protection, company Volvox LLC. Kragujevac, seated at Kralja Aleksandra I Karađorđevića St., No. 78 – shop 22, Kragujevac, with Registration no: 20870435, and Tax Identification Number: 107777877, is on 15/12/2019 issuing the following:
1. INTRODUCTORY PROVISIONS
1.4. “Volvox” website is owned and controlled by limited liability company Volvox D.O.O. Kragujevac, seated at Kralja Aleksandra I Karađorđevića St. no 78 – shop 22, Kragujevac, with Registration No: 20870435 and Tax Identification Number: 107777877 (previously and hereinafter termed: Controller).
- CONTROLLER– the company, from Article 1.5 that is processing the personal data;
- SERVICE – enabling insight into the Controller’s products as well as direct contact with the Controller via a web form in order to purchase or become informed about the products (hereinafter: Services);
- VISITOR – physical person accessing the website’s content or contacting the Controller via the “Contact” segment by leaving information such as: name, e-mail, comment content which may voluntarily contain further personal information;
- CONTROLLER PRODUCTS – entail websites the owner of which is the Controller;
- THE LAW – The Law on Personal Data Protection of the Republic of Serbia (Official Gazette of the Republic of Serbia, no 87, dated 13/11/2018), (hereinafter: the Law);
- GDPR – General Data Protection Regulation of the European Union (2016/679);
- ACCEPTANCE is any voluntary, specific, informed and unambiguous expression of will of the visitor, by which, through a statement or clear affirmative action, they accept the processing of personal data that refer to them;
- PERSONAL DATA is any data that refers to a physical person whose identity is unique and can be determined, directly or indirectly, especially on the basis of identity like a name or personal ID number in electronic communication networks or one or many characteristics of their physical, physiological, genetic, mental, economic, cultural and social identity;
- PERSONAL DATA PROTECTION is any action or collection of actions that are performed automatically or manually with the visitor data, such as collecting, noting, classifying, grouping or structuring, storing, adjusting or changing, disclosing, providing insight, using, disclosing by transmission and any delivery, multiplication, spreading or otherwise enabling the accessibility, comparison, limiting, deletion or destruction;
- PROCESSOR is any physical or legal entity hired by the Controller to process personal data of the visitors in their name;
- THIRD PARTY is any physical or legal entity, or government body that is neither a visitor, Controller, Processor nor person authorised to process personal data under immediate supervision of the Controller or Processor;
- COMPETENT AUTHORITY are state bodies in charge of preventing, investigating and discovering criminal acts as well as pursuing the perpetrators of criminal acts or executing sanctions, including the protection and prevention of threats to public and national security, but also they are legal entities authorised by the Law to perform the said operations;
- COMMISSIONER OR SUPERVISORY AUTHORITY is an independent and autonomous body of authority defined based on the Law, in charge of supervising the execution of the Law and performing other affairs as prescribed by the Law;
3. DATA CONTROLLER
3.1. The Data Controller is the company, closer defined by Art. 2.1, item 1. with contact information as stated in Art. 16.
3.2. The Company from Art. 1. in the capacity of Controller, is responsible for personal data collected from the visitors, in a manner and volume that is anticipated by this Law.
3.3. The Controller undertakes the necessary technical, organisational and personnel measures to ensure that the processing is performed in accordance with the Law so that it can present this to the visitors taking into account the nature, volume, circumstances and purpose of processing as well as the probability of risk and level of risk to the rights and liberties of the visitors.
3.4. The information on who, be it employee or other persons engaged by the Controller, has access to the personal data but also who their administrator is, are kept in the Processing Activities Records from Art. 13.
4. VISITOR DATA THAT IS COLLECTED AND PROCESSED
4.1. To comply with the rights and obligations determined by the Terms of Service, as well for the goal of observing legal requirements, legitimate interests and improvement reasons, a more efficient and lawful work of the Controller or based on the given visitor acceptance, which is explained in more detail within the text, the Controller collects and processes visitors’ personal data.
4.2. The Controller collects and processes some of the following data of the visitor:
- mobile phone number;
- landline number;
- e-mail address;
- a message that can contain arbitrary personal data;
- IP address;
- information collected by internet browsers.
4.3. Special categories of personal data.
4.3.1. The Controller does not process data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs or union memberships, genetic information, biometric data for the purpose of unique personal identification, information on health statuses or information on a physical person’s sexual preferences.
4.4. Data collected by the internet browser of the visitor – Cookies.
4.4.1. To promote the services on our website and improve visitor experience during page browsing, the Controller collects information from internet browsers of the Visitors (Cookies).
5. PURPOSE AND BASIS OF PROCESSING
5.1. Data, from Art 4., the Controller processes based on:
- consent provided by the Visitor, which can have a special form, the acceptance of which means that the consent has been given, as mentioned in Art. 12. paragraph 1, Item 1 of the Law;
- legitimate interest of the Controller as mentioned in 12, Paragraph 1, Item 6 of the Law;
- other conditions/causes anticipated by the Law, obliging the Controller to collect, store and process visitor data.
5.2. Data processing from Art. 4 is done by the Controller for the following purposes:
- to enable communication with the Controller by sending messages in the segment “Contact” (name; e-mail address; potential personal data left in the section “Message”);
- to improve user experience when visiting the website (data from Art. 2.);
- sending notifications on promotional offers of the Controller (email address);
- for other purposes in line with the Law.
5.3. Processing for other purposes
5.3.1. If the purpose of processing is different from the purpose for which the data has been collected, and doesn’t observe the Law, the Controller, by taking adequate security measures, assesses whether that other purpose of processing is in line with the purpose for which the data has been collected, whereby they particularly take into consideration:
- whether there is a connection between the purpose for which the data has been collected and the other intended processing purpose;
- the circumstances under which the data has been collected, including the relationship between the Controller and the Visitor;
- nature of the data;
- potential consequences of further processing for the Visitor.
5.4. The Controller is obliged, by applying the appropriate technical, organisational and personnel measures, to ensure that only the personal data that is necessary for realizing every individual purpose for processing, are indeed processed, applying it to the number of collected data, processing volume, length of storage and their accessibility.
5.5. The Controller particularly highlights that email address processing is performed for marketing purposes, based on unambiguous consent from Art. 6. i.e. by clicking on a certain field, thereby accepting for the Controller to send promotional offers and notifications – newsletters to the entered email address.
6.1. Approval given by the Visitor is done on a separate form, with a clear and prominent title “Consent”, while the content of it is described informatively, transparently, understandably, accessibly and uses clear and concise words as stated by the Law.
6.2. The Visitor is not conditioned to give their consent in order for a service to be enabled or part of the service for which consent isn’t necessary and can be considered voluntary unless the processing is mandatory so the Visitor can realize their rights.
6.3. The Visitor has the right to revoke their consent at any point. Revoking the consent does not affect the consent process based on approval given prior to the revoking. Prior to providing consent, the person to which the data pertains must be notified of their right to revoke, and the effects of revoking. Revoking must be as simple as consent.
6.4. The Visitor has the right to revoke their consent for processing that is based solely on consent as its basis, at any time, however the revoking of the consent does not affect the consent to process that was given prior to the revoking, done by notifying the Controller in writing.
6.5. Consent from Art 6.1 can be given in electronic form by the Visitors being given the opportunity to read the consent text on the website and, in accordance with Article 6, to decide whether to consent or not, by clicking on a certain field.
6.6. Processing that is done based on consent and for the purpose of Article 5.5 is email processing for the purpose of notifying Visitors about the activities of the website, services of the Controller and direct advertising, while consent for this particular processing is given electronically in a specific field on the website.
7. VISITORS’ RIGHTS BASED ON PERSONAL DATA PROTECTION
7.1. The right to be informed and the right to access to information:
7.1.1. The Controller is obliged to provide the following information concisely, transparently, to make it understandable and accessible, by using simple and clear words, at the request of the Visitor:
- the identity and contact details of the Controller, employee or otherwise engaged person responsible for data processing;
- the purpose of the intended processing and legal basis for it;
- the existence of legitimate interest of the Controller or third party, if the basis of the processing is legitimate interest;
- the recipient or group of recipients of personal data, if they exist;
- the fact that the Controller intends to export personal data to another country or international organisation;
- the period of time when the personal data will be kept, and if that isn’t possible, the criteria to determine it;
- the right to ask the Controller for access, editing and deletion of the visitor’s data, and the right to limit processing, right to object and rights referring to data transmission;
- the right to withdraw consent at any time, as well as to confirm that withdrawing does not impact the previously given consent for processing;
- the right to file a claim with the Commissioner;
- whether providing personal data is either a legal or contractual obligation or that providing the data is a necessary requirement to conclude the agreement, as well as whether the person to whom the data pertains is obliged to provide it and the potential consequences if it is not given;
- the existence of automated decision making, including profiling, if the Controller handles such processing.
7.1.2. At the request, pursuant to Article 1.1. the Controller must respond within 30 days, but that deadline may be extended by another 60 days if necessary, considering the volume and complexity. On the deadline extension and its reasons, the Controller is obliged to notify the visitor within 30 days from the time the Visitor had filed the complaint, in electronic form, if the complaint was made in such a way.
7.2. Right to Rectification and Completion
7.2.1. The Visitor has the right to rectify incorrect personal data, if possible without delay. Depending on the processing type, the Visitor has a right to complete its incomplete personal data, which includes providing an additional statement.
7.2.2. If possible, this should be done by rectification, deletion or entry of different data by the visitors themselves.
7.2.3.If the Visitor isn’t able to rectify or complete information in the manner from Art 7.2.2 they will address the Controller with a request.
7.3. Right to Erasure
7.3.1. If the legal conditions are met, the Controller is obliged, at the request of the Visitor, without unnecessary delays, to erase the personal data from Article 4, in the following cases:
- the personal data is no longer required for the purpose it was initially collected or processed;
- The Visitor has withdrawn its consent based on which the processing was conducted, and in line with the Law there is no other legal basis for its processing;
- The Visitor has filed a complaint to processing in line with the Law and there is no legal basis for processing that outweighs its legitimate interest, rights or liberties of the persons to which the data refers;
- personal data is unlawfully processed;
- personal data must be erased in order to execute the legal requirements of the Controller;
- personal data relating to the use of services of the technology company pursuant to the Law.
7.4. Right to restrict processing of personal information
7.4.1. Visitors have the right to request the restriction of data processing if the processing is unlawful, if the data is stated to be incorrect and if a complaint has been made in accordance with the Law and owing to other legal reasons.
7.5. Right to object
7.5.1. Depending on the specific case, and if the Visitor feels it is warranted, the Visitor may at any point request from the Controller to restrict the processing of their personal data which is done by consent, and the Controller is obliged to cease the processing of Visitor information if they have requested it.
7.5.2. The Controller is not obliged to cease processing in the manner indicated in Art. 7.5.1. if it has shown the Visitor that there are legal reasons that supersede the interests, rights or liberties of that Visitor or are related to the filing, enforcing or defense of legal claims.
8. STORING VISITORS PERSONAL DATA
8.1. Visitor personal data collected via the website are electronically stored on the servers owned by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, VAT Reg. No.: DE812871812 (hereinafter: Hetzner Online GmbH) and are secured with an SSL certificate, while access to the database is held by the Controller.
8.3. Queries – the message that is passed by entering information in the section “Contact” on the website, and which contain the visitor’s data are stored at firstname.lastname@example.org.
8.4. Personal data collected by providing technical support by the Controller, relating to the controller’s products are stored at email@example.com.
8.5. Visitors’ data and the data of other persons collected and stored in the email addresses as stated in Art. 8.3 and 8.4 are stored on the servers of company Zendesk that provides mail hosting services, in accordance with the privacy policies of this company.
9. ACCESS OF DATA BY THIRD PARTIES/ PERSONAL DATA PROCESSORS
9.2. The Controller guarantees that the Processors will apply the required technical, organisational and personnel measures so the processing is done in line with the Law and that it will provide adequate protection of the visitors’ personal data.
9.3. To ensure the conditions from Art. 9.2 are met, the Controller and Processor may enter into Agreement on Data Processing, that will be an accompaniment or appended part of the basic agreement and will contain all the elements as required by the Law.
9.4. To realise these purposes from Art. 1. the Controller may engage the following processors:
- Hetzner Online GmbH;
- Google Inc.;
10. DATA SECURITY
10.1. When assessing the necessary level of established security of the personal data, the Controller takes into consideration and monitors the level of technological advancements as well as the costs to implement them, followed by the nature, volume, circumstances and purpose of data processing, and based on those parameters, it assesses the probability of any future risk, or level of risk to the rights and liberties of the Visitors.
10.2. In relation to circumstances from Art. 1. the Controller takes appropriate technical, organisational and personnel measures to reach the required level of protection in relation to the risk.
10.3. When sending data to the Processors, the Controller is obliged to provide a secure communication channel by which the data is transmitted and to make sure that the data is securely stored by providing adequate security standards.
10.7. Visitor information collected via the website is secured with an SSL certificate, while access to the database has the Controller, administrator, the directors and technical support as well as the employees of the Controller.
11. PROCEDURE IN CASE OF DATA PROTECTION BREACH
11.2. In case of data breach, the Controller is obliged to inform the Supervisory authority without unnecessary delay, or 72h at the latest from the time the breach was discovered, if this can risk the rights of the Visitors. In case this isn’t observed, the Controller will explain its reasons for delay.
11.3.Notifying the Supervisory authority from Art. 11.2 must contain the following information:
- description of the nature of the rights that were infringed, including the type of data and approximate number of Visitors to which the data relates and the approximate volume of information that was breached;
- name and contact of the person that can provide information on the data that was breached;
- description of any potential consequences of the breach;
- description of measures that the Controller has undertaken or the undertaking of which has been proposed , including the measures taken for the purpose of reducing the harmful impact.
11.4. In case of a data protection breach, the Controller is obliged to notify the Visitors in case the breach can risk the rights and liberties of the physical persons to which the data refers.
11.5. Notifying the Visitor from Art 4. must be descriptive, clear and understandable and to state the information from Art. 11.3.
11.6. The Controller is not obliged to notify the Visitor as in the case from Art. 4. if:
- it has undertaken the appropriate technical and organisational measures of protection of the personal data the security of which has been breached;
- it has subsequently undertaken measures to ensure that personal data breach with high risk to the rights and liberties of the persons to which the data refer can no longer have any effects on the person;
- notifying the person to which the data refers would present a disproportionate waste of time and resources, in which case the Controller is obliged, via public announcement or other effective means, to provide access to this information to the persons to which this data refers.
11.7. If the Visitor finds out about any event that has led or can lead to the breach of their data or the data of other parties, they are obliged, without delay, to notify the Controller via the Contact details in this document.
12. PERIOD OF STORING AND DELETION OF DATA
12.1. Data from Art. 4 is kept as long as it is needed for the purpose for which it is processed, unless consent to the collection of this data is required by the Visitor to be given.
12.2. In the instance from Art.1. where the basis of collecting the data on the Visitor from Art. 4 is its consent, this data will be kept until the consent is withdrawn, in line with Art. 6.3.
12.3. Exceptionally from Art 2. the website will keep the data of the Visitors who gave their explicit consent to process and store this data for the purpose of receiving news or promotional offers as well as newsletters.
13. PERSONAL DATA PROCESSING ACTIVITIES RECORDS OF THE CONTROLLER
13.2. The records, along with the name and business information of the Controller, contain the following information: category of the persons whose data is processed, category of personal data, purpose of processing, third parties to whom the data has been disclosed, length of data storage, description of protection measures, the form in which the data is kept.
13.3.The records from Art. 1. is in electronic form and is kept permanently, in line with the Law.
14. TRANSMISSION OF DATA TO OTHER STATES AND TO THIRD PARTIES THAT HAVE ACCESS TO THIS DATA OUTSIDE THE TERRITORY OF THE REPUBLIC OF SERBIA
14.1. The Controller transmits certain Visitor data to the Federal Republic of Germany, which is a member of the Convention of the Council of Europe Data Protection for the automatic processing of personal data, and is on that basis on the list of countries that have an acceptable level of data protection as decided by the European Union.
14.2. Information on Visitors is specifically transmitted and stored on the servers of hosting company Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, VAT Reg. No.: DE812871812, and which is protected in line with the security policy applied by the company and which fulfills the conditions in line with the ISO/IEC standard no. 27001:2013. Insight into the previously mentioned document can be done via the following link: https://www.hetzner.com/pdf/FOX_Zertifikat.pdf.
14.3. The Controller transmits visitor data in line with its business operations.
15. COMMISSIONER/ SUPERVISORY AUTHORITY
15.1. The supervisory authority for the protection of data in the Republic of Serbia is the Commissioner for information of public importance and personal data protection of the Republic of Serbia. The Commissioner can be contacted at Bulevar Kralja Aleksandra No. 15, 11000 Belgrade, Republic of Serbia, via email at firstname.lastname@example.org or via phone at +381 11 3408 900.
15.2. The Controller cooperates with the Commissioner in the enforcement of its authority, in accordance with the obligations prescribed by the Law.
16. CONTACT INFORMATION OF THE CONTROLLER AND DATA PROTECTION OFFICER
- Controller’s Business Name: Volvox D.O.O. Kragujevac;
- Address: Kralja Aleksandra I Karađorđevića St. No. 78 – shop 22, Kragujevac;
- Email: email@example.com
- Telephone: 0693000400
- Working hours:Working days: 09-17h
16.2. In cases from Article 16.1. the Visitor can turn to the Data Protection Officer at the following contact details:
- Name and Surname: Petar Milojevic
- Address: Save Kovačevića .1, 34000 Kragujevac
- email: firstname.lastname@example.org
- Phone: +381693300556
17. FINAL PROVISIONS
18. LAW THAT IS EXERCISED AND JURISDICTION
18.1. The material right that is exercised pertaining to Visitors personal data protection, relating to its processing by the Controller, is the Law of the Republic of Serbia, Personal Data Protection Law and GDPR, where implementable.
18.2. For administrative and court proceedings the courts of the Republic of Serbia are responsible in line with the positive legislature of this state.