Privacy policy

1. Appendix to the Data Management Regulation

DATA MANAGEMENT NOTICE REGARDING THE RIGHTS OF NATURAL PERSONS IN RELATION TO THE MANAGEMENT OF THEIR PERSONAL DATA

CONTENT

INTRODUCTION

CHAPTER I – NAME OF THE DATA CONTROLLER

CHAPTER II – NAME OF THE DATA PROCESSOR

IT provider of our company
Ticketing system programmer of our company

CHAPTER III – ENSURING COMPLIANCE WITH DATA MANAGEMENT LAWS

Data management based on consent from the data subject
Data management based on legal obligations
Promotion of the rights of the data subjects

CHAPTER IV – DATA MANAGEMENT OF WEBSITE VISITORS – COOKIE NOTICE

CHAPTER V – NOTICE ON THE RIGHTS OF THE DATA SUBJECTS

INTRODUCTION

Pursuant to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND COUNCIL (hereinafter: the Regulation), which pertains to the protection and free flow of personal data regarding the management of natural persons' personal data and the repeal of Regulation (EC) No 95/46, the Data Controller must take appropriate actions to ensure that the person whose data is collected receives all necessary information regarding personal data management in a concise, clear, transparent, intelligible, and easily accessible form, and to provide the conditions for fulfilling the rights of the data subjects.

The obligation to inform the person in advance about the right to informational self-determination and the freedom of information is also stipulated by Act CXII of 2011.

The following text fulfills our obligations imposed by the aforementioned laws and regulations.

The notice should be prominently displayed on the company's website or sent to the person whose data is collected upon their request.

CHAPTER I

NAME OF THE DATA CONTROLLER

The issuer of this notice, also the Data Controller:

Company Name: GORAN GODA PR SAMOSTALNA ZANATSKA TRGOVINSKA RADNJA TRSKA PROMET BELO BLATO
Headquarters: BELO BLATO
Registration Number: 62804645
Tax ID: 107529177
Representative: Goran Goda
Phone Number: +381 63 779 00 27
Email Address: info.trskapromet@gmail.com
Website: https://trskapromet.co.rs

(hereinafter: the Company)

CHAPTER II

NAME OF THE DATA PROCESSOR

The data processor: a natural or legal person, a public authority, agency, or any other body that processes data on behalf of the data controller (Regulation Article 4(8)).

The use of a data processor is not dependent on the prior consent of the data subject but it is necessary to inform the data subject. In accordance with these regulations, we provide the following notice:

IT Provider of the Company

To maintain and manage its website, the Company uses the services of a data processor that provides IT services (hosting services) and, as part of these services and in accordance with the contract between the two parties, manages the personal data left on the website by storing it on the server.

Name and details of the data processor:

Company Name: ErdSoft doo
Headquarters: 24000 Subotica, Somborski put 33a, Serbia
Registration Number: 21354619
Tax ID: 110478829
Representative: Daniel Erdudac
Phone Number: +381 60 44 60 555
Fax: none
Email Address: daniel.erdudac@erdsoft.com
Website: erdsoft.com

CHAPTER III

ENSURING COMPLIANCE OF DATA MANAGEMENT WITH LAWS

1. Data Management Based on Consent of the Data Subject

(1) If the Company wishes to manage data based on consent, it is necessary to obtain consent for the management of the personal data of the individual whose data will be managed using a form whose content is specified in the data management regulation.

(2) Consent is considered given if the user checks a box on the Company’s website relating to consent for data processing, performs related technical settings for the use of information society services, or any other statement or act that clearly indicates the consent of the individual to the planned management of their personal data. Silence, pre-checked boxes, or the failure to take any action are not considered consent.

(3) Consent applies to all actions related to data management that are carried out for the same purpose or purposes. If data management serves different purposes, consent must be obtained for all purposes related to data management.

(4) If an individual provides consent in a written statement related to other purposes—e.g., sales, entering into a service contract—consent must be requested in a manner that is clear, simply expressed, understandable, accessible, and clearly distinguished from other purposes. Parts of statements that contain consent which are not in accordance with the Regulation are not valid.

(5) The Company cannot condition the conclusion or execution of a contract on consent to manage personal data that is not necessary for the performance of the contract.

(6) Withdrawal of consent must be as easy as giving consent.

(7) If personal data is processed based on the consent of the individual, the data controller may use that data in the absence of regulations differing from the law to fulfill legal obligations, without additional consent, and even after the consent has been withdrawn by the individual.

(8) The site intentionally does not collect data from minors (under 16 years of age). If data from a minor is retained and the Company becomes aware of this fact, the minor's data will be deleted without delay.

2. Data Management Based on Legal Obligations

(1) In cases where data is managed based on legal obligations, the scope of data, the purpose of data management, the retention period of data, and data users are determined by legal regulations.

(2) Data management based on legal obligations does not depend on the consent of the individual, as data management is dictated by law. In this case, before collecting data, the individual must be informed that data collection is mandatory and must be thoroughly and clearly informed about all facts related to the management of their data, with particular attention to the purpose and legal basis of data processing, the entity entitled to manage the data, the duration of data management, and who may have access to the data. The notification must also cover the rights of the individual and the possibilities for exercising rights related to personal data management. In cases of mandatory data management, the notification may include a publication of a call to all legal regulations containing the aforementioned information.

3. Promotion of the Rights of Data Subjects

The Company is obligated to ensure that individuals can exercise their rights in all activities related to data management.

CHAPTER IV

MANAGEMENT OF VISITOR DATA ON THE COMPANY'S WEBSITE – COOKIE POLICY

  1. Visitors to the website must be informed about the use of cookies, and permission must be sought from the visitor for all cookies except those technically necessary for sessions.

  2. General Information About Cookies

2.1. A cookie is a piece of data that a visited website sends to the visitor's browser (in the form of a variable) to be stored, and later the same website can read the content of the cookie. Cookies can be valid until the browser is closed or for an unlimited period of time. Later, with each HTTP(S) request, the browser will send this information to the server, thereby altering the data on the user's device.

2.2. The essence of cookies is to mark and identify the user (e.g., their entry to the site) so that the user is treated accordingly in all subsequent cases. The risk lies in the fact that the user may not be aware that they are being identified by cookies, which allows the user to be tracked by the website owner or another provider whose content is integrated into the site (e.g., Facebook, Google Analytics). During tracking, a profile of the user is created, and the content of cookies in these cases is treated as personal data.

2.3. Types of Cookies:

2.3.1. Technically Necessary Session Cookies: These cookies are essential for the functionality of websites, used to identify users, their entry to the site, items in the cart, etc. In this case, usually, the session ID is stored, while other data is stored on the server, making it more secure. From a security perspective, if the session cookie value is not well-generated, there is a risk of session theft, so these values must be generated correctly. Other terminology might refer to any cookie that is deleted when the browser is closed (a session is the use of the browser from start to exit).

2.3.2. Cookies That Facilitate Use: These cookies remember user choices—e.g., the display settings of the site. Essentially, they store configuration data in cookies.

2.3.3. Performance Cookies: Although not directly related to "performance," this term refers to cookies that collect information about user behavior, clicks, and time spent on the visited page. These are usually third-party applications (such as Google Analytics, AdWords, or Yandex.ru cookies). They are used for profiling visitors.

Learn more about Google Analytics cookies here.

Learn more about Google AdWords cookies here.

2.4. Accepting or enabling cookies is not mandatory. Browser settings can be adjusted to automatically reject all cookies or to notify when the system sends cookies. Most browsers automatically accept cookies by default, but settings can usually be changed to prevent automatic acceptance and allow the user to choose between accepting and rejecting cookies.

See the links below for cookie settings for the most popular browsers:

• Google Chrome: Chrome support

• Firefox: Firefox support

• Microsoft Internet Explorer 11: Microsoft support 

• Microsoft Internet Explorer 10: Microsoft support 

• Microsoft Internet Explorer 9: Microsoft support

• Microsoft Internet Explorer 8: Microsoft support

• Microsoft Edge: Microsoft support

• Safari: Apple support

However, it should be noted that certain functions or services on the site may not work properly without cookies.

3. Information About Cookies Used on the Company’s Website and Data Generated During Visits

3.1. Data Collected During Visits

Our website may use cookies to record and manage the following information about the visitor or device they are using:

  • Visitor’s IP address
  • Browser type
  • Features of the device’s operating system used by the visitor (configured language)
  • Time of visit
  • (Sub)pages, functions, or services visited
  • Clicks

This data is stored for up to 90 days and is primarily used for testing security incidents.

3.2. Cookies Used on the Website

3.2.1. Technically Necessary Session Cookies

The purpose of managing this data is to ensure the proper functioning of the website. These cookies are essential for allowing visitors to browse the website without issues and to fully utilize all functions and services available on the site, including—particularly—visitor comments on a specific page or the identity of a logged-in user during the visit. The duration of this cookie management is limited to the current visit; this type of cookie will automatically be deleted from the user’s computer when the session ends or the browser is closed.

The legal basis for managing this data is § 13/A (3) of Act CVIII of 2001 on Electronic Commerce and Information Society Services, which allows the service provider to manage personal data that is technically necessary for providing the service. Provided that all other conditions remain unchanged, service providers must use tools to provide services in a manner that personal data is processed only if it is strictly necessary for providing services and fulfilling other necessary purposes specified by the law, and only to the extent and for the duration required.

3.2.2. Cookies That Facilitate Use

These cookies remember user choices, for example, the format in which they prefer to view the page. These types of cookies essentially store data about settings saved in the cookie.

The legal basis for managing this data is the visitor's consent.

The purpose of managing this data is to improve service efficiency, enhance user experience, and enable more convenient use of the site.

This data is located on the user’s computer, and the website only accesses it and uses it to recognize the visitor.

3.2.3. Performance Cookies

This type of cookie collects information about user behavior, time spent, and clicks on the page the user is viewing. These cookies typically track third-party applications (e.g., Google Analytics, AdWords).

The legal basis for managing this data is the consent of the data subject.

The purpose of managing this data is to analyze the website and send promotional offers.

CHAPTER V

NOTIFICATION OF THE RIGHTS OF DATA SUBJECTS

I Summary of Data Subject Rights:

  1. Transparent information, communication, and modalities for exercising data subject rights
  2. Right to prior information when personal data is collected from the data subject
  3. Information provided when personal data is not obtained from the data subject
  4. Right of access for the data subject
  5. Right to rectification
  6. Right to erasure (“right to be forgotten”)
  7. Right to restriction of processing
  8. Obligation to notify of rectification, erasure, or restriction of processing
  9. Right to data portability
  10. Right to object
  11. Automated individual decision-making, including profiling
  12. Restrictions
  13. Notification of personal data breach
  14. Right to lodge a complaint with a supervisory authority
  15. Right to an effective legal remedy against the supervisory authority
  16. Right to an effective legal remedy against the data controller or processor

II Detailed Rights of Data Subjects:

1. Transparent Information, Communication, and Modalities for Exercising Data Subject Rights

1.1. The controller takes appropriate measures to provide the data subject with all information related to processing in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, especially when the information is addressed to a child. Information is provided in written form or by other means, including electronically, where appropriate. If the data subject requests, information may be provided orally, provided that the data subject’s identity is verified by other means.

1.2. The controller facilitates the exercise of the data subject’s rights.

1.3. The controller provides the data subject with information on the actions taken in response to a request without undue delay and, in any case, no later than one month from receipt of the request. The period may be extended by an additional two months, and the controller must inform the data subject of any such extension within the timeframe.

1.4. If the controller does not act on the data subject’s request, the controller informs the data subject without delay or at the latest one month from receipt of the request about the reasons for not taking action and about the possibility of lodging a complaint with the supervisory authority and seeking a judicial remedy.

1.5. The information provided, all communication, and measures taken are provided free of charge, except in cases prescribed by the Regulation when a fee may be charged.

Detailed rules are contained in Article 12 of the Regulation.

2. Right to Prior Information When Personal Data is Collected from the Data Subject

2.1. If personal data of the data subject is collected directly from the data subject, the controller provides the following information at the time of collection:

a) The identity and contact details of the controller and, where applicable, the controller’s representative;

b) Contact details of the data protection officer, if applicable;

c) The purposes of processing for which the personal data is intended, as well as the legal basis for the processing;

d) If processing is based on the exercise of legal rights, legitimate interests of the controller or a third party;

e) The recipients or categories of recipients of the personal data, if any;

f) If applicable, the fact that the controller intends to transfer personal data to a third country or international organization.

2.2. The controller provides the following additional information necessary for fair and transparent processing:

a) The retention period for personal data or, if not possible, the criteria used to determine that period;

b) The existence of the right to request access to, rectification, erasure, or restriction of processing of personal data, as well as the right to object to processing, and the right to data portability;

c) If processing is based on the consent of the data subject, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

d) The right to lodge a complaint with a supervisory authority;

e) Information about whether the provision of personal data is a statutory or contractual requirement or a necessary condition for entering into a contract, and the consequences of not providing the data;

f) The existence of automated decision-making, including profiling, and information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

2.3. If the controller intends to further process personal data for purposes other than those for which the data was initially collected, the controller provides the data subject with information on that new purpose and all other relevant information prior to the further processing.

All additional rules regarding the right to prior information are contained in Article 13 of the Regulation.

3. Information Provided When Personal Data is Not Obtained from the Data Subject

3.1. If the controller has not obtained personal data from the data subject, they must inform the data subject, at the latest within one month of obtaining the data, of all facts and information mentioned in point 2, including categories of personal data, the source of personal data, or, in some cases, whether the data comes from publicly accessible sources. If personal data is used to contact the data subject, the information must be provided at least at the time of the first contact; if data is transferred to other recipients, information should be provided no later than at the time of the first transfer.

3.2. The other rules from point 2 (Right to Prior Information) also apply here.

Detailed rules on this notification are contained in Article 14 of the Regulation.

4. Right of Access for the Data Subject

4.1. The data subject has the right to obtain from the controller confirmation as to whether their personal data is being processed and, if so, to access that data and the information specified in points 2 and 3 (Article 15 of the Regulation).

4.2. If personal data is transferred to a third country or international organization, the data subject has the right to be informed about the appropriate safeguards in accordance with Article 46 related to the transfer.

4.3. The controller provides a copy of the personal data being processed. For any additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

Detailed rules regarding the right of access are contained in Article 15 of the Regulation.

5. Right to Rectification

5.1. The data subject has the right to have the controller rectify inaccurate personal data concerning them without undue delay.

5.2. Considering the purposes of processing, the data subject has the right to complete incomplete personal data, including by providing a supplementary statement.

These rules are contained in Article 16 of the Regulation.

6. Right to Erasure (“Right to be Forgotten”)

6.1. The data subject has the right to have the controller erase personal data concerning them without undue delay if one of the following conditions applies:

a) The personal data is no longer necessary for the purposes for which it was collected or processed;

b) The data subject has withdrawn consent on which the processing is based, and there is no other legal ground for processing;

c) The data subject has objected to the processing and there are no overriding legitimate grounds for processing;

d) The data has been processed unlawfully;

e) The data must be erased to comply with a legal obligation under Union or Member State law applicable to the controller;

f) The data was collected in relation to the offer of information society services directly to a child.

6.2. The right to erasure does not apply if processing is necessary:

a) For exercising the right of freedom of expression and information;

b) For compliance with a legal obligation which requires processing under Union or Member State law applicable to the controller or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) For reasons of public interest in the area of public health;

d) For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes if the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing;

e) For the establishment, exercise, or defense of legal claims.

Detailed rules related to the right to erasure are contained in Article 17 of the Regulation.

7. Right to Restriction of Processing

7.1. If processing is restricted, personal data may only be processed with the consent of the data subject, except for storage, establishment, exercise, or defense of legal claims, or for the protection of the rights of other persons or for important public interest reasons of the Union or a Member State.

7.2. The data subject has the right to request the restriction of processing from the controller if one of the following conditions applies:

a) The data subject contests the accuracy of the data, for a period enabling the controller to verify its accuracy;

b) Processing is unlawful, and the data subject opposes erasure and requests the restriction of its use;

c) The controller no longer needs the data for processing, but the data subject requires it for the establishment, exercise, or defense of legal claims;

d) The data subject has objected to processing, and it has not yet been determined whether the legitimate grounds of the controller override those of the data subject.

7.3. The data subject, to whom processing has been restricted, will be informed before the restriction is lifted.

Detailed rules are contained in Article 18 of the Regulation.

8. Obligation to Notify of Rectification, Erasure, or Restriction of Processing

The controller is obliged to notify every recipient to whom the personal data has been disclosed of any rectification, erasure of personal data, or restriction of processing, unless this proves impossible or involves disproportionate effort. The controller also informs the data subject about the recipients who have been notified, if the data subject requests it.

Detailed rules are contained in Article 19 of the Regulation.

9. Right to Data Portability

9.1. The data subject has the right to receive their personal data provided to the controller in a structured, commonly used, and machine-readable format and to transmit those data to another controller without hindrance from the controller to whom the data was provided, if:

a) The processing is based on consent or on a contract; and

b) The processing is carried out by automated means.

9.2. When exercising the right to data portability, the data subject has the right to have the data transmitted directly from one controller to another, where technically feasible.

9.3. Exercising the right to data portability does not affect the right to erasure (Article 17, "right to be forgotten"). This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Additionally, this right should not adversely affect the rights and freedoms of others.

Detailed rules are contained in Article 20 of the Regulation.

10. Right to Object

10.1. The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of their data, based on Article 6(1)(e) or (f), including profiling based on those provisions. The controller may no longer process the data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

10.2. If the data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their data for such purposes, including profiling related to direct marketing. If the data subject objects to processing for direct marketing purposes, the data should no longer be processed for those purposes.

10.3. At the latest at the time of the first communication with the data subject, the right to object must be explicitly brought to their attention.

10.4. The data subject may exercise their right to object by automated means using technical specifications.

10.5. If the data is processed for scientific or historical research purposes or for statistical purposes, the data subject has the right to object to the processing of their data, unless processing is necessary for the performance of a task carried out in the public interest.

Detailed rules are contained in Article 21 of the Regulation.

11. Automated Individual Decision-Making, Including Profiling

11.1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

11.2. Paragraph 1 does not apply if the decision:

a) Is necessary for entering into or performing a contract between the data subject and the controller;

b) Is authorized by Union or Member State law applicable to the controller and which also provides for suitable measures to safeguard the data subject's rights and freedoms; or

c) Is based on the explicit consent of the data subject.

11.3. In cases referred to in paragraphs 2(a) and 2(c), the controller implements suitable measures to safeguard the data subject’s rights and freedoms, including the right to human intervention, the right to express their point of view, and the right to contest the decision.

Additional rules are contained in Article 22 of the Regulation.

12. Limitations

Union or Member State law applicable to the controller or processor may restrict the scope of the obligations and rights under Articles 12 to 22 and Article 34, as well as Article 5, provided that such restrictions respect the essence of fundamental rights and freedoms.

Detailed rules are contained in Article 23 of the Regulation.

13. Notification of a Personal Data Breach to the Data Subject

13.1. When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall notify the data subject of the breach without undue delay. The notification shall describe the nature of the breach in clear and plain language and shall at least contain the following information and measures:

a) The name and contact details of the data protection officer or other contact points where more information can be obtained;

b) A description of the likely consequences of the breach;

c) A description of the measures taken or proposed by the controller to address the breach, including measures to mitigate its possible adverse effects.

13.2. Notification to the data subject is not required if any of the following conditions are met:

a) The controller has implemented appropriate technical and organizational protection measures, such as encryption, which render the data unintelligible to unauthorized persons;

b) The controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of the data subject is no longer likely;

c) Notification would involve disproportionate effort, in which case a public communication or similar measure is taken to inform data subjects.

Detailed rules are contained in Article 34 of the Regulation.

14. Right to Lodge a Complaint with a Supervisory Authority

Every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if they consider that the processing of their personal data infringes this Regulation. The supervisory authority shall inform the complainant about the progress and outcome of the complaint, including the possibility of a judicial remedy.

Detailed rules are contained in Article 77 of the Regulation.

15. Right to an Effective Judicial Remedy Against a Supervisory Authority

15.1. Without prejudice to any other administrative or non-judicial remedy, every natural or legal person has the right to an effective judicial remedy against a binding decision of a supervisory authority concerning them.

15.2. Without prejudice to any other administrative or non-judicial remedy, every data subject has the right to an effective judicial remedy if the supervisory authority fails to address their complaint or inform them about the progress or outcome within three months.

15.3. Actions against a supervisory authority are to be brought before the courts of the Member State where the supervisory authority is established.

15.4. If proceedings are initiated against a decision of a supervisory authority that was preceded by an opinion or decision of the Board within the consistency mechanism, the supervisory authority shall submit that opinion or decision to the court.

Detailed rules are contained in Article 78 of the Regulation.

16. Right to an Effective Judicial Remedy Against the Controller or Processor

16.1. Without prejudice to any other available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, the data subject has the right to an effective judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data.

16.2. Proceedings against a controller or processor shall be brought before the courts of the Member State where the controller or processor is established. Alternatively, proceedings may be brought before the courts of the Member State where the data subject has their habitual residence, unless the controller or processor is a public authority acting in its public capacity.

Detailed rules are contained in Article 79 of the Regulation.
