Privacy policy

Annex 1 to the Data Management Regulations

STATEMENT ON DATA MANAGEMENT RELATED TO THE RIGHTS OF NATURAL PERSONS IN RELATION TO THE MANAGEMENT OF THEIR PERSONAL DATA

CONTENTS

INTRODUCTION

CHAPTER I – NAME OF THE DATA CONTROLLER

CHAPTER II – NAMES OF THE DATA PROCESSORS

  1. IT provider of our Company
  2. Developer of the ticketing system of our Company

CHAPTER III – ENSURING COMPLIANCE OF DATA MANAGEMENT WITH LAWS

  1. Data management based on the consent of the data subject
  2. Data management based on the fulfillment of legal obligations
  3. Promotion of the rights of the data subject

CHAPTER IV – MANAGEMENT OF WEBSITE VISITOR DATA – COOKIE USAGE STATEMENT

CHAPTER V – STATEMENT ON THE RIGHTS OF THE DATA SUBJECTS

INTRODUCTION

Based on the REGULATION 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU) (hereinafter: Regulation), which concerns the protection and free flow of data in the management of personal data of natural persons and repeals Directive 95/46/EC, the Data Controller must take appropriate actions to ensure that the data subject, whose data is being collected, receives all necessary information related to the management of their personal data in a concise, clear, transparent, understandable, and accessible form, and to provide conditions for the fulfillment of the rights of the data subject.

The obligation to inform the data subject in advance about the right to informational self-determination and freedom of information is also prescribed by Law CXII of 2011.

The text below fulfills our obligations imposed by the aforementioned laws and regulations.

The notice should be displayed on the company's website or sent to the data subject upon their request.

CHAPTER I

NAME OF THE DATA CONTROLLER

The issuer of this notice, also the Data Controller:

Company name: Strugovi Potisje d.o.o
Headquarters: Ada
Company registration number: 20906456
VAT number: 107965985
Representative: Magdolna Miklos
Phone number: +381 62 299 084
Email address: m.laslo.strugovi@gmail.com
Website: https://strugovi.com/en
(hereinafter: the Company)

CHAPTER II

NAMES OF THE DATA PROCESSORS

A data processor is a natural or legal person, public authority, agency, or any other body that processes data on behalf of the data controller (Regulation Article 4, point 8).

The use of a data processor does not require the prior consent of the data subject, but it is necessary to inform the data subject. In accordance with these regulations, we provide the following information:

1. IT Provider of the Company

The Company uses the services of a data processor for the maintenance and management of its website, which provides IT services (hosting services) and, within these services – in accordance with the content of the contract between the two parties – manages the personal data left on the website by storing it on the server.

Name and details of the data processor:

Company name: ErdSoft doo
Headquarters: 24000 Subotica, Somborski put 33a, Serbia
Company registration number: 21354619
VAT number: 110478829
Representative: Daniel Erdudac
Phone number: +381 60 44 60 555
Fax: None
Email address: daniel.erdudac@erdsoft.com
Website: erdsoft.com

CHAPTER III

ENSURING COMPLIANCE OF DATA MANAGEMENT WITH LAWS

  1. Data management based on the consent of the data subject

(1) When the Company intends to manage data based on consent, it is necessary to obtain consent for the processing of personal data from the data subject by using a form whose content is defined in the data management regulations.

(2) Consent can also be considered given when the user checks a box on the Company's website, thereby agreeing to the data processing, or when performing the necessary technical settings for the use of information society services, as well as through other statements or actions that clearly express consent to the planned processing of their personal data. Silence, pre-checked boxes, or inaction are not considered as consent.

(3) Consent includes all data management activities carried out with the same purpose or purposes. If data management relates to multiple different purposes, consent must be obtained for each specific purpose.

(4) If the data subject gives their consent as part of a written statement that also concerns other matters – such as sales, the conclusion of service contracts – the request for consent must be presented in a manner that is clear, simple, and understandable, and must be clearly separated from other matters. Parts of such statements containing consent that are not in accordance with the law shall not be considered valid.

(5) The Company may not make the conclusion or performance of a contract conditional upon the provision of consent for the processing of personal data that is not necessary for the performance of that contract.

(6) The withdrawal of consent must be possible in the same way as the giving of consent.

(7) If personal data is processed based on consent, the data controller may use the data in accordance with the law to fulfill legal obligations even after the withdrawal of consent.

(8) The website does not intentionally collect data from minors (under the age of 16). If data about minors is inadvertently collected, it will be deleted as soon as this fact is discovered.

  2. Data management based on legal obligations

(1) When data is processed based on legal obligations, the scope of data, the purpose of processing, the retention period, and the users of the data are determined by law.

(2) Data processing based on legal obligations does not require the consent of the data subject, as it is mandated by law. In this case, the data subject must be informed before the data is collected that the collection is mandatory, as well as all relevant facts related to the processing of their data, with particular emphasis on the purpose and legal basis of the processing, the subject entitled to process the data, the duration of the processing, and who may have access to the data. The notice must also include information on the data subject's rights and the possibilities for exercising those rights concerning the processing of personal data. In the case of mandatory data processing, referencing the relevant legal provisions may be considered sufficient notice.

  3. Promotion of the rights of the data subject

The Company is obligated to ensure that the data subject can exercise their rights concerning data management in all situations.


CHAPTER IV

MANAGEMENT OF WEBSITE VISITOR DATA – COOKIE USAGE STATEMENT

1. Website visitors must be informed about the use of cookies, and consent must be obtained for all cookies except those that are technically necessary for the session.

2. General information about cookies

2.1. A cookie is a piece of data sent by a website to the visitor's browser (in the form of a variable value) to be stored, and later the same website can access the content of the cookie. Cookies can be valid until the browser is closed, but they can also remain for an indefinite period. After that, every HTTP(S) request automatically sends this information back to the server, allowing the user data on the device to be customized.

2.2. The essence of cookies is to mark and identify the user (e.g., logging into the site) and to treat the user accordingly in future visits. The risk lies in the fact that the user is not always aware that cookies identify them, enabling tracking by the site owner or another provider whose content is embedded on the site (e.g., Facebook, Google Analytics). During tracking, a user profile is created, and in such cases, the content of the cookies is treated as personal data.

2.3. Types of cookies:

2.3.1. Technically necessary session cookies: Without these cookies, websites would not be functional as they are used to identify the user, e.g., when logging in or determining what has been added to the cart. Usually, a session ID is stored, while other data is stored on the server, making them more secure. From a security perspective, if the session cookie value is not properly generated, there is a risk of session hijacking, so it is essential that these values are correctly generated. In some terminologies, any cookie deleted after the browser is closed is referred to as a session cookie.

2.3.2. Cookies to ease usage: These cookies remember user preferences, e.g., the format in which the user wishes to view the page. These cookies store data about user settings, which are saved in the cookies.

2.3.3. Performance cookies: Although the name may be misleading, these are cookies that collect information about user behavior, such as clicks and time spent on the site. These are typically third-party applications (such as Google Analytics, AdWords, or Yandex.ru cookies) and are suitable for profiling visitors.

Learn more about Google Analytics cookies here: Analytics-cookies

Learn more about Google AdWords cookies here: Google support

2.4. Acceptance or enabling of cookies is not mandatory. You can set your browser to automatically reject all cookies or to notify the user when the system sends cookies. Most browsers automatically accept cookies by default, but the settings can usually be changed to prevent automatic acceptance and allow the user to choose between accepting or rejecting cookies each time they visit the site.

See the links below for cookie settings in the most popular browsers:

• Google Chrome: Chrome support

• Firefox: Firefox support

• Microsoft Internet Explorer 11: Microsoft support 

• Microsoft Internet Explorer 10: Microsoft support 

• Microsoft Internet Explorer 9: Microsoft support

• Microsoft Internet Explorer 8: Microsoft support

• Microsoft Edge: Microsoft support

• Safari: Apple support

However, it should be noted that certain website functions or services may not function properly without cookies.

3. Information about the cookies used on the Company’s website and the data collected during visits

3.1. Data collected during visits

Our Company’s website may use cookies to record and manage the following information about the visitor or the device they are using:

  • Visitor’s IP address,
  • Browser type,
  • Characteristics of the device’s operating system used by the visitor (configured language),
  • Time of visit,
  • (Sub)pages, functions, or services visited,
  • Clicks.

This data is stored for up to 90 days and is primarily used for security incident testing.

3.2. Cookies used on the website

3.2.1. Technically necessary session cookies

The purpose of managing this data is to ensure the proper functioning of the website. These cookies are essential for visitors to browse the website smoothly and fully utilize all functions and services available through the site, including - in particular - visitor comments on a specific site or the identity of a logged-in user during the visit. The duration of managing such cookies is limited to the visitor's current session; this type of cookie is automatically deleted from the user's computer when the session ends or when the browser is closed.

The legal basis for managing this data is Article 13/A, paragraph (3) of the CVIII Act on Electronic Commerce and Information Society Services from 2001, according to which the service provider may manage personal data that is technically necessary for the provision of the service. If other conditions remain unchanged, service providers must choose and use tools for providing information society services in such a way that personal data is processed only if it is strictly necessary for providing the service and fulfilling other necessary purposes specified in this law, and in such cases only to the extent and for the time necessary.

3.2.2. Cookies that facilitate usage

These cookies remember user preferences, for example, the format in which the user wants to view the page. These cookies essentially record data about the settings, which are stored in the cookie.

The legal basis for managing this data is the consent of the visitors.

The purpose of managing this data is to increase the efficiency of services, improve the user experience, and ensure a more convenient use of the site.

This data is stored on the user's computer, while the website only accesses it and uses it to recognize the visitor.

3.2.3. Performance cookies

This type of cookie collects information about user behavior, time spent on the site, and clicks made by the user. These cookies are typically set by third-party applications (e.g., Google Analytics, AdWords).

The legal basis for managing this data: the consent of the data subject.

The purpose of managing this data is to analyze the website and send promotional offers.

CHAPTER V

NOTICE ON THE RIGHTS OF DATA SUBJECTS

I. Summary of the rights of data subjects

  1. Transparent information, communication, and methods for exercising the rights of data subjects
  2. Right to prior information provided – if personal data is collected directly from the data subjects
  3. Information provided if personal data is not collected directly from the data subjects
  4. Right of the data subjects to access data
  5. Right to rectification of data
  6. Right to erasure of data ("right to be forgotten")
  7. Right to restrict data processing
  8. Obligation to notify about rectification, erasure of data, or restriction of processing
  9. Right to data portability
  10. Right to object
  11. Right to automated individual decision-making, including profiling
  12. Limitations of rights
  13. Notification of data subjects about a personal data security breach
  14. Right to lodge a complaint with a supervisory authority
  15. Right to an effective judicial remedy against a supervisory authority
  16. Right to an effective judicial remedy against a data controller or processor

II. Detailed Rights of Data Subjects

1. Transparent Information, Communication, and Methods for Exercising the Rights of Data Subjects

1.1. The Data Controller shall take all necessary measures to ensure that the data subject receives all information related to data processing in a concise, transparent, understandable, and easily accessible form, using clear and plain language. This is particularly important for information intended for children. The information shall be provided in writing or by other means, including electronically, when appropriate. If the data subject requests it, the information may be provided orally, provided that the identity of the data subject is confirmed by other means.

1.2. The Data Controller shall facilitate the exercise of rights by the data subject.

1.3. Upon request by the data subject, the Data Controller shall provide information on the actions taken without undue delay, and in any case no later than one month from the receipt of the request. This period may be extended by an additional two months if necessary, in which case the Data Controller must inform the data subject of any such extension within the time limit.

1.4. If the Data Controller does not act on the request of the data subject, it shall inform the data subject immediately, and no later than one month after the receipt of the request, of the reasons for not taking action and the possibility of lodging a complaint with a supervisory authority and seeking judicial remedy.

1.5. All information provided, communication, and actions taken shall be free of charge, except in certain cases specified by the Regulation, where an appropriate fee may be charged.

Detailed rules are provided in Article 12 of the Regulation.

2. Right to Prior Information Provided – If Personal Data is Collected Directly from the Data Subjects

2.1. If the personal data of the data subject is collected directly from that individual, the Data Controller shall provide the following information at the time of data collection:

a) The identity and contact details of the Data Controller and, where applicable, of the Data Controller’s representative;

b) The contact details of the Data Protection Officer, if applicable;

c) The purposes of the processing for which the personal data is intended, as well as the legal basis for the processing;

d) If the processing is based on the legitimate interests of the Data Controller or a third party;

e) The categories of recipients of the personal data, if any;

f) Where applicable, information on whether the Data Controller intends to transfer personal data to a third country or international organization.

2.2. At the time of data collection, the Data Controller shall also provide the data subject with additional information necessary to ensure fair and transparent processing:

a) The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

b) The existence of the right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing as well as the right to data portability;

c) Where the processing is based on the data subject’s consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

d) The right to lodge a complaint with a supervisory authority;

e) Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;

f) The existence of automated decision-making, including profiling, and at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2.3. If the Data Controller intends to further process the personal data for a purpose other than that for which the data was collected, the Data Controller shall provide the data subject with information about that other purpose and any relevant additional information before that further processing.

All additional rules regarding the right to prior information are contained in Article 13 of the Regulation.

3. Information Provided If Personal Data Is Not Collected Directly from the Data Subjects

3.1. If personal data is not obtained from the data subject, the Data Controller is obliged to inform the data subject of the following facts and information no later than one month after obtaining the data:

  • Category of personal data,
  • Source of personal data,
  • In certain cases, whether the data originates from publicly accessible sources (if personal data is used to contact the data subject, at least at the time of first contact with the subject; or if the data is intended to be transferred to other recipients, no later than at the time of the first transfer).

3.2. Other applicable rules are subject to the facts and obligations stated in point 2 (Right to Prior Information).

Detailed rules regarding this information are contained in Article 14 of the Regulation.

4. Right of Access by the Data Subject

4.1. The data subject has the right to obtain confirmation from the Data Controller as to whether or not personal data concerning them is being processed, and where that is the case, access to the personal data and the information listed in points 2 and 3 (Article 15 of the Regulation).

4.2. Where personal data is transferred to a third country or to an international organization, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 of the Regulation regarding the transfer.

4.3. The Data Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs.

Detailed rules regarding the right of access are contained in Article 15 of the Regulation.

5. Right to Rectification

5.1. The data subject has the right to obtain from the Data Controller the rectification of inaccurate personal data concerning them without undue delay.

5.2. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

These rules are contained in Article 16 of the Regulation.

6. Right to Erasure ("Right to Be Forgotten")

6.1. The data subject has the right to obtain from the Data Controller the erasure of personal data concerning them without undue delay, and the Data Controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

a) The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;

b) The data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;

c) The data subject objects to the processing and there are no overriding legitimate grounds for the processing;

d) The personal data has been unlawfully processed;

e) The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject;

f) The personal data has been collected in relation to the offer of information society services to a child.

6.2. The right to erasure does not apply to the extent that processing is necessary:

a) For exercising the right of freedom of expression and information;

b) For compliance with a legal obligation that requires processing by Union or Member State law to which the Data Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;

c) For reasons of public interest in the area of public health;

d) For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, where the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e) For the establishment, exercise, or defense of legal claims.

Detailed rules regarding the right to erasure are contained in Article 17 of the Regulation.

7. Right to Restrict Processing

7.1. When processing is restricted, such personal data may only be processed with the consent of the data subject, except for the purposes of storage, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

7.2. The data subject has the right to request a restriction of processing from the Data Controller if one of the following conditions is met:

a) The data subject contests the accuracy of the personal data, for a period enabling the Data Controller to verify the accuracy of the personal data;

b) The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;

c) The Data Controller no longer needs the personal data for the purposes of the processing, but the data is required by the data subject for the establishment, exercise, or defense of legal claims; or

d) The data subject has objected to processing and the verification of whether the legitimate grounds of the Data Controller override those of the data subject is still pending.

7.3. When the restriction of processing is lifted, the Data Controller shall inform the data subject before removing the restriction.

Detailed rules related to the right to restrict processing are contained in Article 18 of the Regulation.

8. Obligation to Notify About Rectification, Erasure, or Restriction of Processing

The Data Controller is obligated to inform all recipients to whom the personal data has been disclosed about any rectification, erasure of personal data, or restriction of processing, unless this proves impossible or involves disproportionate effort. The Data Controller is also required to inform the data subject about these recipients if the data subject requests it.

Detailed rules regarding the obligation to notify are contained in Article 19 of the Regulation.

9. Right to Data Portability

9.1. The data subject has the right to receive their personal data, which they have provided to a Data Controller, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data was originally provided, if:

a) The processing is based on consent or on a contract; and

b) The processing is carried out by automated means.

9.2. In exercising their right to data portability, the data subject has the right to have the personal data transmitted directly from one Data Controller to another, where technically feasible.

9.3. The exercise of the right to data portability shall not prejudice the right to erasure ("right to be forgotten") as provided in Article 17. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller. This right shall not adversely affect the rights and freedoms of others.

Detailed rules related to the right to data portability are contained in Article 20 of the Regulation.

10. Right to Object

10.1. The data subject has the right to object, on grounds relating to their particular situation, at any time to the processing of their personal data, in accordance with Article 6(1)(e) or (f), including profiling based on those provisions. The Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.

10.2. Where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, including profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

10.3. At the latest, at the time of the first communication with the data subject, the right to object must be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

10.4. The data subject may exercise their right to object by automated means using technical specifications.

10.5. Where personal data is processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to their particular situation, has the right to object to the processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Detailed rules related to the right to object are contained in Article 21 of the Regulation.

11. Automated Individual Decision-Making, Including Profiling

11.1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

11.2. The exception to paragraph 1 exists if the decision:

a) Is necessary for entering into, or the performance of, a contract between the data subject and a Data Controller;

b) Is authorized by Union or Member State law to which the Data Controller is subject and which also lays down suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests; or

c) Is based on the data subject's explicit consent.

11.3. In the cases referred to in points (a) and (c) of paragraph 2, the Data Controller shall implement suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests, including the right to obtain human intervention on the part of the Data Controller, to express their point of view, and to contest the decision.

Detailed rules are contained in Article 22 of the Regulation.

12. Restrictions

By Union or Member State law to which the Data Controller or Processor is subject, legislative measures may restrict the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5, in so far as such a restriction respects the essence of the fundamental rights and freedoms.

The conditions of these restrictions are contained in Article 23 of the Regulation.

13. Notification of a Personal Data Breach to the Data Subject

13.1. When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the personal data breach to the data subject without undue delay. The notification to the data subject shall describe in clear and plain language the nature of the personal data breach and shall at least include the following information and measures:

a) The name and contact details of the Data Protection Officer or other contact point where more information can be obtained;

b) A description of the likely consequences of the personal data breach;

c) A description of the measures taken or proposed by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

13.2. Notification to the data subject is not required if any of the following conditions are met:

a) The Data Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular, those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;

b) The Data Controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;

c) It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

Detailed rules are contained in Article 34 of the Regulation.

14. Right to Lodge a Complaint with a Supervisory Authority

Every data subject has the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work, or place of the alleged infringement, if they consider that the processing of personal data relating to them infringes this Regulation. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of judicial remedy.

These rules are contained in Article 77 of the Regulation.

15. Right to an Effective Judicial Remedy Against a Supervisory Authority

15.1. Without prejudice to any other administrative or non-judicial remedy, every natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

15.2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the competent supervisory authority under Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint.

15.3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

15.4. Where proceedings are brought against a decision of a supervisory authority that was preceded by an opinion or decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

These rules are contained in Article 78 of the Regulation.

16. Right to an Effective Judicial Remedy Against a Data Controller or Processor

16.1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, the data subject shall have the right to an effective judicial remedy where they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.

16.2. Proceedings against a Data Controller or Processor shall be brought before the courts of the Member State where the Data Controller or Processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has their habitual residence unless the Data Controller or Processor is a public authority of a Member State acting in the exercise of its public powers.

These rules are contained in Article 79 of the Regulation.
