Attachment 1 to the Data Processing Policy
DATA PROCESSING INFORMATION
ON THE RIGHTS OF THE DATA SUBJECT
REGARDING THE PROCESSING OF PERSONAL DATA
TABLE OF CONTENTS
INTRODUCTION
CHAPTER I - IDENTIFICATION OF THE DATA CONTROLLER
CHAPTER II - IDENTIFICATION OF DATA PROCESSORS
1. IT Service Provider of Our Company
CHAPTER III - ENSURING THE LAWFULNESS OF DATA PROCESSING
1. Data Processing Based on the Consent of the Data Subject
2. Data Processing Based on Compliance with Legal Obligations
3. Facilitating the Rights of the Data Subject
CHAPTER IV - VISITOR DATA PROCESSING ON THE COMPANY'S WEBSITE - INFORMATION ABOUT THE USE OF COOKIES
CHAPTER V - INFORMATION ABOUT THE RIGHTS OF THE DATA SUBJECT
INTRODUCTION
The General Data Protection Regulation (EU) 2016/679 (hereinafter: Regulation), concerning the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as well as the repeal of Directive 95/46/EC, stipulates that the Data Controller shall take appropriate measures to provide the data subject with every piece of information relating to the processing of personal data in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, and to facilitate the exercise of the data subject's rights.
The obligation to inform the data subject is also laid down in Act CXII of 2011 on informational self-determination and freedom of information.
With the information provided below, we comply with this legal obligation.
The information must be published on the company's website or sent to the data subject upon request.
CHAPTER I
IDENTIFICATION OF THE DATA CONTROLLER
The issuer of this information and the Data Controller is:
Company Name: ErdSoft doo
Registered Office: 24000 Subotica, Somborski put 33a, Serbia
Company Registration Number: 21354619
Tax Identification Number: 110478829
Representative: Dániel Erdudac
Phone: +381 60 44 60 555
Fax: Not available
Email: daniel.erdudac@erdsoft.com
Website: erdsoft.com
(hereinafter: Company)
CHAPTER II
IDENTIFICATION OF DATA PROCESSORS
Data Processor: a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller (Article 4(8) of the Regulation).
The use of a data processor does not require the prior consent of the data subject, but informing them is necessary. Accordingly, we provide the following information:
1. IT Service Provider of Our Company
For the maintenance and management of our website, our company uses a data processor that provides IT services (hosting services) and, as part of this, processes the personal data provided on the website for the duration of our contract with them. The operation they perform consists of storing the personal data on the server.
The name of this data processor is as follows:
Company Name: ErdSoft doo
Registered Office: 24000 Subotica, Somborski put 33a, Serbia
Company Registration Number: 21354619
Tax Identification Number: 110478829
Representative: Dániel Erdudac
Phone: +381 60 44 60 555
Fax: Not available
Email: daniel.erdudac@erdsoft.com
Website: erdsoft.com
CHAPTER III
ENSURING THE LAWFULNESS OF DATA PROCESSING
1. Data Processing Based on the Consent of the Data Subject
(1) If the Company intends to perform data processing based on consent, the consent of the data subject for the processing of their personal data must be obtained with the content and information specified in the data request form in the data processing policy.
(2) Consent shall also be deemed to have been given if the data subject checks a corresponding box while viewing the Company's website, makes relevant technical settings during the use of information society services, or makes any other statement or takes any other action that indicates the data subject's consent to the planned processing of their personal data in the given context. Silence, pre-checked boxes, or inaction do not constitute consent.
(3) The consent covers all data processing activities for the same purpose or purposes. If the processing serves multiple purposes simultaneously, the consent must be given for all data processing purposes.
(4) If the data subject gives their consent through a written statement that pertains to other matters as well—e.g., concluding a sales or service contract—the request for consent must be presented in a clear and easily accessible manner, with understandable and straightforward language, distinct from these other matters. Any part of such a statement containing the data subject's consent that violates the Regulation shall not have binding force.
(5) The Company cannot condition the conclusion or performance of a contract on the data subject's consent to the processing of personal data that is not necessary for the performance of the contract.
(6) The withdrawal of consent must be made possible in the same simple manner as its granting.
(7) If personal data has been collected with the data subject's consent, and in the absence of a different legal provision, the data controller can process the collected data for the purpose of fulfilling the relevant legal obligation without further separate consent, even after the withdrawal of the data subject's consent.
2. Data Processing Based on Compliance with Legal Obligations
(1) In the case of data processing based on a legal obligation, the scope of processable data, the purpose of data processing, the duration of data storage, and the recipients are determined by the relevant legal provisions.
(2) Data processing based on compliance with legal obligations is independent of the data subject's consent, as the processing is defined by law. The data subject must be informed clearly and in detail about the data processing before its commencement, including the purpose and legal basis of the data processing, the person or organization authorized to carry out the data controlling and data processing, the duration of data processing, whether the data controller processes the personal data of the data subject based on the legal obligation concerning them, and who may access the data. The information should also cover the data subject's rights and remedies related to data processing. In the case of mandatory data processing, the information may be provided by referring to the legal provisions containing the aforementioned information.
3. Facilitating the Rights of the Data Subject
The Company is obliged to facilitate the exercise of the data subject's rights during all data processing activities.
CHAPTER IV
VISITOR DATA PROCESSING ON THE COMPANY'S WEBSITE - INFORMATION ABOUT THE USE OF COOKIES
1. Visitors to the website must be informed about the use of cookies on the website, and their consent must be obtained for this, excluding technically essential session cookies.
2. General information about cookies
2.1. A cookie is data sent by the visited website to the visitor's browser (as a name-value pair), which the browser stores so that the website can read it back later. A cookie can have a validity period: it may be valid until the browser is closed or for an unlimited time. From then on, with every HTTP(S) request, the browser sends this data back to the server. A cookie therefore places data on the user's machine.
2.2. The essence of a cookie is that web service providers inherently need to identify a user (e.g., whether the user has logged into the site) and handle them accordingly afterwards. The danger lies in the fact that the user is not always aware of this, and a cookie can be used to track the user by the website operator or by another provider whose content is embedded on the site (e.g., Facebook, Google Analytics). In this case, the content of the cookie can be considered personal data.
2.3. Types of cookies:
2.3.1. Technically essential session cookies: Without these, the website would not function properly. They are necessary for visitors to browse the website smoothly and to fully use its functions and the services available through the website, including, among others, remembering the actions performed by the visitor on the respective pages or identifying a logged-in user during a visit. The data processing with these cookies applies only to the visitor's current visit; after the session ends or when the browser is closed, this type of cookie is automatically deleted from the visitor's computer.
2.3.2. Preference cookies: This is the usual name for cookies that store the user's choices, such as how the user wants to see the page. Essentially, these cookies hold the setting data itself.
2.3.3. Performance cookies: Although they have little to do with "performance," this is the usual name for cookies that collect information about the user's behavior within the visited website, such as time spent and clicks. These are typically set by third-party applications (e.g., Google Analytics, AdWords, or Yandex.ru cookies) and are suitable for building a user profile.
Information about Google Analytics cookies can be found here: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Information about Google AdWords cookies can be found here: https://support.google.com/adwords/answer/2407785?hl=en
2.4. Accepting or enabling the use of cookies is not mandatory. You can change your browser settings to reject all cookies or to notify you whenever a cookie is sent. Most browsers accept cookies automatically by default, but these settings can usually be changed to prevent automatic acceptance and to offer a choice every time.
For more information on cookie settings for popular browsers, please refer to the following links:
• Google Chrome: https://support.google.com/accounts/answer/61416?hl=en
• Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
• Microsoft Internet Explorer 11: http://windows.microsoft.com/en-us/internet-explorer/delete-manage-cookies#ie=ie-11
• Microsoft Internet Explorer 10: http://windows.microsoft.com/en-us/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
• Microsoft Internet Explorer 9: http://windows.microsoft.com/en-us/internet-explorer/delete-manage-cookies#ie=ie-9
• Microsoft Internet Explorer 8: http://windows.microsoft.com/en-us/internet-explorer/delete-manage-cookies#ie=ie-8
• Microsoft Edge: http://windows.microsoft.com/en-us/windows-10/edge-privacy-faq
• Safari: https://support.apple.com/en-us/HT201265
In addition to the above, please note that certain website features or services may not function properly without cookies.
3. Information about the cookies used on the Company's website and the data generated during the visit
3.1. Data processed during the visit: During the use of our company's website, the website may record and process the following data about the visitor and the device used for browsing:
• IP address used by the visitor,
• browser type,
• characteristics of the operating system of the browsing device (language settings),
• time of visit,
• the visited (sub)page, function, or service,
• clicks.
These data are kept for a maximum of 90 days and can primarily be used for investigating security incidents.
3.2. Cookies used on the website
3.2.1. Technically essential session cookies
Purpose of data processing: ensuring the proper operation of the website. These cookies are necessary for visitors to browse the website, use its functions smoothly and comprehensively, and access services available through the website. This includes, among others, remembering the actions performed by the visitor on the respective pages or identifying a logged-in user during a visit. The data processing with these cookies applies only to the visitor's current visit, and these cookies are automatically deleted from the visitor's computer after the session or when the browser is closed.
Legal basis for data processing: Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Elkertv.) 13/A. § (3), which states that the service provider may process personal data necessary for providing the service for the purpose of providing the service. Where the conditions are otherwise identical, the service provider must select and operate the tools used in the provision of information society services in such a way that personal data is processed only if absolutely necessary for providing the service and for other purposes defined in this Act, and even then only to the extent and for the duration necessary.
3.2.2. Preference cookies:
Purpose of data processing: improving the efficiency of the service, enhancing user experience, and making the use of the website more convenient.
This data resides primarily on the user's machine; the website only reads it in order to recognize the user.
Legal basis for data processing: the consent of the visitor.
3.2.3. Performance cookies:
Purpose of data processing: analyzing the website, sending advertisements.
Legal basis for data processing: the consent of the data subject.
CHAPTER V
INFORMATION ABOUT THE RIGHTS OF THE DATA SUBJECT
I. Summary of the rights of the data subject:
1. Transparent information, communication, and facilitation of the data subject's exercise of rights
2. Right to prior information - when personal data is collected from the data subject
3. Informing the data subject and providing information if the personal data was not obtained from the data subject
4. Right of access for the data subject
5. Right to rectification
6. Right to erasure ("right to be forgotten")
7. Right to restriction of processing
8. Obligation to notify regarding rectification, erasure, or restriction of processing of personal data
9. Right to data portability
10. Right to object
11. Automated decision-making in individual cases, including profiling
12. Limitations
13. Informing the data subject about data breaches
14. Right to lodge a complaint with the supervisory authority (right to administrative remedy)
15. Right to an effective judicial remedy against the supervisory authority
16. Right to an effective judicial remedy against the data controller or data processor
II. Detailed Rights of the Data Subject:
1. Transparent Information, Communication, and Facilitation of the Data Subject's Exercise of Rights
1.1. The data controller must provide the data subject with all information regarding the processing of personal data in a concise, transparent, understandable, and easily accessible form, clearly and in plain language, especially in the case of information addressed to children. Information must be provided in writing or by other means, including electronically if applicable. Upon request, oral information can also be provided, provided that the identity of the data subject has been otherwise verified.
1.2. The data controller must facilitate the exercise of the data subject's rights.
1.3. The data controller shall inform the data subject without undue delay, but in any case within one month from the receipt of the request, about the measures taken regarding the exercise of their rights. This period can be extended by two months under the conditions specified in the Regulation, of which the data subject must be informed.
1.4. If the data controller does not take action on the data subject's request, they shall inform the data subject without undue delay, but no later than one month from the receipt of the request, of the reasons for not taking action and the possibility to lodge a complaint with a supervisory authority and to seek a judicial remedy.
1.5. The data controller shall provide information and notifications regarding the data subject's rights free of charge. However, a fee may be charged in cases specified in the Regulation.
Detailed rules can be found in Article 12 of the Regulation.
2. Right to Prior Information - When Personal Data is Obtained from the Data Subject
2.1. The data subject is entitled to receive information about the facts and details related to data processing before the commencement of data processing. In this regard, the data subject must be informed of the following:
a) the identity and contact details of the data controller and their representative,
b) the contact details of the data protection officer (if applicable),
c) the purpose of the planned processing of personal data and the legal basis for the processing,
d) in the case of processing based on legitimate interests, the legitimate interests pursued by the data controller or a third party,
e) the recipients or categories of recipients of the personal data (if the personal data will be disclosed to recipients),
f) if applicable, whether the data controller intends to transfer personal data to a third country or international organization.
2.2. To ensure fair and transparent data processing, the data controller must also inform the data subject about the following additional information:
a) the period for which the personal data will be stored or, if not possible, the criteria used to determine that period,
b) the data subject's right to request access to, rectification, erasure, or restriction of processing of their personal data from the data controller, and the right to object to such processing, as well as the right to data portability,
c) in the case of processing based on the data subject's consent, the right to withdraw the consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal,
d) the right to lodge a complaint with a supervisory authority,
e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failing to provide such data,
f) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
2.3. If the data controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the data controller shall inform the data subject about that different purpose and any relevant additional information before such further processing.
The detailed rules for the right to prior information are contained in Article 13 of the Regulation.
3. Information to the Data Subject and Provided Information if Personal Data is Not Obtained from the Data Subject:
3.1. If the data controller did not obtain the personal data from the data subject, the data controller must inform the data subject within one month from the acquisition of the personal data at the latest. If the personal data is used for communication with the data subject, at the latest at the time of the first contact with the data subject, or if it is expected to be disclosed to other recipients, at the time of the first disclosure of the personal data, the data subject must be informed of the facts and information mentioned in point 2 above, as well as the categories of personal data concerned and, if applicable, whether the personal data originate from publicly accessible sources.
3.2. The provisions of point 2 above (Right to Prior Information) shall apply accordingly.
The detailed rules for this information are contained in Article 14 of the Regulation.
4. Right of Access
4.1. The data subject is entitled to receive feedback from the data controller on whether the processing of their personal data is ongoing and, if such processing is in progress, to have access to the personal data and the related information mentioned in the preceding points 2-3. (Article 15 of the Regulation).
4.2. If personal data is transmitted to a third country or an international organization, the data subject has the right to be informed about the appropriate safeguards in accordance with Article 46 of the Regulation.
4.3. The data controller must provide a copy of the personal data being processed to the data subject. For additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs.
Detailed rules regarding the right of access are provided in Article 15 of the Regulation.
5. Right to Rectification
5.1. The data subject is entitled to request that the data controller rectify inaccurate personal data concerning them, and the data controller must do so without undue delay.
5.2. Taking into account the purpose of the data processing, the data subject has the right to request the completion of incomplete personal data, including by means of providing a supplementary statement.
These rules are outlined in Article 16 of the Regulation.
6. Right to Erasure ("Right to Be Forgotten")
6.1. The data subject has the right to request the data controller to erase the personal data concerning them without undue delay, and the data controller is obliged to erase the personal data concerning the data subject without undue delay if:
a) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
c) the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
d) the personal data has been unlawfully processed;
e) the erasure of personal data is required to comply with a legal obligation under Union or Member State law to which the data controller is subject;
f) the personal data was collected in relation to the offer of information society services directly to a child.
6.2. The right to erasure does not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
c) for reasons of public interest in the area of public health;
d) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise, or defense of legal claims.
Detailed rules regarding the right to erasure are provided in Article 17 of the Regulation.
7. Right to Restriction of Processing
7.1. In the case of a restriction of processing, such personal data, except for storage, may only be processed with the data subject's consent or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State.
7.2. The data subject has the right to request the data controller to restrict processing if one of the following applies:
a) the accuracy of the personal data is contested by the data subject, in which case the restriction shall be for a period enabling the data controller to verify the accuracy of the personal data;
b) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the data controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise, or defense of legal claims; or
d) the data subject has objected to processing, pending the verification whether the legitimate grounds of the data controller override those of the data subject.
7.3. The data subject shall be informed in advance of the lifting of the restriction on processing.
The relevant rules are contained in Article 18 of the Regulation.
8. Obligation to Notify on Rectification, Erasure, or Restriction related to Personal Data
The data controller shall inform every recipient to whom or which the personal data have been disclosed of any rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort. The data controller shall inform the data subject about those recipients if the data subject requests it.
These rules can be found in Article 19 of the Regulation.
9. Right to Data Portability
9.1. Subject to the conditions specified in the Regulation, the data subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided, where:
a) the processing is based on consent or on a contract; and
b) the processing is carried out by automated means.
9.2. The data subject may request the direct transmission of personal data between data controllers.
9.3. The exercise of the right to data portability shall not adversely affect the right to erasure ("right to be forgotten") pursuant to Article 17 of the Regulation. The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. This right shall not adversely affect the rights and freedoms of others.
Detailed rules regarding the right to data portability are provided in Article 20 of the Regulation.
10. Right to Object
10.1. The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or on legitimate interests pursued by the controller or a third party, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
10.2. Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
10.3. The right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
10.4. The data subject may exercise the right to object by automated means using technical specifications.
10.5. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to their particular situation, shall have the right to object to processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The relevant rules can be found in Article 21 of the Regulation.
11. Automated Decision-Making, Including Profiling, in Individual Cases
11.1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
11.2. This right shall not apply in the following cases:
a) where the decision is necessary for entering into or performing a contract between the data subject and a data controller;
b) where the decision is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
c) where the decision is based on the data subject's explicit consent.
11.3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express their point of view, and to contest the decision.
Further rules on this can be found in Article 22 of the Regulation.
12. Restrictions
Union or Member State law to which the data controller or processor is subject may restrict the scope of the obligations and rights provided in Articles 12 to 22 and Article 34, as well as Article 5 with regard to processing for the purposes referred to in Article 1(1), (2), and (3), when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1).
The conditions and specifics of such restrictions are detailed in Article 23 of the Regulation.
13. Notification to the Data Subject in Case of a Data Breach
13.1. If a data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject about the data breach without undue delay. This notification shall describe the nature of the data breach and shall at least contain the following information:
a) the name and contact details of the data protection officer or other contact point where more information can be obtained;
b) a description of the likely consequences of the data breach;
c) a description of the measures taken or proposed to be taken by the data controller to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
13.2. The data subject shall not be informed if any of the following conditions are met:
a) the data controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
b) the data controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject referred to in paragraph 1 is no longer likely to materialize;
c) informing the data subject would involve a disproportionate effort. In such a case, a public communication or similar measure shall be used to inform data subjects.
Detailed rules regarding this are outlined in Article 34 of the Regulation.
14. Right to Lodge a Complaint with a Supervisory Authority (Right to Administrative Remedy)
The data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if the data subject considers that the processing of personal data relating to them infringes this Regulation. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy.
These rules are covered in Article 77 of the Regulation.
15. Right to an Effective Judicial Remedy against a Supervisory Authority
15.1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, every person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
15.2. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, every data subject shall have the right to an effective judicial remedy if the supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint.
15.3. The proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
15.4. Where proceedings are initiated against a decision of a supervisory authority, the supervisory authority shall forward that decision to the court.
These rules can be found in Article 78 of the Regulation.
16. Right to an Effective Judicial Remedy against the Data Controller or Processor
16.1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, every data subject shall have the right to an effective judicial remedy against a controller or processor where they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data that does not comply with this Regulation.
16.2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has their habitual residence, unless the controller or processor is a public authority of another Member State acting in the exercise of its public powers.
These provisions are detailed in Article 79 of the Regulation.
Place and date: Subotica, 2018.07.10
Dániel Erdudac
Director