Appendix to the Data Processing Policy
DATA PROCESSING INFORMATION REGARDING THE HANDLING OF PERSONAL DATA
CONTENTS
INTRODUCTION
CHAPTER I – NAME OF THE DATA CONTROLLER
CHAPTER II – NAME OF THE DATA PROCESSORS
1. IT Provider of Our Company
2. Card System Programmer of Our Company
CHAPTER III – ENSURING COMPLIANCE WITH DATA PROCESSING LAWS
1. Data Management Based on Consent from the Data Subjects
2. Data Management Based on the Fulfillment of Legal Obligations
3. Promotion of Data Subject Rights
CHAPTER IV – VISITOR DATA PROCESSING ON THE WEBSITE – COOKIE USAGE INFORMATION
CHAPTER V – INFORMATION ON THE RIGHTS OF THE DATA SUBJECT
INTRODUCTION
The European Parliament and Council Regulation (EU) 2016/679 (hereinafter referred to as the Regulation), which pertains to the protection of personal data and the free movement of such data, and the repeal of Directive 95/46/EC, stipulates that the data controller must take appropriate steps to ensure that data subjects are provided with comprehensive information regarding the handling of personal data in a concise, transparent, intelligible, and easily accessible form, as well as to ensure the exercise of data subject rights.
The requirement to inform data subjects of their rights to informational self-determination and the freedom of information is also stipulated in Act CXII of 2011.
The following text fulfills our obligations under the aforementioned laws and regulations.
This information must be made available on the company’s website or sent to the data subject upon request.
CHAPTER I NAME OF THE DATA CONTROLLER
The issuer of the information and also the data controller is:
Company Name: SZR HEKOM NERAC BORE VÁLLALKOZÁS KAĆ
Headquarters: Kać
Company Registration Number: 55786950
Tax Number: 102541118
Representative: Bore Nerac
Phone Number: +381 63 / 502 544
Email Address: 021.hekom@gmail.com
Website: gumazafrizider.rs/en
(hereinafter referred to as the Company)
CHAPTER II NAME OF THE DATA PROCESSORS
The data processor is a natural or legal person, public authority, agency, or any other body that processes data on behalf of the data controller (Article 4(8) of the Regulation).
The use of data processors does not require the consent of the data subject but necessitates informing the data subject. According to these regulations, we provide the following information:
For our IT service provider: The company responsible for maintaining and managing our website provides IT services (hosting services) and, within the framework of the contract between the parties, processes the personal data left on the website by storing it on the server.
The data processor’s name and details are:
Company Name: ErdSoft Ltd.
Headquarters: 24000 Subotica, Somborski put 33a, Serbia
Company Registration Number: 21354619
Tax Number: 110478829
Representative: Daniel Erdudac
Phone Number: +381 60 44 60 555
Fax: None
Email Address: daniel.erdudac@erdsoft.com
Website: erdsoft.com
CHAPTER III ENSURING COMPLIANCE WITH DATA PROCESSING LAWS
1. Data Processing Based on the Data Subject's Consent
(1) If the Company wishes to process data based on consent, it must obtain the necessary consent for processing personal data through the completion of the appropriate form defined by the data processing policy.
(2) Consent is also considered to be given when a user marks the consent request field on the Company’s website or completes the related technical settings when using IT services, as well as by any other declaration or act that clearly indicates the data subject’s consent to the planned processing of their personal data. Silence, pre-ticked boxes, or inaction do not constitute consent.
(3) Consent applies to all processing activities for the same purpose or purposes. If data processing occurs for several different purposes, separate consent is required for each purpose.
(4) If the data subject provides consent through a written declaration that covers other purposes as well—such as for sales or service contracts—the consent must be requested in a way that is clear, simple, comprehensible, and distinctly separated from other purposes. Parts of such declarations that do not comply with the Regulation are invalid.
(5) The Company cannot condition the conclusion or performance of a contract on the consent to process personal data that is not necessary for the contract.
(6) Withdrawing consent must be as easy as giving consent.
(7) If personal data is collected with the data subject's consent, the data controller may use the data for legal obligations as per relevant regulations without additional consent, even after the consent has been withdrawn.
(8) The website does not intentionally collect data from minors (under 16 years of age). If data from a minor is collected, it will be deleted without delay once this comes to our attention.
2. Data Processing Based on Legal Obligations
(1) In cases of data processing based on legal obligations, the scope of the data, the purpose of processing, the duration of data retention, and the data recipients are determined by the relevant laws.
(2) Data processing based on legal obligations does not depend on the consent of the data subject, as the processing is mandated by law. In this case, the data subject must be informed before the data collection that the collection is mandatory, and detailed and clear information must be provided about all aspects of the data processing, particularly the purpose and legal basis for the processing, the competent authority for the processing, the duration of processing, the compliance with laws, and who has access to the data. The information must also include the rights of the data subject and how to exercise those rights. For mandatory data processing, making the relevant laws publicly available can also be considered as providing information, as long as it includes the aforementioned details.
3. Exercise of Data Subject Rights
The Company is obligated to ensure that the data subject can exercise their rights during data processing activities.
CHAPTER IV VISITOR DATA PROCESSING ON THE WEBSITE – SPECIAL INFORMATION ON THE USE OF COOKIES
1. Visitors to the website must be informed about the use of cookies, and consent must be obtained from the visitor for any cookie that is not technically necessary.
2. General Information about Cookies
2.1. A cookie is a piece of data that the visited website sends to the visitor's browser (as a value), so that the browser stores it and the same website can later retrieve its content. Cookies may be valid until the browser is closed or for an unlimited period. On each later HTTP(S) request, the browser sends this information back to the server. A cookie thus modifies data on the user's device.
2.2. The purpose of cookies is to identify and track the user (e.g., during website login) and to manage the same user appropriately in subsequent instances. The risk lies in the fact that users may not always be aware that cookies identify them, which allows the website owner or other providers (e.g., Facebook, Google Analytics) to track the user. Tracking involves creating user profiles, and in this case, the contents of cookies are treated as personal data.
2.3. Types of Cookies:
2.3.1. Technically Necessary Session Cookies: Without these, websites do not function properly; they are used for user identification, such as during login, tracking items added to the cart, etc. Typically, only the session identifier is stored in the cookie, while other data remains on the server, which enhances security. If the session cookie value is not properly generated, there is a risk of session hijacking, so it is essential that these values are generated correctly. In other terminology, a session cookie is any cookie that is deleted when the browser is closed (the session being the browser's use from start to end).
2.3.2. Cookies that Facilitate Use: These cookies remember user choices – such as the preferred format of the page. They essentially store setting information.
2.3.3. Performance Cookies: While not necessarily related to "performance," these cookies collect information about user behavior, clicks, and time spent on the website. These are generally third-party applications (e.g., Google Analytics, AdWords). They are suitable for profiling visitors.
For more information on Google Analytics cookies, visit: Analytics-cookies
For more information on Google AdWords cookies, visit: Google support
2.4. Accepting or enabling cookies is not mandatory. Browser settings allow for automatic rejection of all cookies or notifications when the system sends a cookie. Most browsers accept cookies by default, but settings can generally be adjusted to prevent automatic acceptance, giving the user the option to accept or reject cookies.
Refer to the following links for cookie settings on the most popular browsers:
• Google Chrome: Chrome support
• Firefox: Firefox support
• Microsoft Internet Explorer 11: Microsoft support
• Microsoft Internet Explorer 10: Microsoft support
• Microsoft Internet Explorer 9: Microsoft support
• Microsoft Internet Explorer 8: Microsoft support
• Microsoft Edge: Microsoft support
• Safari: Apple support
Note that certain website functions or services may not work properly without cookies.
3. Information on Cookies Used on the Website and Data Generated
3.1. Data Processed During a Visit
Our website may collect the following information about the visitor or the device used:
• The visitor's IP address,
• The type of browser,
• The characteristics of the operating system of the device used by the visitor (set language),
• The time of the visit,
• (Sub)pages, functions, or services visited,
• Clicks.
This data is stored for up to 90 days and is primarily used for testing security events.
3.2. Cookies Used on the Website
3.2.1. Technically Necessary Session Cookies
Cookies are managed to ensure the website functions correctly. These cookies are necessary for visitors to browse the website without issues and fully utilize all its functions and services, including – especially – remembering visitor comments on a particular page or identifying logged-in users during the visit. Such cookies are limited to the current visit and are automatically deleted from the user's computer when the session ends or when the browser is closed.
The legal basis for processing this data is Section 13/A (3) of Act CVIII of 2001 on Electronic Commerce and Information Society Services, which allows the service provider to process personal data technically necessary for providing the service. If other conditions remain unchanged, service providers must choose and use tools necessary for providing information society services in a way that personal data is only processed as strictly necessary for providing the service and fulfilling other necessary purposes, and only to the extent and duration required.
3.2.2. Cookies that Facilitate Use
These cookies remember user choices, such as the preferred format of the page. They essentially store setting data.
The legal basis for processing this data is the visitor's consent.
The purpose of managing these cookies is to increase the effectiveness of services, improve the user experience, and ensure more convenient use of the website.
This data is found on the user's computer, accessed by the website, and used to identify the visitor.
3.2.3. Performance Cookies
This type of cookie collects information about user behavior, time spent on the website, and clicks. These cookies are generally third-party applications (e.g., Google Analytics, AdWords).
The legal basis for processing this data is the consent of the data subject.
The purpose of managing these cookies is to analyze the website and send promotional offers.
CHAPTER V INFORMATION ON RIGHTS RELATED TO PERSONAL DATA
I. Summary of Rights Related to Personal Data:
- Transparent information, communication, and methods for exercising rights related to personal data
- Prior information if data is collected from the data subject
- Information if data is not collected from the data subject
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Obligation to notify about rectification, erasure, or restriction of processing
- Right to data portability
- Right to object
- Automated decision-making, including profiling
- Limitations
- Information on data breaches
- Right to lodge a complaint with a supervisory authority
- Right to an effective judicial remedy against the supervisory authority
- Right to an effective judicial remedy against the data controller or processor
II. Detailed Information on Rights Related to Personal Data:
1. Transparent Information, Communication, and Methods for Exercising Rights
1.1. The data controller must take appropriate measures to ensure that data subjects receive all information about data processing in a transparent, understandable, and easily accessible form, in clear and simple language, especially for information intended for children. Information should be provided in writing or by other means, such as electronically, if necessary. Information can also be made available verbally upon request, provided that the data subject has been identified by other means.
1.2. The data controller assists the data subject in exercising their rights.
1.3. The data controller must inform the data subject immediately, but no later than one month, about the actions taken in response to a request. This period may be extended by an additional two months if necessary, and the data controller is obligated to notify the data subject of any such extension.
1.4. If the data controller does not fulfill the data subject’s request, they must inform the data subject immediately or at the latest within one month of the reasons for refusal and the possibility of lodging a complaint with a supervisory authority and seeking judicial remedy.
1.5. Information, communication, and actions should be provided free of charge, although a fee may be charged in certain cases as regulated by the provisions.
Detailed rules are contained in Article 12 of the Regulation.
2. Prior Information if Data is Collected from the Data Subject
2.1. If the data controller collects personal data from the data subject, they must provide the following information during the data collection:
a) The identity and contact details of the data controller, and, if applicable, the data controller’s representative;
b) The contact details of the data protection officer, if applicable;
c) The purposes of the data processing and the legal basis for processing;
d) If the processing is based on a legal obligation or the legitimate interests of the data controller or a third party;
e) The categories of personal data, if applicable;
f) If applicable, the fact that the data controller intends to transfer the personal data to a third country or an international organization.
2.2. The data controller must provide additional information to ensure the fairness and transparency of data processing:
a) The period for which the data will be stored, or, if not possible, the criteria used to determine the storage period;
b) The rights to access, rectification, or erasure of data, restriction of processing, as well as the right to lodge a complaint and the right to data portability;
c) If the processing is based on the data subject’s consent, the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal;
d) The right to lodge a complaint with a supervisory authority;
e) The fact that providing data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and the consequences of not providing data;
f) The existence of automated decision-making, including profiling, and, at least in such cases, information about the logic involved, as well as the significance and consequences of such processing for the data subject.
2.3. If the data controller intends to process personal data for purposes other than those for which it was collected, they must inform the data subject of the new purpose and all relevant information before further processing.
Detailed rules are contained in Article 13 of the Regulation.
3. Information if Data is Not Collected from the Data Subject
3.1. If personal data is not collected from the data subject, the data controller must inform the data subject, within one month, of the information described in point 2, the categories of personal data, and the source of the data, including whether the personal data comes from publicly accessible sources. If the data is used to contact the data subject, this information must be provided at the latest at the first contact; if the data is transmitted to other users, no later than before the first transmission.
3.2. Other rules apply as described in point 2 (Prior Information).
Detailed rules are contained in Article 14 of the Regulation.
4. Right of Access
4.1. The data subject has the right to obtain confirmation from the data controller as to whether their personal data is being processed, and if so, to access the personal data and the information described in points 2 and 3.
4.2. If personal data is being transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards in accordance with Article 46.
4.3. The data controller must provide a copy of the personal data being processed. For any additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs.
Detailed rules are contained in Article 15 of the Regulation.
5. Right to Rectification
5.1. The data subject has the right to have the data controller immediately rectify inaccurate personal data concerning them.
5.2. Depending on the purposes of the processing, the data subject also has the right to complete incomplete personal data, including by providing additional statements.
Detailed rules are contained in Article 16 of the Regulation.
6. Right to Erasure (“Right to be Forgotten”)
6.1. The data subject has the right to obtain from the data controller the immediate erasure of personal data concerning them, and the data controller is required to erase personal data without undue delay if any of the following conditions apply:
a) The personal data is no longer necessary for the purposes for which it was collected or processed;
b) The data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
c) The data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
d) The personal data has been unlawfully processed;
e) The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject;
f) The personal data was collected in relation to the offer of information society services to children.
6.2. The right to erasure does not apply if the processing is necessary for:
a) The exercise of the right to freedom of expression and information;
b) Compliance with a legal obligation which requires processing by Union or Member State law, or for the performance of a task carried out in the public interest or in the exercise of official authority;
c) Reasons of public interest in the area of public health;
d) Archiving in the public interest, scientific or historical research purposes, or statistical purposes, where the erasure is likely to seriously impair or jeopardize the achievement of the purposes of such processing; or
e) The establishment, exercise, or defense of legal claims.
Detailed rules are contained in Article 17 of the Regulation.
7. Right to Restriction of Processing
7.1. When the processing of personal data is restricted, the data may only be processed with the data subject’s consent, except where processing is necessary for the establishment, exercise, or defense of legal claims, the protection of the rights of other persons, or for important public interests of the Union or a Member State.
7.2. The data subject may request the restriction of processing from the data controllers if any of the following conditions are met:
a) The data subject contests the accuracy of the data, while the data controller verifies its accuracy;
b) The processing is unlawful, and the data subject opposes the deletion of the data and requests the restriction of its use instead;
c) The data controller no longer needs the data, but the data subject requires it for the establishment, exercise, or defense of legal claims;
d) The data subject has objected to the processing, and it has not yet been determined whether the data controller’s legitimate interests override the data subject’s interests.
7.3. If the data subject has obtained restriction of processing, the data controller will inform them before lifting the restriction.
Detailed rules are provided in Article 18 of the General Data Protection Regulation (GDPR).
8. Obligation to Inform on Rectification, Erasure, or Restriction of Processing
The data controller must inform all data recipients to whom personal data have been disclosed of any rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort. The data controller must inform the data subject about these recipients if the data subject requests it.
Detailed rules are provided in Article 19 of the General Data Protection Regulation (GDPR).
9. Right to Data Portability
9.1. The data subject has the right to receive personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format, and to transmit those data to another data controller without hindrance from the first data controller if:
a) The processing is based on the data subject’s consent or on a contract; and
b) The processing is carried out by automated means.
9.2. In exercising the right to data portability, the data subject has the right to have the data transmitted directly from one data controller to another, where technically feasible.
9.3. The exercise of the right to data portability shall not adversely affect the rights and freedoms of others. This right does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
Detailed rules are provided in Article 20 of the General Data Protection Regulation (GDPR).
10. Right to Object
10.1. The data subject may object to the processing of their personal data at any time, on grounds relating to their particular situation, based on Article 6(1)(e) or (f) of the GDPR, including profiling based on those provisions. The data controller shall no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the data subject’s interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
10.2. If the personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, including profiling related to direct marketing. If the data subject objects, the personal data shall no longer be processed for such purposes.
10.3. The data subject must be clearly informed of their right to object in the course of the first communication, separate from other information.
10.4. The data subject can exercise the right to object by automated means, using technical specifications.
10.5. If personal data are processed for scientific or historical research purposes or statistical purposes, the data subject may object to the processing, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Detailed rules are provided in Article 21 of the General Data Protection Regulation (GDPR).
11. Automated Decision-Making, Including Profiling
11.1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
11.2. This right does not apply if the decision:
a) Is necessary for entering into, or performance of, a contract between the data subject and the data controller;
b) Is authorized by Union or Member State law that also provides for suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
c) Is based on the data subject’s explicit consent.
11.3. In the cases referred to in (a) and (c), the data controller must implement appropriate measures to safeguard the data subject’s rights, freedoms, and legitimate interests, including at least the right to obtain human intervention, to express their point of view, and to contest the decision.
Detailed rules are provided in Article 22 of the General Data Protection Regulation (GDPR).
12. Restrictions
Union or Member State laws may restrict the obligations and rights provided in Articles 12 to 22 and Article 34 of the GDPR, provided that such restrictions respect the essence of the fundamental rights and freedoms.
The conditions for restrictions are provided in Article 23 of the General Data Protection Regulation (GDPR).
13. Notification to the Data Subject of a Personal Data Breach
13.1. When a personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the data controller shall promptly notify the data subject of the breach, describing the nature of the breach, the information available, the consequences of the breach, and the measures taken or proposed to be taken.
13.2. Notification is not required if:
a) Technical and organizational protection measures, such as encryption, were applied;
b) Measures were taken that render the data unintelligible to unauthorized persons;
c) Notification would require disproportionate effort, in which case a public communication or similar measure may be used.
Detailed rules are provided in Article 34 of the General Data Protection Regulation (GDPR).
14. Right to Lodge a Complaint with a Supervisory Authority
Any person has the right to lodge a complaint with a supervisory authority in the Member State of their habitual residence, place of work, or the place of the alleged infringement if they believe that the processing of personal data infringes the regulation. The supervisory authority shall inform the complainant of the progress and outcome of the complaint, including the possibility of judicial remedy.
Detailed rules are provided in Article 77 of the General Data Protection Regulation (GDPR).
15. Effective Judicial Remedy Against a Supervisory Authority
15.1. Any natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority.
15.2. If the supervisory authority does not act on the complaint or fails to inform the data subject within three months, the data subject is entitled to an effective judicial remedy.
15.3. Proceedings against a supervisory authority are to be brought before the courts of the Member State where the supervisory authority has its seat.
15.4. If an opinion or decision of the European Commission has been issued before the decision of the supervisory authority, the supervisory authority must forward the opinion or decision to the court.
Detailed rules are provided in Article 78 of the General Data Protection Regulation (GDPR).
16. Effective Judicial Remedy Against the Data Controller or Processor
16.1. The data subject has the right to an effective judicial remedy if they consider that their rights under the regulation have been infringed as a result of processing.
16.2. Proceedings against the data controller or processor are to be brought before the courts of the Member State where the data controller or processor is established, or where the data subject resides, except where proceedings are brought by public authorities.
Detailed rules are provided in Article 79 of the General Data Protection Regulation (GDPR).