Personal data protection policy
INTRODUCTION
The CHAMBER OF COMMERCE AND INDUSTRY OF SERBIA with the head office in Belgrade at the address: 13-15, Resavska Street, 11000 Belgrade, Registration Number: 07000529; Tax ID: 100296837 (hereinafter referred to as the: Chamber) deals with personal data processing very seriously and treats all personal data responsibly since it is committed to its intention to achieve full compliance with all legal obligations in this respect and this is not limited only to the Law on Personal Data Protection (“The Official Gazette of the Republic of Serbia” Number 87/18, hereinafter referred to as the: Law).
The Personal Data Protection Policy (hereinafter referred to as the: Policy) contains a detailed overview of activities related to personal data processing, which is organised and conducted by the Chamber as the Data Controller, but also all information important for data subjects.
BASIC DATA ABOUT THE CHAMBER
The Chamber is an interest, business and professional and non-profit organisation of business entities that are connected by common business interests in order to coordinate and represent interests of members and to encourage economic activities at the territory of the Republic of Serbia.
The members of the Chamber are all business entities that perform registered business activities at the territory of the Republic of Serbia. For the purpose of joint development of work and business, coordination of special and common interests, proposal of measures for the advancement of economic environment and for the improvement of business conditions in accordance with prevailing activities that they perform, the members of the Chamber are organised in branch associations. Within the network of regional chambers of commerce and industry and the chamber of commerce of the capital city, professional support and efficient representation of interests are provided for the economy in the regions. Through operations of representative offices in several European countries that are main foreign trade partners, special importance is given to the internationalisation of business operations and to international connections of the domestic economy.
The Chamber represents interests and views of its members by the participation in drafting laws and other regulations relevant for the business community; it promotes economic cooperation with foreign countries; it provides information and analytical support to the economy; it encourages export activities and participation of domestic companies in international supply chains. The connection of the economy and science encourages the use of new technologies and knowledge in modern business operations and in manufacturing. All members of the Chamber have rights and obligations that are defined by the law and by internal documents. The Chamber is autonomous and independent in its activities. The Chamber is managed by its members through their representatives in the Chamber’s bodies and these representatives are elected in such a way to ensure equal representation of interests of the economy. The Chamber’s bodies are: the Assembly, the Board of Directors, the Supervisory Board and the President.
For the purpose of performing all legally delegated tasks and activities and in numerous aspects of its business operations, the Chamber collects and processes personal data of its employees, as well as personal data of other entities, persons employed in companies that are members of the Chamber, personal data of participants in the events that are organised by the Chamber such as trade fairs, seminars and training courses, then personal data of persons who use different types of services provided by the Chamber and personal data of entities within other activities performed by the Chamber in its business operations.
In addition, the Chamber collects and processes personal data that can be contained in video recordings of surveillance cameras that are located in the business premises of the Chamber, as well as audio and video recordings of events organised by the Chamber.
Also, when Internet presentations and other Internet portals owned by the Chamber are visited, it is possible that personal data of website visitors are processed. The Chamber also uses most modern channels of communication with its members and with the public, such as Facebook and Instagram, as well as Twitter, etc. To a certain extent, personal data can also be found in such forms of communication.
In the following sections, the Chamber shall provide a detailed overview of the types of personal data that are processed, the categories of data subjects, the legal basis and the purposes of processing, as well as the rights of data subjects.
MEANING OF CERTAIN TERMS
In this Policy, certain terms shall have the following meanings:
- Data Subject - a natural person whose personal data are processed;
- Data Controller - the Chamber since it determines the purpose and manner of personal data processing;
- Data Processor – a natural person or a legal entity that processes personal data on behalf of the Data Controller;
- Personal Data Processing – any operation or the set of operations that are performed automatically or non-automatically with personal data or with their sets, such as collecting, recording, sorting, grouping, structuring, storing, matching or modifying, detecting, inspecting or disclosing, using, disclosing by transmission and/or delivery, copying, spreading or otherwise making available, comparing or grouping, restricting, deleting or destroying (hereinafter referred to as the: processing);
- Commissioner – the Commissioner for Information of Public Importance and Personal Data Protection.
All other terms that have not been explicitly defined above but that are mentioned in the Policy shall have the same meaning as in the Law.
PRINCIPLES OF PERSONAL DATA PROCESSING
The Data Controller shall be obliged to adhere to all data processing principles prescribed by the Law, as well as to the following:
- Every data processing has to be lawful, fair and transparent which, among other things, implies the following:
  - It is based on a corresponding legal basis (depending on the purpose of processing and on the category of data subjects),
  - Personal data are collected and processed in a fair and just manner and/or in a manner that respects the rights of data subjects, but also obligations prescribed by the Law,
  - All data subjects are previously fully informed about all significant aspects of data processing in a simple and understandable language; among other things, this Policy is published and available to all data subjects. The Data Controller shall be always ready to provide all information that is relevant for the relevant data subject;
- Personal data shall be collected and processed for specifically defined, explicit, justified and lawful purposes (limitations regarding the purpose of processing);
- Personal data have to be adequate, relevant and limited to what is necessary in relation to the purpose of processing (minimisation of processing in the context of the purpose);
- Collected personal data have to be accurate (as obtained from the data subject) and, when necessary, kept up to date (data accuracy);
- Personal data shall be kept in a form that allows identification of data subjects only for the period of time that is necessary for the fulfilment of the relevant purpose of processing (limitation of storage);
- Data processing shall be done in a manner that ensures appropriate personal data protection primarily the protection against unauthorised or unlawful processing, accidental loss, destruction or damage by means of using appropriate technical, personnel or organisational measures (integrity and confidentiality).
TYPES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS
Depending on the category of data subjects, the Data Controller shall process the following personal data:
- From employees and persons hired for work, personal data shall be collected and processed in compliance with positive legal regulations governing the field of labour relations and regulations governing the field related to the payment of salaries and other benefits to employees and/or persons hired for work. This type of processing is necessary in order to comply with the legal obligations of the Data Controller in terms of the Article 12, Paragraph 1, Item 3) of the Law;
- From candidates for employment or candidates to be hired for work, personal data that are contained in a professional biography (CV), such as name and surname, date and place of birth, addresses of residence, contact information, such as telephone number, e-mail and other data shall be collected and processed. This type of processing shall be done on the basis of the consent of the data subject in terms of the Article 12, Paragraph 1, Item 1) of the Law or at the request of the data subject in terms of the Article 12, Paragraph 1, Item 2) of the Law.
- From members of the Chamber - entrepreneurs, representatives of legal entities and other business entities that are members of the Chamber, personal data shall be collected and processed in compliance with positive regulations governing this area and primarily in compliance with the Law on the Chamber of Commerce (“The Official Gazette of the Republic of Serbia”, No. 112/15).
- From persons who use some type of services provided by the Chamber, personal data necessary for the provision of such services shall be processed (name and surname, Unique Master Citizen Number, personal ID card number, name of the business entity, function performed in the business entity, e-mail address and telephone number). When it comes to concluding a contract with the Chamber, in the pre-contractual phase, processing shall be done at the request of the person who is the other contracting party; then, personal data necessary to fulfil the contractual obligation of the Data Controller (in the phase of the contract validity) and personal data that are kept after the expiration of the contractual relationship on the basis of legal regulations (post-contractual phase) shall be processed. This processing is necessary for the execution of the contract concluded with the data subject and/or for taking action at the request of the data subject before the conclusion of the contract in terms of the Article 12, Paragraph 1, Item 2) of the Law and/or in order to respect legal obligations of the Data Controller referred to in the Article 12, Paragraph 1, Item 3) of the Law;
- From visitors of Internet presentations of the Chamber, personal data, such as name and surname, username and password and IP address, shall be collected and processed. From visitors of https://usluge.pks.rs, in addition to above specified, personal data, such as the Unique Master Citizen Number, telephone number and e-mail address, shall also be collected and processed. The legal basis for this type of personal data processing is the consent of the data subject in terms of the Article 12, Paragraph 1, Item 1) of the Law;
- From visitors of events organised by the Chamber, personal data, such as name and surname, personal ID card number, the name of the visitor’s company, e-mail address, telephone number, photograph or video recording that can contain personal data (the photograph of data subject’s face) shall be collected and processed. The legal basis for this type of personal data processing is the consent of the data subject in terms of the Article 12, Paragraph 1, Item 1) of the Law;
- From persons who communicate or come into contact with the Chamber, personal data, such as name and surname and other data that are given to the Chamber by the data subject shall be collected and processed. The legal basis for this type of processing of personal data is the consent of the data subject in terms of the Article 12, Paragraph 1, Item 1) of the Law;
- From persons recorded by video surveillance cameras, photographs and videos shall be collected and processed on the basis of which relevant data subjects can be identified. The legal basis for this type of processing is the legitimate interest of the Data Controller in terms of the Article 12, Paragraph 1, Item 6) of the Law.
PURPOSE OF PERSONAL DATA PROCESSING
The Chamber shall use personal data for the following purposes:
- Fulfilment of legal obligations to the extent that it is prescribed (in relation to employees and persons hired for work, legal representatives and employees of companies that are members of the Chamber and other persons whose data are processed to the extent prescribed by the Law);
- Preparation, conclusion and fulfilment of contracts (in relation to candidates for employment, members of the Chamber, as well as to all other natural persons or legal entities that conclude contracts with the Chamber directly or as representatives/agents);
- Physical protection of business property, business premises and preservation of safe environment for employees in such a way that basic rights of data subjects are protected (video surveillance, identification, etc.);
- Communication with the data subject at his/her request (persons that in some way get in contact with the Chamber by means of e-mails, internet presentations, telephones, etc.);
- Data analysis (that refers to all data about persons who use internet presentations of the Chamber, Facebook, Instagram, etc.);
- Improvement of activities and business operations of the Chamber on the basis of the feedback (in relation to data subjects, except employees and candidates for employment);
- Creation and management of online profiles (for participants of Internet presentations and of other Internet portals owned by the Chamber);
- Sending information about the Chamber’s activities and news (Newsletter and other similar information materials) - for natural persons within the members of the Chamber (legal representatives and employees of legal entities that are members of the Chamber or entrepreneurs), newsletter subscribers and other persons who have provided their consent for obtaining such information.
LEGAL BASIS
The Chamber shall collect and process personal data only provided that such data collection and processing is done on the appropriate legal basis. Depending on the purpose for which data are collected and on categories of data subjects, processing of personal data shall be carried out on the basis of the following:
- The consent of the data subject (the Article 12, Paragraph 1, Item 1) of the Law) with a prior notice to the data subject about all relevant aspects of processing. The consent of the data subject is voluntary, explicit, informed and unambiguous and can be revoked at any time;
- The respect of legal obligations by the Data Controller (the Article 12, Paragraph 1, Item 3) of the Law) because the Chamber is a legally defined organisation of business entities and it is obliged to comply with regulations that govern this activity. Also, the Chamber has certain public authorisations that are delegated to it by ratified international treaties and by special laws. The Chamber shall process personal data for these purposes exclusively to the extent that is necessary for the fulfilment of these obligations, provided that it has undertaken all necessary measures in order to enable access to personal data only to authorised persons and to state bodies;
- The execution of contracts and/or undertaking activities before the conclusions of the contract (the Article 12, Paragraph 1, Item 2) of the Law) only to the extent that is necessary for such a purpose;
- The protection of legitimate interests of the Chamber and/or legitimate interests of third parties (the Article 12, Paragraph 1, Item 6) of the Law) only exceptionally for the purpose of achieving legitimate interests such as physical protection of the business property, business premises, preservation of safe environment for employees, etc. but in such a way that basic rights of data subjects are protected (video surveillance, identification, etc.).
DATA PROCESSORS, RECIPIENTS AND USERS AND OTHER PERSONS
Personal data that are collected and processed by the Chamber can be given to:
- Competent state authorities as recipients or to the group of recipients and users in compliance with the Law;
- Business entities for physical security as processors;
- Business entities that make personal data processing software as processors;
- Business entities that maintain information and communication systems of the Chamber as processors;
- Hosting business entities as processors;
- Other natural persons and legal entities that belong to the category of data processors, data recipients or data users in compliance with applicable laws and regulations.
Personal data can be given to competent state authorities if this is necessary to fulfil legal obligations of the Chamber provided that the use of personal data by state authorities is limited to the minimum that is necessary to meet specific legal requirements. The Chamber as the Data Controller shall conclude the Contract with processors about entrusted personal data processing which regulates the position of the processor, its tasks in relation to data processing and measures of protection that it shall be obliged to undertake and other important issues related to personal data processing that it shall perform on behalf of the Chamber.
The majority of data processing operations shall be performed by processors that are registered and that perform their activities at the territory of the Republic of Serbia. However, some of data processing operations can also be provided by processors registered and operating in the EU or in third countries.
The transfer in these countries shall be done as follows:
- On the basis of the decision about the adequacy for EU/ EEA countries in compliance with the Article 64 of the Law. The cross-border transfer to these countries shall be free (without the prior approval of the Commissioner) in accordance with the Paragraph 2 of the same Article;
- On the basis of adequate guarantees in compliance with the Article 65, Paragraph 2, Item 2) of the Law, that is, on the basis of the agreement (Personal Data Transfer Agreement) that includes standard clauses for personal data protection that have been enacted by the Commissioner. The processor shall be entitled to engage sub-processors only with the prior special consent given by the Chamber in writing and with the obligation to conclude the agreement with such a person depending on the head office of the sub-processor or to prepare another document that shall provide at least the same level of protection as the above mentioned agreement.
DATA SUBJECTS THAT ARE LEGAL ENTITIES
The Data Subject has the following rights:
- The right to be notified about personal data that are being processed (the Article 23 of the Law);
- The right to withdraw the consent – the withdrawal leads to the cancellation of any further operation of processing provided that data processing performed before the withdrawal of the consent shall be considered as lawful (the Article 15, Paragraph 3 of the Law);
- The right to access personal data that are being processed - the right to submit a request to the Data Controller as to whether his/her personal data are being processed and what the purpose of the processing is. In the case of such a request, the Data Controller shall be obliged to provide free of charge the copy of personal data that are the subject matter of processing and/or it can request reimbursement of costs necessary for making additional copies and, if the request is submitted electronically, the information shall be delivered in usually used electronic form (the Article 26 of the Law);
- The right to corrections - the right to correct inaccurate personal data without any delays (the Article 29 of the Law);
- The right to deletion (the right to be forgotten) - the right to request the deletion of personal data if requirements referred to in the Article 30 of the Law have been fulfilled;
- The right to limit processing - the right to request the restriction of processing if the requirements referred to in the Article 31 of the Law have been fulfilled;
- The right to data transferability - the right to receive personal data in a structured and in a commonly used and electronically readable form, as well as the right to transfer data to another Data Controller (the Article 36 of the Law);
- The right to object - the right of the data subject to object to personal data processing at any time in compliance with the Article 37 of the Law;
- The rights regarding automated decision-making including profiling - the right that he or she is not subject to the decision that has been made solely on the basis of automated processing including profiling in compliance with the Article 38 of the Law;
- The right of the data subject to be notified about the violation of personal data - the right to be notified about the violation of personal data if that violation can produce a high risk to the rights and freedoms of natural persons in compliance with the Article 53 of the Law;
- The right to file a complaint to the Commissioner - if he/she believes that processing of his/her personal data has been performed contrary to the provisions of the Law (the Article 82 of the Law);
- The right to judicial protection - against the decision of the Commissioner (the Article 83 of the Law) and if he/she believes that, contrary to the law, the Data Controller or the Data Processor has violated his/her right prescribed by law in the processing operation (the Article 84).
- The right to receive compensation for damages - if he/she has suffered material or non-material damage due to the violation of the provisions of the Law (the Article 86).
The contact of authorities in charge of personal data protection in the Republic of Serbia: The Commissioner for Information of Public Importance and Personal Data Protection, The address: 15, Bulevar Kralja Aleksandra Street, 11120 Belgrade, Republic of Serbia; E-mail: office@poverenik.rs
The Commissioner shall provide to the data subject all relevant information concerning his/her rights prescribed by the Law.
MEASURES FOR PERSONAL DATA PROTECTION
The Chamber as the Data Controller shall apply the highest standards with reference to personal data protection and accordingly the Chamber shall use all necessary organisational, technical and personnel measures in order to ensure personal data protection against accidental, unlawful or unauthorised destruction, loss, disposal, ambiguity, access, disclosure or use, including the following:
- Technical protection measures;
- Control of physical access to systems where personal data are stored;
- Data access control;
- Data transfer control;
- Personal data input control;
- Data availability control;
- Other measures regarding the security of information;
- All other measures that are necessary to ensure the adequate level of personal data protection.
Third parties that have access to or otherwise process personal data, including joint controllers shall also be required to act in compliance with above specified measures.
TIMEFRAME FOR THE STORAGE OF DATA
The Chamber shall process personal data within the timeframe necessary for fulfilling the particular purpose, as follows:
- In the case that personal data have been collected on the basis of previously obtained consent, data shall be deleted or anonymised without delay within the period that does not exceed 10 days after the withdrawal of the consent;
- Personal data of the candidate for employment shall be kept until the end of the procedure for the selection of candidates and shall be deleted within the period of 10 days after the end of the process. After the completion of the selection procedure, the candidate's personal data shall be kept within the period of the following year provided that the candidate has agreed that his/her data are kept for the purpose of making contact in the event of a future need for employment;
- Personal data on the basis of which licenses are issued shall be kept within the period of one year after the expiration of the validity period of the license;
- Personal data of persons to whom identification cards are issued shall be kept within the period of one year after the expiration of the validity period of the identification card;
- Personal data of persons who lease or purchase real estate from the Chamber shall be kept within the period of two years after the expiration and/or implementation of the contract;
- Personal data of persons who participate in the implementation of events (training courses, seminars, fairs) that are organised by the Chamber shall be kept within the period of one year after the date when the event has been held;
- Personal data of persons who attend training courses in order to acquire the title of licensed insurance intermediaries/agents and/or for continuous training of licensed insurance intermediaries/agents shall be kept until the termination of the validity period of the Agreement on Training Candidates for Taking Professional Exam in Order to Obtain the Title of Licensed Insurance Intermediary or Licensed Insurance Agent and for Professional Development of Licensed Intermediaries and Licensed Insurance Agents which the Chamber of Commerce and Industry of Serbia concluded with the National Bank of Serbia (G. No. 2358 dated 20th March 2017 and CCIS 01 No. 38/14 dated 23rd March 2017);
- Personal data of persons who participate in the work of working groups and/or working bodies shall be kept within the period of one year after the expiration of the mandate of working groups and/or working bodies;
- Personal data of persons who address the Chamber with an inquiry shall be kept within the period of two years after the inquiry has been answered;
- Personal data that have been collected for the requirements of publishing/guarantee activities of the ATA and TIR systems shall be kept within the period of 10 years after the date ATA and TIR carnets have been issued and/or after the termination of claims;
- Personal data that have been collected from persons who take part in the work of the Chamber’s organs and bodies and in the forms of organisation and operations in the Chamber (the Assembly, the Board of Directors, the Supervisory Board, the Board of Associations and Groups, the Board of the Group, the General Associations of Entrepreneurs, the Commission for Financial Issues of the Assembly) and/or representative of the members of the Parliament of Businessmen shall be kept within the period of four years after the termination of the mandate;
- Personal data of persons who have been engaged in the Court of Honour and/or in the Permanent Arbitration at the Chamber shall be kept permanently;
- Personal data of persons who have become holders of the certificate or the license issued by the Chamber shall be kept within the period of three years after the date of the termination of the validity period of the certificate and/or the license;
- Personal data of persons who have been included in any of the registers that are maintained by the Chamber in compliance with delegated public authorisations shall be kept within the period of three years after the date of the deletion from the register;
- Personal data of persons who have participated in electronic operations shall be kept within the period of 10 years after the date when the qualified electronic certificate has expired;
- Personal data of lecturers who have been hired by the Chamber shall be kept within the period of one year after the event has been held;
- Personal data that have been collected for the purpose of exercising delegated public authorisations in the connection with the preparation of the distance indicator, intercity timetables and categorisation of bus stations shall be kept within the period of five years after their amendment;
- Personal data that have been processed on the basis of concluded contracts shall be kept within the period of 10 years after the implementation of the contract and/or after the termination of the contract;
- Personal data that have been collected for the purposes of accounts shall be kept within the period of 10 years in compliance with the law governing the value added tax;
- Video surveillance records shall be kept for the period of 30 days and, after the expiration of that period, they shall be automatically deleted except in exceptional cases when there is a legitimate interest of the Chamber to keep them for a longer period of time.
HOW TO CONTACT US WITH REFERENCE TO YOUR PERSONAL DATA
As the data subject you have the right to contact Ljiljana Pantelić – Data Protection Officer (DPO), who has been appointed by the Chamber for all issues related to your personal data processing that also includes the possibility to exercise your rights as it has been explained in this Policy in writing by an email to the address: zastitapodataka@pks.rs and/or by a letter to the address: The Chamber of Commerce and Industry of Serbia, 13-15, Resavska Street, Belgrade, with the reference to the Data Protection Officer in the Chamber or orally by dialling the number: +38166 8751-127.
The Data Protection Officer shall reply to your inquiry as soon as possible depending on its complexity however, not later than within the period of 30 days after the DPO has received your inquiry.
COOKIES
The Internet platform of the Chamber shall use cookies and/or small data packages that are stored on a computer (or on any other device) that is used by the data subject to access the Internet.
You can see cookies that we use in the Cookie Policy.
Cookies enable additional functionalities of the website that are necessary for a special presentation of contents.
Usually, cookies do not reveal the identity of the user but they monitor and analyse the behaviour of users on the Internet (number of website visits, average time on the website, sites you open, etc.) and they are exclusively used to maintain and to improve functionalities of our Internet presentations. In the case that cookies enable access to the user's identity, this shall be treated as any other personal data and everything that has been said about personal data shall be applicable, as well.
The EU regulations on telecommunications, as well as the Law on Electronic Communications (“The Official Gazette of the Republic of Serbia” No. 44/10, 60/13 – Decision of the Constitutional Court, 62/14 and 95/18 – other laws) enable the use of cookies provided the user (data subject) has been clearly and precisely notified about the purpose for the collection and processing of cookies and that he/she has had an opportunity to reject such processing.
The removal of cookies is possible by changing the settings in your internet browser (Internet Explorer, Firefox, Google Chrome, Opera, Microsoft Edge, Safari, etc.). Saved cookies can be removed depending on the type of cookies. Such a removal of cookies can potentially reduce functionalities of the platform.
MISCELLANEOUS
This Policy shall come into force on the eighth day after it has been published on the website of the Chamber.
This Policy can be amended and supplemented provided that it does not in any way reduce the level of legal protection of data subjects.
Data subjects shall be notified about all important amendments of this Policy in usual ways of communication.