With the aim of complying with the applicable regulations and establishing good practice in personal data processing, the Controller shall:
ensure that the collection and further processing of personal data is always based on the adequate legal grounds;
ensure that the processing is performed in compliance with the rights of the data subjects, while taking care to always provide data subjects with adequate assistance in exercising all their guaranteed rights;
regularly publish and make publicly available all relevant information related to processing;
ensure that the collection and further processing of personal data is carried out exclusively to achieve a specific purpose;
collect and process the minimum set of personal data that is really necessary for the Controller to achieve a specific purpose;
collect and process personal data for the time period necessary to achieve the purpose for which the data were collected;
ensure that the collected personal data are accurate and up-to-date;
ensure that data is protected from any unauthorized or illegal access by internal or external persons.
Starting from these basic principles, the Controller hereby informs the data subjects about all important aspects of the collection and processing of their personal data, while the term “data subject” means all principals, customers, suppliers, associates, business partners, negotiators, negotiators who later withdraw from cooperation, employees, persons engaged outside employment and third interested parties (hereinafter referred to as Data Subjects).
Taktik d.o.o. takes the privacy of website users seriously and strives to protect the information about them, which it collects, uses and stores.
In doing so, the Company collects the minimum amount of data on users, primarily for the purpose of processing the requests of users and website visitors.
Several options within the website require providing us with personal data. This includes the possibility for users to send us a complaint, resume or job application. The Company may collect all information that users send us through the “career” and “contact” options (including, but not limited to, the name, surname, e-mail address, as well as other information left on the website), whereby the Company shall not be responsible for the content of information provided by users.
The Company shall not provide user data to third parties, and if at any time we have to disclose such data to third parties (e.g. government authorities), users will be notified thereof, and their consent will be sought.
The Company may disclose general information to third parties, such as the number of website visitors, but not the data that could reveal an individual’s identity.
When they browse the pages at www.taktik.rs, we do not collect personal data of users, such as their name and surname, address of residence, telephone number, etc. However, information about the server to which the user’s computer is connected, the IP address, browser data and similar data can be collected and monitored on a collective basis. Namely, we collect data transmitted by the user’s Internet browser, which is technically necessary for the user to see our website. Also, for analytical purposes, the software itself can collect data on the number of visits.
The Company takes reasonable precautions to protect user data and to prevent unauthorized access to their data, but is not responsible for security vulnerabilities that are beyond our control.
It is understood that users, by their decision to provide their personal data, understand and consent to the fact that the security and privacy of their data may not be fully guaranteed.
What is personal data?
Personal data is any data that refers to a Data Subject and that identifies that person, i.e. all information on the basis of which the Data Subject’s identity is identified or identifiable (directly or indirectly), and especially based on the identity marks (such as name and identification number), location data, identifiers in electronic communications networks or on the basis of one or more features of his physical, physiological, genetic, mental, economic, cultural or social identity.
What data are collected and processed by the Company (Controller)?
The Controller collects and processes the following data about Data Subjects, to the extent necessary to achieve a specific purpose:
general identification data (data from personal (ID) documents – name, surname, place, municipality and country of birth, day, month and year of birth, ID card number, personal ID number, address of residence, bank account number, for foreign citizens – number, date of issue and type of travel document, citizenship);
contact information (contact phone, e-mail address, etc.) hereinafter jointly referred to as the Data.
How are personal data collected?
Personal data are collected by the Controller directly from Data Subjects.
What is the legal basis for data collection and processing?
Before performing any activities aimed at data collection and processing, the Controller identifies the existence of the appropriate legal basis and, if possible, documents it. The Controller collects and processes personal data on the basis of informed consent of a Data Subject, which means that the Data Subject, with his/her unambiguous statement of will (or other appropriate action such as further use or access to the website content), confirms (expressly or tacitly) to be acquainted with all important aspects of the personal data processing, and consents to such processing. In the case of express consent, its form and content must be in accordance with the LPDP.
The consent is voluntary and can be revoked at any time, provided such revocation shall not affect the processing of personal data that was performed before the revocation.
If the Controller collects and processes data on the basis of a legitimate interest, it must determine whether it violates the fundamental rights, freedoms and interests of a Data Subject, because otherwise the data will not be collected and processed.
What is the purpose of personal data collection and processing?
The Controller collects and processes the data in order to:
comply with the legal regulations in conducting business and registered activities (sales of goods, marketing, etc.);
create a database of Data Subjects;
inform a Data Subject about the Controller’s activities.
How are personal data stored and what security measures are applied?
Personal data are collected and stored by the Controller physically and/or electronically in the Controller’s internal records (databases), which it maintains and regularly updates, and in relation to which it applies all necessary organizational, technical and personnel security measures aimed at ensuring optimal data protection, including:
control of physical access to the system where data are stored;
data access control;
data transfer control;
data entry control;
data availability control;
other information security measures necessary for the protection of personal data.
The Company reviews all security measures it applies, in order to assess their effectiveness. The Company reserves the right to apply other measures in order to protect the data.
In case of a data breach that may pose a risk to the rights and freedoms of Data Subjects, the Company is obliged to notify the Commissioner for Access to Information of Public Importance and Personal Data Protection (hereinafter referred to as the Commissioner), no later than 72 hours from the moment of becoming aware of such breach. Otherwise, the Company is obliged to explain the reasons why it did not inform the Commissioner about the personal data breach within the prescribed period. The notification is delivered to the Commissioner in writing – directly, by mail or by e-mail: email@example.com. The notice must contain: a description of the nature of the data breach, including the type of data, the approximate number of data subjects and the approximate number of data whose security has been compromised, contact details of the Data Protection Officer or information on other ways in which information about the data breach can be obtained, description of possible consequences of such data breach, description of measures taken or proposed by the Company in connection with the data breach, and measures taken to reduce adverse consequences.
The Company is obliged to notify the Data Subject of such data breach, with no delay, if the personal data breach may produce a high risk to the rights and freedoms of the Data Subject, and is obliged to describe the nature of the data breach in a clear and understandable manner. In the Notice sent to Data Subjects the Company is obliged to provide the contact details of the Data Protection Officer or information on other ways in which information about the data breach can be obtained, description of possible consequences of such data breach, description of measures taken or proposed by the Company; and measures taken to mitigate the adverse consequences.
What are the rights of Data Subjects?
In relation to personal data, Data Subjects have the following rights:
the right to request information on personal data processing from the Controller;
the right to request access to personal data and information related to processing;
the right to request correction of incorrectly entered data and supplements to such data;
the right to request the erasure of data;
the right to restrict processing;
the right to data portability;
the right not to be subject to a decision made solely on the basis of automated processing, including profiling;
the right to be informed of a data breach, if that data breach may pose a high risk to the rights and freedoms of individuals;
the right to file a complaint to the Commissioner for Access to Information of Public Importance and Personal Data Protection;
the right to judicial protection if they believe that the rights from the LPDP have been violated;
other rights guaranteed by the applicable LPDP.
The Controller will provide Data Subjects with all necessary additional information and assistance with regard to the exercise of their rights, all in accordance with the terms and conditions prescribed by the applicable LPDP.
Who, besides the Controller, can have access to the Data?
The Company may conclude a joint controllership agreement or a data processing agreement with another company, the content of which must be in accordance with the LPDP.
The Controller may also disclose personal data to third parties, some of whom are processors and some of whom are data recipients. The processor in terms of Article 4, paragraph 1, item 9) of the LPDP, is a natural or legal person, i.e. a government authority that processes personal data on behalf of the Controller, while the Recipient in terms of Article 4, paragraph 1, item 10) of the LPDP is a natural or legal person, i.e. the government authority to whom the personal data have been disclosed, regardless of whether it is a third party or not.
Access to data is limited to certain persons in accordance with the nature of the work and the performance of specific business tasks. Categories of persons who may have access to personal data:
employees and/or persons otherwise engaged by the Controller, in accordance with the nature of their work;
principals, partners or associates in individual programs;
IT companies that maintain the information systems of the Controller used for storing the collected data.
Certain processors may have access to personal data and may be established in foreign countries, primarily in EU/European Economic Area Member States. The disclosure of data to EU/European Economic Area Member States is done on the basis of the standard level of adequate protection of personal data in those countries, in accordance with the law.
All processors shall conclude special contracts which regulate all important aspects of personal data processing, as well as security measures.
Exceptionally, personal data may be submitted to the competent state authorities, if it is a legal obligation of the Controller, and only to the extent necessary to fulfill a specific legal obligation.
The Company has a developed practice of embedding a confidentiality clause in employment contracts and cooperation agreements or signing a special appropriate confidentiality document with associates, who may have access to data collected and processed by the Company.
How long will personal data be retained?
Data retention periods correspond to the purpose of processing and are in accordance with the relevant regulations and legal obligations. The Controller reserves the right to review and change the retention periods.
How can additional processing notices be obtained?
The Data Protection Officer (hereinafter: the Authorized Person) will respond to any inquiry as soon as possible, but no later than within 30 days from the date of receipt of the request. The deadline can be extended for another 60 days if necessary, depending on the duly received written request, its complexity and the number of submitted requests. The Authorized Person is obliged to inform the Data Subject about the extension of the deadline and the reasons within 30 days from the day of receipt of the request.
If the request is obviously unfounded or excessive or if the same request is frequently repeated, the Authorized Person may refuse to act upon the request, provided that the Authorized Person bears the burden of proof.
The Authorized Person will identify the Data Subject based on the data provided in the submitted Request to Exercise Rights and will compare such data with the data possessed by the Company and will record the date of the review, and, if necessary, the Authorized Person may request additional information from the Data Subject.