Privacy policy

  1. Annex to the Data Management Regulation

DATA MANAGEMENT NOTICE REGARDING THE RIGHTS OF NATURAL PERSONS IN TERMS OF MANAGING THEIR PERSONAL DATA

CONTENTS

INTRODUCTION

CHAPTER I – NAME OF THE DATA CONTROLLER ENTITY

CHAPTER II – NAMES OF DATA PROCESSING ENTITIES

  1. IT provider of our Company
  2. Ticket system programmer of our Company

CHAPTER III – ENSURING DATA MANAGEMENT COMPLIANCE WITH LAWS

  1. Data management based on consent from the data subject
  2. Data management based on fulfilling legal obligations
  3. Promotion of rights of the data subjects

CHAPTER IV – MANAGEMENT OF VISITOR DATA ON THE COMPANY'S WEBSITE – COOKIE USAGE NOTICE

CHAPTER V – NOTICE REGARDING THE RIGHTS OF DATA SUBJECTS

INTRODUCTION

Based on REGULATION 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU) (hereinafter: Regulation), concerning the protection of personal data and the free movement of such data in managing personal data of natural persons, and repealing Regulation (EC) No 95/46, the Data Controller must undertake appropriate actions to ensure that the individual whose data is collected is provided with all necessary information regarding the management of personal data in a concise, transparent, intelligible, and easily accessible form, as well as ensuring conditions for exercising the rights of the data subjects.

The obligation to inform individuals in advance about their right to informational self-determination and freedom of information is also prescribed by Law CXII of 2011.

In the following text, we fulfill our obligations imposed by the aforementioned laws and regulations.

The notice should be prominently displayed on the company's website or sent to the data subject upon request.

CHAPTER I

NAME OF THE DATA CONTROLLER ENTITY

The issuer of this notice, also the Data Controller:

Company name: SZR AUTOLAKIRER SALMA ČABA PREDUZETNIK SUBOTICA

Registered seat: Subotica

Registration number: 57121734

Tax ID (PIB): 104071671

Representative: Čaba Salma

Phone number: +381 60/01 02 811

E-mail address: info@salmaautolimarifarbar.rs

Website: autolimar-subotica.mysellvio.com

CHAPTER II

NAMES OF DATA PROCESSING ENTITIES

Entity processing data: natural or legal person, public authority, agency or any other body which processes data on behalf of the data controller; (Regulation Article 4, Section 8)

The use of the data processing entity is not contingent upon prior consent from the individual, but it is necessary to inform them. In accordance with these regulations, we provide the following notice:

  1. IT provider of the Company

The Company utilizes the services of a data processing entity for maintaining and managing its website, which provides IT services (hosting services). Within these services—and in accordance with the terms of the contract between the two parties—the data processing entity manages personal data left on the website by storing it on servers.

Name and details of the data processing entity:

Company name: ErdSoft doo

Registered seat: 24000 Subotica, Somborski put 33a, Srbija

Registration number: 21354619

Tax ID (PIB): 110478829

Representative: Daniel Erdudac

Phone number: +381 60 44 60 555

Fax: none

E-mail address: daniel.erdudac@erdsoft.com

Website: erdsoft.com

CHAPTER III

ENSURING DATA MANAGEMENT COMPLIANCE WITH LAWS

  1. Data Management Based on Consent from the Data Subject

(1) If the Company wishes to manage data based on consent, it is necessary to request consent for the management of personal data from the individuals whose data will be managed, using a form specified in the data management regulations.

(2) Consent is considered valid if the user checks the box related to consent for data processing on the Company's website, performs related technical settings regarding the use of information society services, or any other statement or action clearly indicating consent to the planned management of their personal data. Silence, pre-ticked boxes, or inaction does not constitute consent.

(3) Consent applies to all actions related to data management performed for the same purpose or purposes. If data management serves multiple distinct purposes, consent must be obtained for each purpose related to data management.

(4) If an individual gives consent as part of a written statement that also covers other purposes—e.g., sales, service contract conclusion—consent must be requested in a manner that is clear, easily understandable, accessible, and clearly distinguished from other purposes. Portions of such statements containing consent that do not comply with the Regulation are not enforceable.

(5) The Company cannot condition the conclusion or performance of a contract on consent to manage personal data that are not necessary for the performance of the contract.

(6) Withdrawing consent should be as easy as giving consent.

(7) If personal data are processed based on consent, the data controller may use the recorded data in the absence of regulations that differ from the law, for the purpose of fulfilling legal obligations, without additional consent, even after the withdrawal of consent by the individual.

(8) The website does not intentionally collect data from minors (under 16 years of age). If data of a minor are inadvertently collected, upon becoming aware of this fact, the data of the minor are promptly deleted.

  2. Data Management Based on Fulfilling Legal Obligations

(1) In cases of data management based on fulfilling legal obligations, the scope of data, purpose of data management, data retention period, and data users are determined by legal regulations.

(2) Data management based on fulfilling legal obligations does not depend on the consent of the individual, as data management is determined by the law. In this case, individuals must be informed before data collection that the collection of data is mandatory, and they must be fully and clearly informed about all facts related to the management of their data, with specific reference to the purpose and legal basis of data processing, the entity having the right to manage data, the duration of data management, compliance of personal data management with legal provisions, and who may have access to the data. The notice must also cover the rights of individuals and the methods of exercising rights related to the management of personal data. In cases of mandatory data management, publishing references to the legal regulations that contain the aforementioned information may also be considered notice.

  3. Promotion of Rights of Data Subjects

The Company is obliged to ensure that individuals can exercise their rights in all activities related to data management.

CHAPTER IV

DATA MANAGEMENT OF VISITORS TO THE COMPANY'S WEBSITE – COOKIE USAGE NOTICE

  1. Visitors to the website must be informed about the use of cookies, and except for technically necessary session cookies, consent from the visitor must be obtained.

  2. General Information about Cookies

2.1. A cookie is data that a visited website sends to the visitor's browser (in the form of a value variable) for storage, and later the same website may retrieve the contents of the cookie. Cookies can be valid until the browser is closed or for an unlimited period. Subsequently, with each HTTP(S) request, the browser sends this information to the server, thereby altering data on the user's device.

2.2. The essence of cookies is to identify and recognize the user (e.g., their entry into the website) and to treat the user appropriately in all subsequent instances. The risk lies in the fact that the user may not always be aware that they are being identified by cookies, which provides an opportunity for tracking by the website owner or other providers whose content is embedded in the site (e.g., Facebook, Google Analytics). Tracking creates a user profile, and in these cases, the contents of cookies are treated as personal data.

2.3. Types of Cookies:

2.3.1. Technically necessary session cookies: Without these, websites simply do not function; they are used to identify users when they enter the site, what they put in their shopping cart, etc. In this case, usually only the session ID is stored, while other data is kept on the server, making them more secure. From a security perspective, when the session cookie value is not properly generated, there is a risk of session hijacking, so it is essential to generate these values correctly. In other terminology, "session cookie" refers to any cookie that is deleted when the browser session ends.

2.3.2. Functionality cookies: These include cookies that remember user choices – for example, how the user prefers to view the site. Essentially, these cookies represent configuration data stored in cookies.

2.3.3. Performance cookies: Although not directly related to "performance," this term refers to cookies that collect information about user behavior, clicks, and time spent on the visited page. These are usually applications from independent providers (such as Google Analytics, AdWords, or Yandex.ru). They are suitable for profiling visitors.

Learn more about Google Analytics cookies here: Analytics-cookies

Learn more about Google AdWords cookies here: Google support

2.4. Accepting or enabling cookies is not mandatory. Browser settings can be adjusted to automatically reject all cookies or to prompt the user when a system sends cookies. Most browsers automatically accept cookies by default, but settings can usually be changed to prevent automatic acceptance and to offer the user a choice to accept or reject cookies each time.

Check the links below for cookie settings in popular browsers:

However, it should be noted that certain functions of the site or service may not work correctly without cookies.

  3. Information about Cookies Used on the Company's Website and Data Generated During Visits

3.1. Data Managed During Visits

While the website is in use, our Company may record and manage the following information about the visitor or the visitor's device:

  • Visitor's IP address,
  • Browser type,
  • Characteristics of the device's operating system used by the visitor (configured language),
  • Visit time,
  • Subpages, functions, or services visited,
  • Clicks.

These data are retained for up to 90 days and are primarily used for security incident testing.

3.2. Cookies Used on the Website

3.2.1. Technically Necessary Session Cookies

The purpose of data management is to ensure the proper functioning of the website. These cookies are necessary to enable visitors to browse the website without issues and to fully utilize all features and services available through the website, including - notably - visitor comments on a specific site or the identity of a logged-in user during the visit. The duration of this cookie management is limited to the visitor's current session; this type of cookie will be automatically deleted from the user's computer when the session ends or when the browser is closed.

The legal basis for managing this data is Section 13/A. § (3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services, which allows service providers to manage personal data that are technically necessary for the provision of the service. If the other conditions are unchanged, service providers must select and use tools used for the provision of information society services in a way that personal data are processed only if strictly necessary for the provision of the service and for fulfilling other necessary purposes stipulated in this law, but even then only to the extent and for the time required.

3.2.2. Cookies That Facilitate Use

These cookies remember user choices, such as how the user wants to view the page. These types of cookies essentially store configuration data in cookies.

The legal basis for managing this data is visitor consent.

The purpose of data management is to increase service efficiency, enhance user experience, and provide more convenient use of the website.

This data resides on the user's computer; the website only accesses it and recognizes the visitor based on it.

3.2.3. Performance Cookies

This type of cookie collects information about user behavior, time spent, and clicks on the page the user views. These cookies typically belong to third-party applications (e.g., Google Analytics, AdWords).

The legal basis for managing data: consent of the data subjects.

The purpose of data management is to analyze the website and send promotional offers.

CHAPTER V

STATEMENT ON THE RIGHTS OF THE DATA SUBJECTS

I. Summary of the Rights of the Data Subjects

  1. Transparent Information, Communication, and Modalities for Exercising the Rights of the Data Subjects

1.1. The controller takes appropriate measures to provide the data subjects with all information regarding the processing in a concise, transparent, understandable, and easily accessible form, using clear and plain language, particularly for any information specifically aimed at children. Information shall be provided in writing or by other means, including electronically where appropriate. Upon request, information may be provided orally, provided that the identity of the data subject is confirmed by other means.

1.2. The controller facilitates the exercise of the data subjects' rights.

1.3. Upon request, the controller provides the data subject with information about actions taken without undue delay and in any event within one month of receipt of the request. This period may be extended by an additional two months if necessary, and the controller shall inform the data subject of any such extension within one month.

1.4. If the controller does not take action on the request of the data subject, the controller informs the data subject of the reasons for not taking action and of the possibility to lodge a complaint with a supervisory authority and seek a judicial remedy, without undue delay and at the latest within one month of receipt of the request.

1.5. Information provided, all communication, and any actions taken are provided free of charge. However, in certain cases as specified by the Regulation, a fee may be charged.

Detailed rules can be found in Article 12 of the Regulation.

II. Detailed Rights of the Data Subjects

The detailed rights of the data subjects include:

  1. Transparent Information, Communication, and Modalities for Exercising the Rights of the Data Subjects

These rights ensure that data subjects are informed about and able to exercise their rights effectively, with the controller providing clear and accessible information in accordance with legal requirements.

This chapter outlines the comprehensive framework within which individuals' data rights are protected and exercised under applicable laws and regulations.

  2. Right to Prior Information Provided - If Personal Data is Collected from the Data Subject

2.1. If personal data of the data subject is collected from the data subject, the controller shall provide the following information to the data subject at the time of collecting personal data:

a) The identity and contact details of the controller and, where applicable, the controller's representative;

b) The contact details of the data protection officer, if applicable;

c) The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d) If the processing is based on the legitimate interests pursued by the controller or a third party, or on the performance of a contract or compliance with legal obligations;

e) The recipients or categories of recipients of the personal data, if any;

f) If applicable, the fact that the controller intends to transfer personal data to a third country or international organization.

2.2. When collecting personal data, the controller shall provide the data subject with the following additional information necessary to ensure fair and transparent processing:

a) The retention period of the personal data or, if not possible, the criteria used to determine that period;

b) The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing, as well as the right to data portability;

c) If the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

d) The right to lodge a complaint with a supervisory authority;

e) Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

f) The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2.3. If the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject with information on that other purpose and any relevant further information prior to that further processing.

All additional rules regarding the right to prior information are contained in Article 13 of the Regulation.

  3. Information Provided if Personal Data are not Obtained from the Data Subject

3.1. If personal data have not been obtained from the data subject, the controller is obliged to inform the data subject within one month of acquiring the data of the facts and information described in point 2, about the category of personal data, the source of personal data, or in certain cases whether the data originate from publicly accessible sources: if personal data are used to contact the data subject, at least at the first contact with the data subject; or if they intend to transfer data to other recipients, at the latest at the time of the first transfer.

3.2. The other provisions apply to the facts and obligations from point 2 (Right to Prior Information).

Detailed rules of this notification are contained in Article 14 of the Regulation.

  4. Right of the Data Subject to Access

4.1. The data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the information specified in points 2 and 3 (Article 15 of the Regulation).

4.2. If personal data are transferred to a third country or international organization, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

4.3. The controller shall provide a copy of the personal data undergoing processing. For any additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

Detailed rules regarding the right of access by the data subject are contained in Article 15 of the Regulation.

  5. Right to Rectification

5.1. The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them.

5.2. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

These rules are contained in Article 16 of the Regulation.

  6. Right to Erasure ("Right to be Forgotten")

6.1. The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) The data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;

c) The data subject objects to the processing and there are no overriding legitimate grounds for the processing;

d) The personal data have been unlawfully processed;

e) The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

f) The personal data have been collected in relation to the offer of information society services directly to a child.

6.2. The provisions on erasure do not apply where processing is necessary:

a) For exercising the right of freedom of expression and information;

b) For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) For reasons of public interest in the area of public health;

d) For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e) For the establishment, exercise, or defense of legal claims.

Detailed rules regarding the right to erasure of personal data are contained in Article 17 of the Regulation.

  7. Right to Restriction of Processing

7.1. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

7.2. The data subject has the right to obtain from the controller restriction of processing where one of the following applies:

a) The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

b) The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or

d) The data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

7.3. The data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.

Detailed rules regarding the right to restriction of processing are contained in Article 18 of the Regulation.

  8. Obligation to Notify of Rectification or Erasure of Personal Data or Restriction of Processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Detailed rules are contained in Article 19 of the Regulation.

  9. Right to Data Portability

9.1. The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

a) the processing is based on consent or on a contract; and

b) the processing is carried out by automated means.

9.2. In exercising their right to data portability, the data subject has the right to have personal data transmitted directly from one controller to another.

9.3. The exercise of the right to data portability shall not adversely affect the rights and freedoms of others. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Detailed rules are contained in Article 20 of the Regulation.

  10. Right to Object

10.1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on Article 6(1)(e) or (f), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

10.2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

10.3. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 10.1 and 10.2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

10.4. The data subject may exercise their right to object by automated means using technical specifications.

10.5. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to their particular situation, shall have the right to object to processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Detailed rules are contained in Article 21 of the Regulation.

  11. Automated individual decision-making, including profiling

11.1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

11.2. Paragraph 1 shall not apply if the decision:

a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

c) is based on the data subject's explicit consent.

11.3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express their point of view, and to contest the decision.

Additional rules are contained in Article 22 of the Regulation.

  12. Restrictions

Under Union or Member State law to which the controller or processor is subject, the scope of the obligations and rights set out in Articles 12 to 22 and Article 34 may be restricted by a legislative measure which respects the essence of the fundamental rights and freedoms.

The conditions and specifics of these restrictions are contained in Article 23 of the Regulation.

  13. Notification of a personal data breach to the data subject

13.1. Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, without undue delay, notify the data subject of the personal data breach. The notification to the data subject shall describe the nature of the personal data breach in clear and plain language and include at least the following information and measures:

a) the name and contact details of the data protection officer or other contact point where more information can be obtained;

b) a description of the likely consequences of the personal data breach;

c) a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

13.2. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

a) the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;

b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;

c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

Additional rules are contained in Article 34 of the Regulation.

  14. Right to lodge a complaint with a supervisory authority

Any data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement if the data subject considers that the processing of personal data relating to them infringes this Regulation. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy.

These rules are contained in Article 77 of the Regulation.

  15. Right to an effective judicial remedy against a supervisory authority

15.1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

15.2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority concerned does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint submitted pursuant to Article 55 and Article 56.

15.3. Proceedings against a decision of a supervisory authority shall be brought before the courts of the Member State where the supervisory authority has its seat.

15.4. Where proceedings are initiated against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board within the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

These rules are contained in Article 78 of the Regulation.

  16. Right to an effective judicial remedy against a controller or processor

16.1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, each data subject shall have the right to an effective judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.

16.2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

These rules are contained in Article 79 of the Regulation.
