Privacy policy

1. Appendix to the Data Management Regulations

DATA MANAGEMENT ANNOUNCEMENT REGARDING THE RIGHTS OF THE INDIVIDUAL IN RELATION TO THE MANAGEMENT OF THEIR PERSONAL DATA

CONTENT

INTRODUCTION

CHAPTER I – NAME OF THE DATA CONTROLLER

CHAPTER II – NAMES OF DATA PROCESSORS

  1. IT provider of our Company
  2. Ticketing system developer of our Company

    CHAPTER III – ENSURING DATA MANAGEMENT COMPLIANCE WITH LAWS
    1. Data management based on the individual's consent
    2. Data management based on the performance of legal obligations
    3. Promotion of the rights of the individual concerned

      CHAPTER IV – DATA MANAGEMENT OF VISITORS TO THE COMPANY'S WEBSITE – COOKIE USAGE ANNOUNCEMENT
      CHAPTER V – ANNOUNCEMENT OF THE RIGHTS OF THE INDIVIDUAL CONCERNED

INTRODUCTION
Based on REGULATION 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU) (hereinafter: the Regulation), which relates to the protection and free flow of data during the management of personal data of natural persons and the repeal of Directive 95/46/EC, the Data Controller must take appropriate actions to ensure that the individual whose data is being collected is provided with necessary information related to the management of personal data in a concise, clear, transparent, comprehensible, and accessible form and to ensure the conditions for fulfilling the rights of the individual whose data is being collected.

The obligation to inform the individual in advance about their right to informational self-determination and freedom of information is also prescribed by the CXII law of 2011. The following text fulfills our obligations as prescribed by the aforementioned laws and regulations. The notice should be displayed on the company’s website or sent to the individual whose data is being collected upon their request.

CHAPTER I

NAME OF THE DATA CONTROLLER
The issuer of this notice and the Data Controller:
Company name: WIKING GROSS export-import DOO
Headquarters: Aranđelovac
Registration number: 17296345
VAT number: 100764359
Representative: Mikica Babić
Telephone number: 064/67-90-692
Email address: info@elmotori.com
Website: elektromotori.com

(hereinafter: the Company)

CHAPTER II
NAMES OF DATA PROCESSORS

A data processor is a natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the Data Controller (Regulation Article 4, Section 8). The use of a data processor does not require prior consent from the individual, but the individual must be informed. In accordance with these regulations, we provide the following notice:

  1. IT provider of the Company
    The Company uses the services of a data processor to maintain and manage its website, which provides IT services (hosting services) and within these services – in accordance with the content of the contract between the two parties – manages the personal data left on the website by storing them on the server.

Company name: ErdSoft doo
Headquarters: 24000 Subotica, Somborski put 33a, Serbia
Registration number: 21354619
VAT number: 110478829
Representative: Daniel Erdudac
Telephone number: +381 60 44 60 555
Fax: none
Email address: daniel.erdudac@erdsoft.com
Website: erdsoft.com

CHAPTER III

ENSURING DATA MANAGEMENT COMPLIANCE WITH LAWS

  1. Data management based on the individual's consent

    (1) If the Company wishes to manage data based on consent, it is necessary to request consent for the management of personal data from the individual whose data will be managed using a form, the content of which is determined in the data management regulations.

    (2) Consent is also considered given if the user marks a field related to the request for consent for data processing on the Company's website, if they perform related technical settings concerning the use of information society services, as well as any other statement or act that clearly indicates the individual's consent to the planned management of their personal data. Silence, a pre-ticked box, or inactivity is not considered consent.

    (3) Consent applies to all actions related to data management carried out for the same purpose or purposes. If data management serves several different purposes, consent must be requested for all purposes related to data management.

    (4) If the individual gives their consent as part of a written statement, which also relates to other purposes – e.g., sales, service contract – consent must be requested in a manner that is clear, simply expressed, understandable, accessible, and clearly distinguished from other purposes. Parts of such statements that contain the individual's consent and do not comply with the Regulation are not valid.

    (5) The Company cannot condition the conclusion or execution of a contract with consent to manage personal data that is not necessary for the execution of the contract.

    (6) Withdrawal of consent must be as simple as giving consent.

    (7) If personal data is recorded with the individual's consent, the data controller may use the recorded data in the absence of different regulations from the law for the purpose of fulfilling legal obligations without special consent, even after the individual withdraws their consent.

    (8) The website does not intentionally collect data from minors (under 16 years of age). If minor's data is saved, once the fact is known, the minor's data will be deleted without delay.
     
  2. Data management based on the performance of legal obligations

    (1) In the case of data management based on the performance of legal obligations, the scope of data, the purpose of data management, the data retention period, and data users are determined by legal regulations.

    (2) Data management based on the performance of legal obligations does not depend on the individual's consent, as data management is determined by law. In this case, the individual must be informed before data collection that data collection is mandatory and must be informed in detail and clearly about all facts related to data management, with special attention to the purpose and legal basis of data processing, the subject authorized to manage the data, the duration of data management, that personal data is managed in accordance with legal provisions, and who can access the data. The notice must include the individual's rights and the possibilities of exercising the rights related to the management of personal data. In the case of mandatory data management, the notice may also include references to all legal regulations containing the aforementioned information.

    3. Promotion of the rights of the individual concerned 
    The Company is obliged to ensure that the individual can exercise their rights in all data management activities.

CHAPTER IV

DATA MANAGEMENT OF VISITORS TO THE COMPANY'S WEBSITE – COOKIE USAGE ANNOUNCEMENT

1. The visitor to the website must be informed about the use of cookies, and for all except technically necessary session cookies, the visitor's permission must be requested.

2. General information about cookies

2.1. Cookie (cookie) is a data piece that the visited website sends to the visitor's browser (in the form of a variable value) for storage, and later the same website can retrieve the content of the cookie. Cookies can be valid until the browser is closed or for an unlimited period. Later, for each HTTP(S) request, the browser sends this information to the server, thus changing the data on the user’s device.

2.2. The essence of cookies is to mark and identify the user (e.g., their login to the page) and treat the given user appropriately in all subsequent cases. The risk lies in the fact that the user is not always aware that cookies identify them, allowing the site owner or another provider whose content is embedded in the site (e.g., Facebook, Google Analytics) to track the user. During tracking, a profile is created about the user, and in these cases, the content of the cookies is treated as personal data.

2.3. Types of cookies:

2.3.1. Technically necessary session cookies: Without them, the websites simply do not function; they are used to identify the user when they have logged in, what they put in the basket, etc. In this case, usually, the session ID is stored, while other data is stored on the server, making it more secure. From a security aspect, when the session cookie value is not well generated, there is a risk of session hijacking, so it is necessary to generate these values correctly. Other terminologies call session cookies any cookie that is deleted at the end of the browser session (session is the use of the browser from start to exit).

2.3.2. Cookies that facilitate use: These include those cookies that remember the user's selections – e.g., in what form the user wants to view the page. These cookies essentially denote settings data stored in the cookies.

2.3.3. Performance cookies: Although they have little to do with "performance", this is the name for cookies that collect information about the user’s behavior, clicks, and time spent on the visited page. These are usually third-party applications (like Google Analytics, AdWords, or Iandek.ru cookies). They are suitable for profiling visitors.


Learn more about Google Analytics cookies here: Analytics-cookies
Learn more about Google AdWords cookies here: Google support

2.4 Acceptance or enabling of cookies is not mandatory. In the browser settings, you can set to automatically reject all cookies, or for the browser to notify you when the system sends cookies. Most browsers automatically accept cookies by default, but settings can usually be changed to prevent automatic acceptance and offer the user a choice between accepting and rejecting cookies each time.

See links below for cookie settings of the most popular browsers:

However, it must be noted that certain site functions or services may not function properly without cookies.

3. Information about cookies used on the Company’s website and data generated during the visit

These data are stored for up to 90 days and are primarily used for testing security incidents.

3.1. Data managed during the visit:
The Company’s website may use the website to record and manage the following information about the visitor or the device used:

  • Visitor’s IP address
  • Browser type
  • Characteristics of the device’s operating system used by the visitor (configured language)
  • Time of visit
  • (sub)pages, functions, or services visited
  • Clicks

3.2. Session cookies necessary for functionality:

  • Purpose of data management: To ensure the proper functioning of the website. These cookies are necessary to enable visitors to browse the website without problems and to fully utilize all functions and services available through the website, including – especially – visitor comments on a particular site or the identity of a logged-in user during the visit. The duration of such cookie management is limited to the current visit of the visitors; this type of cookie will be automatically deleted from the user’s computer when the session ends or the browser is closed.
  • Legal basis for managing this data: Article 13/A, § (3) paragraph CVIII of the Electronic Commerce Services and Information Society Services Act of 2001, according to which the service provider may manage personal data necessary for providing the service in order to provide the service. If other conditions remain unchanged, service providers must choose and use the tools used to provide information society services in such a way that personal data is processed only if it is strictly necessary for providing the service and for fulfilling other necessary purposes mentioned in this law, but even in such cases only to the extent and time necessary.

3.2. Cookies that facilitate use:

  • Purpose of data management: These cookies remember the user’s choices, for example, in what form the user wants to see the page. These types of cookies are essentially settings data stored in a cookie.
  • Legal basis for managing this data: The visitor’s consent.
  • Purpose of data management: To increase service efficiency, improve the user experience, and ensure a more convenient use of the site. These data are stored on the user’s computer, and the website only accesses them and recognizes the visitor based on them.

3.3. Performance cookies:

  • Purpose of data management: This type of cookie collects information about user behavior, time spent, and clicks on the page viewed by the user. These cookies usually track third-party applications (e.g., Google Analytics, AdWords).
  • Legal basis for managing this data: The consent of the individual concerned.
  • Purpose of data management: Website analysis and sending promotional offers.

CHAPTER V

ANNOUNCEMENT OF THE RIGHTS OF THE INDIVIDUAL CONCERNED

Summary of the rights of the individual concerned:

  1. Transparent information, communication, and modalities for exercising the rights of the individual concerned
  2. Right to prior information provided – if personal data is collected from the individual concerned
  3. Information provided if personal data is not obtained from the individual concerned
  4. Right of access for the individual concerned
  5. Right to rectification
  6. Right to erasure ("right to be forgotten")
  7. Right to restriction of processing
  8. Obligation to notify about rectification or erasure of personal data or restriction of processing
  9. Right to data portability
  10. Right to object
  11. Making automated individual decisions, including profiling
  12. Restrictions
  13. Notifying the individual concerned about a personal data breach
  14. Right to lodge a complaint with a supervisory authority
  15. Right to an effective judicial remedy against a supervisory authority
  16. Right to an effective judicial remedy against a data controller or processor

Detailed rights of the individual concerned:

1. Transparent information, communication, and modalities for exercising the rights of the individual concerned

1.1 . The controller takes appropriate measures to provide the individual concerned with all information related to processing in a concise, transparent, comprehensible, and easily accessible form, using clear and simple language, particularly regarding any information explicitly intended for a child. Information is provided in writing or by other means, including electronically, where appropriate. If the individual concerned so requests, the information may be provided orally, provided the identity of the individual concerned is determined by other means.

1.2. The controller facilitates the exercise of the rights of the individual concerned.

1.3. The controller provides the individual concerned with information about the actions taken upon request without undue delay and, in any case, within one month of receipt of the request. This period may be extended by two additional months if necessary, and the controller must inform the individual concerned of any such extension within the period.

1.4. If the controller does not act upon the request of the individual concerned, the controller informs the individual concerned immediately or within one month of receipt of the request of the reasons for not acting and the possibility of lodging a complaint with a supervisory authority and seeking judicial remedy.

1.5. Information provided, all communication, and measures taken are provided free of charge, but in certain cases prescribed by the Regulation, a fee may be charged.

Detailed rules can be found in Article 12 of the Regulation.

  1. Right to prior information provided – if personal data is collected from the individual concerned

2.1. If the personal data of the individual concerned is collected from the individual concerned, the controller provides all of the following information at the time of data collection:

a) Identity and contact details of the controller and, where applicable, the controller’s representative

b) Contact details of the data protection officer, where applicable

c)Purposes of the processing for which the personal data are intended, as well as the legal basis for the processing

d) If the processing is based on the exercise of legal rights, the legitimate interests of the controller or third party

e) Recipients or categories of recipients of the personal data, where applicable

f) Where applicable, the fact that the controller intends to transfer personal data to a third country or international organization

2.2. At the time of data collection, the controller provides the individual concerned with the following additional information necessary to ensure fair and transparent processing:

a) The period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period

b) The existence of the right to request access to and rectification or erasure of personal data or restriction of processing concerning the individual concerned or the right to object to processing as well as the right to data portability

c) Where the processing is based on the individual's consent, the existence of the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal

d) The right to lodge a complaint with a supervisory authority

e) Whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, as well as whether the individual concerned is obliged to provide personal data and the possible consequences of failing to provide such data

f) The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual concerned

2.3. If the controller intends to further process personal data for a purpose other than that for which the personal data was collected, the controller provides the individual concerned with information about that other purpose and any additional relevant information before that further processing.

Detailed rules on the right to prior information are contained in Article 13 of the Regulation.

  1. Information provided if personal data is not obtained from the individual concerned

3.1. If personal data has not been obtained from the individual concerned, the controller is obliged to inform the individual concerned within one month of obtaining the data about the facts and information described in point 2, the category of personal data, the source of personal data, or in certain cases whether the data originates from publicly accessible sources: if personal data is used to contact the individual concerned, at least at the first contact with the individual; or if they intend to transfer the data to other recipients, no later than the first transfer.

3.2. The remaining rules apply to the facts and obligations described in point 2 (Right to prior information).

Detailed rules of this notice are contained in Article 14 of the Regulation.

  1. Right of access for the individual concerned
    4.1. The individual concerned has the right to obtain confirmation from the controller as to whether personal data concerning them is being processed and, where that is the case, access to the personal data and information listed in points 2 and 3 (Article 15 of the Regulation).
    4.2. If personal data is transferred to a third country or international organization, the individual concerned has the right to be informed of the appropriate safeguards in accordance with Article 46 relating to the transfer.
    4.3. The controller provides a copy of the personal data undergoing processing. For any additional copies requested by the individual concerned, the controller may charge a reasonable fee based on administrative costs.

Detailed rules on the right of access for the individual concerned are contained in Article 15 of the Regulation.

  1. Right to rectification

    5.1. The individual concerned has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them.

    5.2.Considering the purposes of the processing, the individual concerned has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

These rules are contained in Article 16 of the Regulation.

  1. Right to erasure ("right to be forgotten")

6.1. The individual concerned has the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller is obliged to erase personal data without undue delay where one of the following grounds applies:

a) The personal data is no longer necessary for the purposes for which it was collected or otherwise processed

b) The individual concerned withdraws consent on which the processing is based, and where there is no other legal ground for the processing

c) The individual concerned objects to the processing and there are no overriding legitimate grounds for the processing

d) The personal data has been unlawfully processed

e) The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject

f) The personal data has been collected in relation to the offer of information society services directly to a child

6.2. These grounds for erasure do not apply to the extent that processing is necessary:

a) For exercising the right of freedom of expression and information

b) For compliance with a legal obligation that requires processing in Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

c) For reasons of public interest in the area of public health

d) For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes if the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing

e) For the establishment, exercise, or defense of legal claims

Detailed rules on the right to erasure are contained in Article 17 of the Regulation.

  1. Right to restriction of processing

7.1. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the consent of the individual concerned or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

7.2. The individual concerned has the right to obtain from the controller restriction of processing where one of the following applies:

a) The accuracy of the personal data is contested by the individual concerned, for a period enabling the controller to verify the accuracy of the personal data

b) The processing is unlawful, and the individual concerned opposes the erasure of the personal data and requests the restriction of its use instead

c) The controller no longer needs the personal data for the purposes of the processing, but they are required by the individual concerned for the establishment, exercise, or defense of legal claims

d) The individual concerned has objected to processing pending the verification of whether the legitimate grounds of the controller override those of the individual concerned

7.3. The individual concerned who has obtained restriction of processing is informed by the controller before the restriction of processing is lifted.

Detailed rules are contained in Article 18 of the Regulation.

  1. Obligation to notify about rectification or erasure of personal data or restriction of processing The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data has been disclosed unless this proves impossible or involves disproportionate effort. The controller shall inform the individual concerned about those recipients if the individual concerned requests it.

Detailed rules are contained in Article 19 of the Regulation.

  1. Right to data portability

9.1. The individual concerned has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data has been provided, where:

a) The processing is based on consent or on a contract

b) The processing is carried out by automated means

9.2. In exercising their right to data portability, the individual concerned has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

9.3. The exercise of the right to data portability is without prejudice to Article 17 (Right to erasure, "right to be forgotten"). That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This right must not adversely affect the rights and freedoms of others.

Detailed rules are contained in Article 20 of the Regulation.

  1. Right to object

10.1. The individual concerned has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the individual concerned or for the establishment, exercise, or defense of legal claims.

10.2. Where personal data is processed for direct marketing purposes, the individual concerned has the right to object at any time to the processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the individual concerned objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

10.3. At the latest at the time of the first communication with the individual concerned, the individual concerned is explicitly informed of the right referred to in paragraphs 1 and 2, which must be presented clearly and separately from any other information.

10.4. The individual concerned can exercise their right to object by automated means using technical specifications.

10.5. Where personal data is processed for scientific or historical research purposes or statistical purposes, the individual concerned, on grounds relating to their particular situation, has the right to object to the processing of personal data concerning them unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Detailed rules are contained in Article 21 of the Regulation.

  1. Making automated individual decisions, including profiling

11.1. The individual concerned has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

11.2. Paragraph 1 does not apply if the decision:

a) Is necessary for entering into or performing a contract between the individual concerned and the controller

b) Is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the rights and freedoms and legitimate interests of the individual concerned

c) Is based on the explicit consent of the individual concerned

11.3. In the cases referred to in points (a) and (c) of paragraph 2, the controller shall implement suitable measures to safeguard the rights and freedoms and legitimate interests of the individual concerned, at least the right to obtain human intervention on the part of the controller, to express their point of view, and to contest the decision.

Detailed rules are contained in Article 22 of the Regulation.

  1. Restrictions

On the basis of Union or Member State law to which the controller or processor is subject, a legislative measure may restrict the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5, in so far as such a restriction respects the essence of the fundamental rights and freedoms.

The conditions for these restrictions are contained in Article 23 of the Regulation.

  1. Notifying the individual concerned about a personal data breach

13.1. Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the individual concerned without undue delay. The communication to the individual concerned shall describe in clear and plain language the nature of the personal data breach and contain at least the following information and measures:

a) The name and contact details of the data protection officer or other contact point where more information can be obtained

b) A description of the likely consequences of the personal data breach

c) A description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects

13.2. The communication to the individual concerned referred to in paragraph 1 shall not be required if any of the following conditions are met:

a) The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular, those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption

b) The controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of individuals is no longer likely to materialize

c) It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the individuals concerned are informed in an equally effective manner.

Detailed rules are contained in Article 34 of the Regulation.

  1. Right to lodge a complaint with a supervisory authority

Every individual concerned has the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work, or place of the alleged infringement, if the individual concerned considers that the processing of personal data relating to them infringes this Regulation. The supervisory authority with which the complaint has been lodged informs the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy.

These rules are contained in Article 77 of the Regulation.

  1. Right to an effective judicial remedy against a supervisory authority

15.1. Without prejudice to any other administrative or non-judicial remedy, every natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

15.2 Without prejudice to any other administrative or non-judicial remedy, every individual concerned has the right to an effective judicial remedy where the competent supervisory authority does not handle a complaint or does not inform the individual concerned within three months on the progress or outcome of the complaint lodged.

15.3. Proceedings against a supervisory authority are brought before the courts of the Member State where the supervisory authority is established.

15.4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or decision of the Board in the consistency mechanism, the supervisory authority forwards that opinion or decision to the court.

These rules are contained in Article 78 of the Regulation.

  1. Right to an effective judicial remedy against a controller or processor

16.1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, every individual concerned has the right to an effective judicial remedy where they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.

16.2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the individual concerned has their habitual residence, except where the controller is a public authority of a Member State acting in the exercise of its public powers.

These rules are contained in Article 79 of the Regulation.

Place and date, Aranđelovac, 09.07.2024

Cookie settings

We use cookies to personalise content and ads, to provide social media features and to analyse website traffic. You can read more by clicking on the "Settings" button.
We use cookies to personalise content and ads.