GENERAL NOTICE ON PROCESSING OF USER PERSONAL DATA
Foundation Propulsion Fund, established for the purpose of charitable achievement of common goals pursuant to the Article 2, paragraph 2 of the Law on Endowments and Foundations (Official Gazette of the RS, No. 88/10, 99/11 – other law and 44/18 – other law), based in Belgrade at 25 Palmoticeva Street, which has the capacity of a Data Controller pursuant to Article 2, paragraph 1, point 8 of the Law on Personal Data Protection (Official Gazette 87/2018, hereinafter LPDP ), strictly complies with applicable legislation and ensures that personal data are collected and processed for specific purposes, respects the principle of data minimization, and ensures that personal data are only stored for the period of time necessary to achieve the purpose for which it was collected, respecting that personal data are processed solely for legitimate purposes, that they are accurate and current, that they are processed in accordance with an appropriate legal basis, and that they are protected from any unauthorized or illegal access by internal or external persons.
Taking this into consideration, the Data Controller hereby informs users of its programs and projects, employees and otherwise engaged persons (implementers), as well as possibly other persons whose data are being collected, about all important aspects of collecting and processing their personal data.
1. What is personal data?
Personal data is any information that relates to an individual and identifies that person, directly or indirectly, especially based on an identity tag, such as name and identification number, location data, identifiers in electronic communications networks or one or more characteristics of their physical, physiological, genetic, mental, economic, cultural and social identity.
Specific categories of personal data are data that reveal racial or ethnic origin, political opinion, religious or philosophical beliefs or union membership, as well as genetic data, biometric data for the sole identification of a person, health-related information, or data on sexual life or sexual orientation of the individual.
2. From whom do we collect personal data?
The Data Controller collects and processes personal data concerning:
1) Employed persons, persons who are engaged without employment status or employed under a different legal basis, as well as former employees (hereinafter: Employees);
2) Job candidates;
3) Persons representing contacts in companies that are the business partners of the Data Controller (hereinafter: Business Partners);
4) Users of programs, projects, campaigns, etc., organized or supported by the Data Controller (hereinafter: Users)
Hereinafter all are collectively referred to as data subjects.
3. What personal data do we collect and process?
The Data Controller processes personal data only to the extent necessary for the performance of its business activity, or to the extent necessary for the purpose of processing.
The Data Controller collects personal data directly from the data subject, or through their employers, co-contractors, business partners, legal representatives – parents or guardians, or, where applicable, other third parties, only to the extent necessary to accomplish a specific purpose, and depending on the specific category of data subject.
Typically, this is a minimal set of data necessary to accomplish a specific purpose, namely:
- from the Employees, the Data Controller collects and processes: data prescribed by applicable law regulating the field of work, records in the field of work, as well as laws regulating social and health care, and such processing is necessary in order to respect the legal obligations of the Data Controller pursuant to Article 12 paragraph 1 point 3) LPDP;
- from the Job Candidates, in addition to basic contact information (name and surname, contact telephone and e-mail address), the Data Controller collects data on their educational background and qualifications, as well as other information that the person shares about them, and such processing is necessary for undertaking actions, at the request of the data subject, prior to the conclusion of the contract, in order to contact them in case of need for work engagement, pursuant to Article 12, paragraph 1, point 2) of the LPDP. After the expiry of the specific call, this category of persons may opt to keep their data available in the electronic records of the Data Controller and thereafter, which means that from the expiry of the specific call the processing of personal data is performed on the basis of informed consent pursuant to Article 12, paragraph 1, point 1) LPDP. In case the job candidate is hired, further processing of his or her data is done as for the category “Employees”;
- from the Business Partners, the basic contact information is collected: first and last name, contact telephone and e-mail address, and in the case of contact persons within legal entities also the name of the legal entity they represent, and the position of those persons within that legal entity, and such processing is carried out on the basis of the informed consent of the data subject pursuant to Article 12, paragraph 1, point 1) of LPDP;
- from the Users, the following is collected and processed (such processing is done on the basis of informed consent of the data subject, pursuant to Article 12, paragraph 1, point 1) of the LPDP):
– basic identification information (name and surname, ID or passport number);
– contact information (address, contact telephone and e-mail address, information on social networks accounts);
– bank account information.
4. How are personal data collected?
The Data Controller collects personal data either directly from the data subject or through their employers, co-contractors, business partners, legal representatives (parents or guardians) or, where applicable, other third parties. When it does not obtain data directly from the data subject, the Data Controller shall be informed in advance whether the data subject is authorized to forward the data to the Data Controller. The data subject shall be obliged to inform the data subjects of all relevant aspects of processing in accordance with Article 24 of the LPDP, i.e. to inform such persons to familiarize themselves with this Notice. Data from the identity card or passport shall be verified by the Data Controller by accessing the relevant identity document.
5. What is the legal basis for collection?
The Data Controller processes personal data based on:
- informed consent of the data subject pursuant to Article 15 of the LPDP. In the case of processing based on informed consent, the data subject is authorized to revoke that consent at any time, the recall shall entail the termination of any further processing, without prejudice to the processing carried out up to that point, in accordance with point 11 of this Notice);
- for the purpose of executing the contract concluded with the data subject or taking measures at the request of the data subject prior to the conclusion of the contract, pursuant to Article 12, paragraph 1, point 2) of the LPDP;
- for the fulfillment of legal obligations pursuant to Article 12, paragraph 1, point 3) of the LPDP, or the legal basis depends on the category of data subject (see the legal basis for each category of person in point 3 of this Notice) and on the specific purpose of the processing (see point 6). The processing of special categories of data shall be carried out in the manner described in point 3 of this Notice.
6. What is the purpose of processing personal data?
The Data Controller of personal data, depending on their type and category of the person whose data are processed, collected and processed for:
- creation of a database of users of projects, programs, campaigns, etc., for their potential participation in them;
- participation in specific events within projects, programs, campaigns, etc., organized or supported by the Data Controller;
- informing the persons whose data are being processed about the current program, project, campaign, etc. (for example, through the Newsletter, social media page, media post, etc.);
- informing the persons whose data are processed about planned projects and programs of competitions;
- promotion of projects and programs;
- concluding and executing the contract or undertaking preparatory actions for the conclusion of the contract at the request of the data subject;
- fulfillment of legal obligations of the Data Controller.
7. How are personal data stored and what precautionary measures are in place?
The Data Controller shall store and archive personal data in its internal electronic records (databases) based on which it applies all necessary organizational, technical and personnel protection measures in accordance with the requirements of the applicable LPDP, including:
- control of physical access to the system where Personal Data are stored;
- control access to data;
- control of data transmission;
- control of data entry;
- control of data availability;
- other information security measures necessary to protect personal data.
8. What rights do the data subjects have?
In relation to personal data, the person whose data has been collected has the following rights:
- the right to request from the Data Controller access to personal data and information concerning processing (Article 26 of the LPDP);
- the right to request the correction of incorrectly entered data and the supplementation of such data (Article 29 of the LPDP);
- the right to request deletion of data (Article 30 of the LPDP);
- the right to a restriction of processing (Article 31 of the LPDP);
- the right to data portability (Article 36 of the LPDP)
- the right not to be subject to a decision taken solely on the basis of automated processing, including profiling (Article 38 of the LPDP);
- the right to be informed of personal data breaches if such breaches of personal data can create a high risk to the rights and freedoms of natural persons (Article 53 of LPDP);
- the right to file a complaint with the Commissioner for access to information of public importance and protection of personal data – Bulevar kralja Aleksandra number 15, 11120 Belgrade, telephone: +38111 3408 900, e-mail: firstname.lastname@example.org (Article 82 of the LPDP);
- the right to judicial protection if he / she considers that his / her rights under the LPDP have been violated (Article 84 of the LPDP);
- other rights guaranteed by the applicable LPDP.
In relation to the exercise of his / her rights, the Data Controller shall provide to the data subject all necessary assistance, all in accordance with the conditions and in the manner prescribed by the applicable LPDP.
9. Who can have access to the data besides the Data Controller?
The Data Controller may also supply personal data to third parties, some of which are processors and some of the recipients of the data. Processor pursuant to Article 4, paragraph 1, point 9) LPDP is a natural or legal person, that is, a body of authority that processes personal data on behalf of the Data Controller, while the recipient of the data is a natural or legal person or body of authority to which the personal data have been disclosed, whether it is a third party or not.
Categories of persons who may have access to personal data:
- employees and otherwise engaged persons at the Data Controller;
- donors funding the programs implemented by the Data Controller;
- partner organizations or contributors to individual programs;
- IT companies that maintain the Information Systems of the Data Controller;
- bookkeeping agencies providing services to the Data Controller.
Some processors can access personal data, are based in foreign countries, primarily in Bosnia and Herzegovina, EU / EEA Member States, and exceptionally in the USA. The disclosure of data in BiH as well as in EU / EEA countries is done on the basis of the default level of adequate protection of personal data in those countries, since according to Article 64 paragraph 2 of the LPDP, it is considered that an adequate level of protection of personal data is provided in countries and international organizations that are parties to the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data, i.e. in countries, parts of their territories or in one or more sectors of certain industries in those countries or international organizations designated by the European Union to provide adequate level of protection. The list of members of the Council of Europe Convention is publicly available through the CoE website at the following link: https://pr.fo/2JKL6x2. The transfer of data to the United States is made on the basis of the authorization referred to in Article 69, paragraph 1, point 1 of the LPDP.
All processors conclude separate contracts that regulate all important aspects of personal data processing as well as security measures. In any case, the Data Controller remains responsible for implementing appropriate precautionary measures.
Exceptionally, personal data may also be provided to the competent state bodies, if this is a legal obligation of the Data Controller, and only to the extent necessary for the fulfillment of a specific legal obligation.
10. What is the deadline for storing personal data?
The data are stored for a period in which it is necessary to carry out a specific purpose. In relation to the specific categories of persons whose data are processed:
- data on employees are kept permanently in accordance with the obligations of the law regulating records in the field of work;
- the data collected for the execution of the concluded Contract are kept for a period of 10 years (the general deadline for the statute of limitations for claims in accordance with the law regulating obligations), or longer, if the longer period is prescribed by law;
- the data stored on the basis of informed consent shall be kept until the specific purpose has been exhausted, or until the consent is revoked in accordance with Article 15, paragraph 3 of the LPDP, which also signifies the automatic termination of further processing of personal data, within 5 days from the date of such recall.
After expiry of the prescribed deadlines (where applicable), the data are deleted or unrecognized (anonymized).
The Data Controller, through its website, processes and uses the so-called Cookies.
Cookies represent data stored on a computer (or other device) of a user of a website (website visitor) and that enable the monitoring and analysis of user behavior on the website.
Cookies do not usually lead to the disclosure of the identity of a particular user. In the event that they identify a user, Cookies represent personally identifiable information, and therefore all points of this Notice regulating the processing of personal information apply to them.
Cookies can be removed by changing the settings on your Internet browser (Internet Explorer, Firefox, Chrome, Opera, etc.). You may delete the stored Cookies from your Internet browser, however, removing individual Cookies may impair the functionality of the Website.
The Data Controller uses the following types of Cookies:
- Cookies necessary for the operation of the Website (Necessary Cookies), the removal of such Cookies makes it impossible to use the Website or any of its parts;
- Functional Cookies enable WISA to provide better website functionality and personalize information that is marketed to the user. Such Cookies may be set by the Data Controller or third parties and may be removed as described above. Removing this type of Cookies may cause some services on the Website to not function properly;
- Performance Cookies, which provide information about visitors and how our users use our site, such as number of visits, frequency of visits to a particular page, etc. This information does not identify the user who visits the website, and helps the Data Controller to improve the performance of their own website and provide a better user experience;
12. Special Processing Notices
Based on the specificity of the purpose that the data collection and processing should have accomplished and in relation to the legal basis, the Data Controller shall, as appropriate, in relation to such processing, inform the data subjects of all its specificities (Special Notice). This Notice and Special Notice will apply to such processing.
13. Additional information on the processing of personal data
Any additional questions regarding the processing of personal data, including how to exercise the rights of the data subject, can be sent to the email address: email@example.com.
The Data Controller will respond to all inquiries within 5 working days at the latest.
14. Entry into force and amendment of the Notice
This Notice shall enter into force on the day of its publication on the Website of the Data Controller, and shall apply from 21 August 2019 (the date of application of the LPDP). This Notice may be updated from time to time, but the level of privacy protection attained will not be diminished. Any changes will take effect on the day they are posted on the website of the Data Controller.
Hereby, the persons whose data are processed confirm that they have read, understood and accepted the processing of personal data described above.