Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: Regulation) requires that the Controller shall take appropriate measures to provide any information relating to the processing of personal data to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and that the Controller shall facilitate the exercise of data subject rights.
The obligation to provide data subjects with information prior to processing is also required by Act CXII of 2011 on the freedom of information.
The information below is intended to fulfill this legal obligation of our Company.
CHAPTER I
DATA CONTROLLER
The issuer of this information, which also acts as Controller:
Company name: AsstOffice d.o.o. Novi Sad
Registered address: 21000 Novi Sad, Stražilovska 27/1
Company registration number: 21466158
Represented by: Aleksandar Marinković
Email address: office@asstoffice.com
Website: asstoffice.com
(hereinafter referred to as: Company)
CHAPTER II
NAME OF DATA PROCESSORS
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the Regulation).
The use of a processor does not require the prior consent of the data subject but he or she must be informed. Accordingly, we provide the following information:
1. Our Company’s IT service providers
In order to run and manage its IT systems, our Company uses data processors, which provide IT services (hosting services, e-mail services, system administration, CRM services) and process the personal data provided on the website, via email or in any other way in relation to the services provided by our Company – during the period of our contract with them.
2. Our Company’s accounting service providers
Our Company uses a contracted external service provider for fulfilling its tax and accounting obligations, which also processes the personal data of natural persons who are in a contractual or payment relationship with our Company in order to comply with our tax and accounting obligations.
CHAPTER III
PROCESSING DATA IN RELATION TO THE PROVISION OF SERVICES
Visiting the website
Information on the use of cookies
(1) In accordance with common practice on the Internet, our Company uses cookies on its website. A cookie is a small data file with a series of characters that are placed on the visitor’s computer when he or she visits a website. When the visitor visits the website again, thanks to the cookie, it can recognize the visitor’s browser.
(2) Our Company’s website will store and process the following data of visitor and the device used for browsing:
• IP address of the visitor,
• type of the browser,
• settings of the operating system of the device used for browsing (language settings),
• date of visit,
• the (sub)page visited, the function or service used.
(3) It is not mandatory to accept and enable the use of cookies. You can reset your browser’s setting to reject any cookie or to notify you when a cookie is being sent to your machine. Although most browsers automatically accept cookies by default, this can in general be modified in order to prevent automatic acceptance and give you the chance to decide in very individual case.
You can find information about the cookie settings of the most popular web browsers by clicking on the links below:
• Google Chrome
• Firefox
• Microsoft Internet Explorer 11
• Microsoft Internet Explorer 10
• Microsoft Internet Explorer 9
• Microsoft Internet Explorer 8
• Microsoft Edge
• Safari
Furthermore, please note that certain functions or services of the website may not work properly with cookies disabled.
(4) The cookies used on the website by themselves cannot establish the identity of the user.
(5) The cookies used on the Company’s website:
a) Strictly (technically) necessary session cookies
These cookies enable the visitor to browse the website and use its functions and the services provided via the website smoothly and fully, including especially keeping track of the User’s movements on the website during a specific visit. These cookies are retained only for the period of the current visit and once the session is over and the browser is closed, these cookies are automatically deleted from your computer.
The legal basis of this type of processing is Article 13/A (3) of Act CVIII of 2001 on certain issues of electronic trading services and information society services.
The purposes of processing: to ensure the proper operation of the website.
b) Consent based cookies:
These cookies enable the Company to remember the selections made by the user on the website. The visitor may object to this kind of processing at any time before or during the use of the service. These data may not be linked to the identification data of the user and may not be disclosed to a third person without the consent of the user.
c) Functional cookies:
The purposes of processing: To increase the effectiveness of the service and user experience as well as to make the use of the website more convenient.
The period of processing is 6 months.
Scope of processed data: ZOPIM, ADDTOANY
d) Performance cookies you can find linked here:
– Google Analytics cookies
– Google Adwords cookies
– Facebook cookies
Processing related to the newsletter service
(1) A natural person registering for the newsletter service on the website can give his or her consent to processing by ticking the relevant checkbox. The data subject can unsubscribe from the newsletter at any time by clicking on the “Unsubscribe” option in the newsletter or by writing or sending an email to us, which means that the consent is revoked. In this case, we immediately delete every piece of data other than the email address of the relevant person and the fact that he or she has unsubscribed from this service.
(2) The categories of processed data: name of the natural person (first name and last name), email address, country of origin, place of residence (country), service group.
(3) The purposes of processing personal data:
– Sending a newsletter about the products and services of our Company
– Sending promotion material
(4) The legal basis of processing: consent of the data subject.
(5) The recipients of personal data who have access to the eDm database within and outside of the company: the employees of the Company who perform customer service and marketing duties; the employees of the Company’s IT service provider as data processor for the purpose of providing hosting services.
(6) The period for which the personal data will be stored: until the newsletter service is provided or the data subject revokes their consent (requests erasure).
Requesting contact by completing the online form on the website or by sending an email
(1) A natural person completing the online form for requesting contact on the website can give his or her consent to processing by ticking the relevant checkbox.
(2) The categories of processed data (may vary depending on the type of service): name of the natural person (first name and last name), phone number, email address, copy of passport and/or visa, date of birth, marital status, travel information.
(3) The purposes of processing personal data:
– Requesting contact electronically, via phone and SMS or by sending regular mail;
– Sending information on the news related to the products, services, terms and conditions, special offers of our Company;
– Assessing eligibility for the services;
– Giving an offer related to the services provided on the website and delivering these services.
(4) The legal basis of processing: consent of the data subject or the response to the data subject’s request.
(5) The recipients of personal data who have access to the client database within and outside of the company: the employees of the Company who perform customer service and marketing duties; the employees of the Company’s IT service provider as data processor for the purpose of providing hosting services.
The period for which the personal data will be stored: 6 months or until the data subject revokes their consent (requests erasure).
Processing the data of our contracted partners – administration of customers and suppliers
(1) The Company shall process the following personal data of natural persons entering into a business relationship with the Company as customers or suppliers/associates on the basis of its legal obligations for the purposes of entering into, performing and terminating contracts and providing a contractual discount, as specified in applicable laws and regulations: name, name at birth, date of birth, mother’s maiden name, address, tax identification number, number of private entrepreneur’s card, number of primary producer’s card, identity card number, registered address, site address, phone number, email address, website address, bank account number, customer number (client number, order number), online identifier (list of customers and suppliers, list of regular customers). This processing is considered lawful even if it is necessary in order to take steps at the request of the data subject prior to entering into a contract. The recipients of the personal data: the employees and data processors of the Company performing customer service, taxing and accounting duties. The period of processing personal data: 5 years after the relevant contract is terminated.
Contact details of natural persons representing clients, customers and suppliers/associates that are legal entities
(1) The categories of personal data that may be processed: name, address, phone number, email address, online ID of the natural person.
(2) The purposes of processing personal data: to perform the contract made with the Company’s partner as a legal entity and maintain a business relationship; its legal basis: the Company’s legitimate interest.
(3) The recipients or categories of recipients of the personal data: the employees of the Company performing customer services duties.
(4) The period for which the personal data will be stored: 5 years after the business relationship and the assignment of the data subject as representative cease.
Special processing related to the provision of individual services
(1) The Controller may process the personal data of the Data Subject that may include various pieces of sensitive information for the provision of its services.
(2) The categories of personal data our Company processes may vary depending on the type of service. Processing related to the each of the services provided:
Company formation services
The categories of processed data: mother’s maiden name, place of birth, postal address, tax number, social security number, number and copy of residence permit, copy of passport, bank account number, other business assets, travel information.
The recipients and the categories of recipients of the personal data: the employees of the Company performing customer service duties and the relevant authorities, public bodies and business partners (bank, NAV (National Tax and Customs Administration), Court of Registration).
Service related to a residence permit
The categories of processed data: mother’s maiden name, place of birth, postal address, tax number, social security number, number and photocopy of residence permit, photocopy of passport, other business assets, travel information, gender, marital status, bank account number, criminal and judicial history, religion, ethnicity, health condition.
The recipients and the categories of recipients of the personal data: the employees of the Company performing customer service duties and the relevant authorities, public bodies and business partners/associates, NAV (National Tax and Customs Administration), Labor Office, Civil Registration Office, bank, insurance broker and private insurance company, real estate agency, owner of the leased property).
In certain cases, it may be necessary to process the personal data of family members; in this case, the categories of the data and the recipients are the same as those for the Data Subject.Administrative services related to the residence of foreigners in Serbia:
The categories of processed data: mother’s maiden name, place of birth, postal address, tax number, social security number, number and photocopy of residence permit, photocopy of passport, other business assets, travel information, gender, marital status, bank account number, criminal and judicial history, religion, ethnicity, health condition.
The recipients and the categories of recipients of the personal data: the employees of the Company performing customer service duties and the relevant authorities, public bodies and business partners/associates, NAV (National Tax and Customs Administration), Labor Office, Civil Registration Office, bank, insurance broker and private insurance company, real estate agency, owner of the leased property.
For recruitment services, the processing of the personal data of those applying as associate that has been announced include the following:
– The categories of processed data: name, address, previous jobs, field of interest, salary information
– The recipients or categories of recipients of the personal data: the employees of the Company performing customer services duties and the employees of the customer that has ordered the service.
(3) The purposes of processing personal data:
– Providing the ordered service
– Administration based on the customer’s request
– For a recruitment service, finding a job for the applicant.
(4) The legal basis of processing: consent of the data subject; performance of the contract; express consent by applying as associate.
(5) The employees of the Company’s IT service provider as a data processor.
The period for which the personal data will be stored: 12 months or until the data subject revokes their consent (requests erasure).
CHAPTER IV
PROCESSING BASED ON A LEGAL OBLIGATION
Processing for the purpose of fulfilling tax and accounting obligations
(1) The Company shall process the relevant personal data of natural persons entering into a business relationship with the Company as customers or suppliers on the basis of it legal obligations for the purposes of fulfilling its tax and accounting obligations as specified in applicable laws and regulations. The processed data include, in particular, the following: tax number, name, address, taxing status on the basis of Articles 169 and 202 of Act CXXVII of 2017 on Value Added Tax; name, address, name of person or organization that ordered the performance of the business operation, name of the person signing the payment order and the name of the person certifying performance of the operation, as well as the signature of the controller, depending on the particular organization; signature of the recipient on the payment receipt and signature of the payer on the counter receipt; number of the private entrepreneur’s card, number of the primary producer’s card, tax identification number.
(2) The period for which the personal data will be stored: 10 years after the legal relationship establishing the legal basis of processing ceases.
(3) The recipients of the personal data: the employees and data processors of the Company performing taxing, accounting, pay roll and social security duties.
CHAPTER V
INFORMATION ABOUT YOUR RIGHTS IN RELATION TO PROCESSING YOUR PERSONAL DATA
In the interest of clarity and transparency, in this chapter we will give a brief overview of your rights in relation to processing your data.
Right of information
The data subject shall have the right to receive information about the facts and data relating to processing prior to processing.
Right of access
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the related information as specified in the Regulation.
Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (‘right to be forgotten’)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the grounds specified in the Regulation applies:
Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where the conditions specified in the Regulation are fulfilled.
Notification obligation regarding rectification or erasure of personal data or restriction of processing
The Controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom or to which the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the data subject about those recipients if the data subject requests it.
Right to data portability
Subject to the conditions specified in the Regulation, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided.
Communication of a personal data breach to the data subject
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the data subject without undue delay.
Right to lodge a complaint with a supervisory authority (right to administrative remedy)
Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
CHAPTER VI
SUBMISSION OF REQUESTS IN CONNECTION WITH DATA PROCESSING ACTIONS TAKEN BY THE CONTROLLER
The Controller shall provide information on action taken upon a request to the data subject for exercising his or her rights without undue delay and in any event within one month of receipt of the request.
That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
If the Controller does not take action on the request of the data subject, the Controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Information provided under Articles 13 and 14 of the Regulation and any communication and any actions taken on the right of the data subject (Articles 15 to 22 and 34) shall be provided free of charge by the Controller. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller, taking into account the administrative costs of providing the information or communication or taking the action requested, may either:
a) charge a fee of RSD 6.000,00; or
b) refuse to act on the request.
The Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Where the Controller has reasonable doubts concerning the identity of the natural person making a request, the Controller may request the provision of additional information necessary to confirm the identity of the data subject.
