1. Appendix to the Data Management Regulations
DATA MANAGEMENT STATEMENT REGARDING THE RIGHTS OF NATURAL PERSONS IN RELATION TO THE MANAGEMENT OF THEIR PERSONAL DATA
CONTENTS
INTRODUCTION
CHAPTER I – NAME OF THE DATA CONTROLLER
CHAPTER II – NAMES OF DATA PROCESSORS
- Our Company’s IT Provider
- Our Company’s Ticket System Developer
CHAPTER III – ENSURING COMPLIANCE WITH DATA MANAGEMENT LAWS
- Data Management Based on the Consent of the Data Subject
- Data Management Based on Legal Obligations
- Promotion of Data Subject Rights
CHAPTER IV – DATA MANAGEMENT OF VISITORS TO THE COMPANY WEBSITE – COOKIE USAGE STATEMENT
CHAPTER V – STATEMENT ON THE RIGHTS OF DATA SUBJECTS
INTRODUCTION
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the Regulation), requires the Data Controller to take appropriate measures to provide the data subject with all necessary information about the processing of personal data in a concise, transparent, intelligible and easily accessible form, and to facilitate the exercise of the data subject’s rights.
The obligation to inform the data subject in advance is also prescribed by Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information.
The following text fulfills our obligations imposed by the aforementioned laws and regulations.
The notice should be displayed on the company’s website or sent to the data subject upon request.
CHAPTER I
NAME OF THE DATA CONTROLLER
The issuer of this notice, and at the same time the Data Controller:
Company name: PAN ACCOUNTING DOO ZRENJANIN
Headquarters: Zrenjanin
Registration number: 08675031
Tax ID: 100655335
Representative: Sonja Mavrenski
Phone number: +381 23/511-546
Email address: sonja.mavrenski@gmail.com
Website: panknjigovodstvo.rs/sr
(hereinafter referred to as the Company)
CHAPTER II
NAMES OF DATA PROCESSORS
A Data Processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller (Article 4(8) of the Regulation).
The use of a Data Processor does not require prior consent from the data subject, but the data subject must be informed. In accordance with these regulations, we provide the following notice:
- IT Provider of the Company
The Company uses the services of a Data Processor that provides IT services (hosting services) for the maintenance and management of its website and, as part of these services – in accordance with the content of the contract between the two parties – manages the personal data left on the website by storing them on the server.
Name and details of the Data Processor:
Company name: ErdSoft doo
Headquarters: 24000 Subotica, Somborski put 33a, Serbia
Registration number: 21354619
Tax ID: 110478829
Representative: Daniel Erdudac
Phone number: +381 60 44 60 555
Fax: None
Email address: daniel.erdudac@erdsoft.com
Website: erdsoft.com
CHAPTER III
ENSURING COMPLIANCE WITH DATA MANAGEMENT LAWS
1. Data Management Based on the Consent of the Data Subject
(1) If the Company intends to manage data based on consent, the consent for processing the personal data of the data subject must be requested through a form whose content is defined by the Data Management Regulations.
(2) Consent may be considered given if the user marks the consent field for data processing on the Company’s website, if they make the appropriate technical settings related to the use of information society services, or any other declaration or action that clearly expresses the data subject’s consent to the planned processing of their personal data. Silence, a pre-ticked box, or inaction does not constitute consent.
(3) Consent applies to all actions related to data processing carried out for the same purpose or objectives. If data processing is carried out for multiple different purposes, consent must be obtained for each purpose separately.
(4) If the data subject gives their consent as part of a written statement that also pertains to other matters – e.g., sales, service contract conclusion – consent must be requested in a manner that is clear, easy to understand, and clearly separated from other purposes. Parts of such a statement relating to consent that are not in accordance with the Regulation shall be deemed invalid.
(5) The Company must not condition the conclusion or execution of a contract on consent to the processing of personal data that is not necessary for the execution of the contract.
(6) Withdrawal of consent must be as easy as giving consent.
(7) If personal data was collected with the consent of the data subject, the Data Controller may, without further consent and even after the data subject has withdrawn consent, process the collected data to the extent necessary to fulfill a legal obligation to which it is subject.
(8) The website does not intentionally collect data from minors (under 16 years of age). If a minor’s data is nevertheless collected, it will be deleted as soon as the Company becomes aware of the fact.
2. Data Management Based on Legal Obligations
(1) In the case of data management based on legal obligations, the scope of data, the purpose of processing, the retention period, and the data users are defined by legal regulations.
(2) Data management based on the performance of legal obligations does not depend on the consent of the data subject, as data processing is determined by law. In this case, the data subject must be informed before data collection about the mandatory nature of the collection and must be clearly and thoroughly informed of all relevant facts related to the management of their data, with particular emphasis on the purpose and legal basis of data processing, the subject entitled to process the data, the duration of the processing, and who may have access to the data. The notice must also include the data subject’s rights and the means of exercising those rights in relation to the management of personal data. In the case of mandatory data processing, the notice may include a reference to the relevant legal provisions.
3. Promotion of Data Subject Rights
The Company is obligated to ensure that, in relation to all data management activities, the data subject can exercise their rights.
CHAPTER IV
DATA MANAGEMENT OF VISITORS TO THE COMPANY WEBSITE – COOKIE USAGE STATEMENT
1. Visitors to the website must be informed about the use of cookies, and for all cookies other than technically necessary session cookies, the visitor’s consent must be obtained before the cookie is set.
2. General Information About Cookies
2.1. A cookie is a small piece of data (a named value) that a website sends to the visitor’s browser for storage; the same website can later read the content of the cookie back. A cookie may be valid only until the browser is closed, or it may persist until an expiry date set by the site. From then on, the browser sends the cookie back to the server with every HTTP(S) request to that site, which is what allows the user to be recognized and tracked.
2.2. The essence of cookies is to identify the user (e.g., upon entering the website) and to recognize them adequately on all subsequent visits. The risk lies in the fact that the user may not always be aware that cookies are identifying them, which can allow the user to be tracked by the website owner or third parties whose content is integrated into the site (e.g., Facebook, Google Analytics). In cases of tracking, a user profile can be created, and the cookie content then becomes personal data.
2.3. Types of Cookies:
2.3.1. Technically Necessary Session Cookies: Without these cookies, websites would not be functional. They are used to identify the user, e.g., when they log in to the website, what they added to the cart, etc. Usually only a session ID is stored in the cookie, while the associated data is kept on the server, which is the more secure arrangement. From a security perspective, if the session ID is not generated with sufficient randomness it can be guessed or predicted, which opens the door to session hijacking, so it is important that these values are generated properly. In other terminologies, “session cookie” refers to any cookie that is deleted when the browser is closed (a session being one use of the browser from start to exit).
2.3.2. Cookies That Facilitate Usage: These cookies remember user choices, e.g., how the user wants the site displayed. In essence, they store the user’s settings on the user’s own device.
2.3.3. Performance Cookies: Although not directly related to “performance,” this is the name for cookies that collect information about user behavior, clicks, and time spent on the site. They are usually set by third-party services (such as Google Analytics, AdWords, or Yandex.ru) and are suitable for profiling visitors.
Learn more about Google Analytics cookies here: Analytics-cookies
Learn more about Google AdWords cookies here: Google support
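The point made in 2.3.1, that a poorly generated session ID invites session hijacking, is illustrated by the following added example. It is example code written for this page, not code from the Company or its IT provider, and it assumes a Python web server that keeps session data server-side; the login timestamp and the user record are constructed inputs. It contrasts a deliberately weak session ID (derived from the login time, so an attacker who knows roughly when the victim logged in can enumerate it) with one drawn from the operating system’s CSPRNG, stores only a hash of the ID on the server so a leaked store does not yield usable cookies, and emits a true session cookie (no Expires/Max-Age) with the HttpOnly, Secure and SameSite attributes.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Server-side session store, keyed by SHA-256 of the session ID rather than the
# ID itself, so that a database dump or log line does not contain valid cookies.
_sessions: dict = {}


def _store_key(session_id: str) -> str:
    return hashlib.sha256(session_id.encode()).hexdigest()


def weak_session_id(login_timestamp: int) -> str:
    """Deliberately WEAK (the anti-pattern from 2.3.1): derived only from the
    login time in whole seconds, so it is trivially enumerable."""
    return hashlib.md5(str(login_timestamp).encode()).hexdigest()


def strong_session_id() -> str:
    """256 bits from the OS CSPRNG, URL-safe base64 (43 characters)."""
    return secrets.token_urlsafe(32)


def create_session(user_data: dict, session_id: str) -> str:
    """Register a session for the given ID and return the ID to put in the cookie."""
    _sessions[_store_key(session_id)] = dict(user_data)
    return session_id


def set_cookie_header(session_id: str) -> str:
    """Value for the Set-Cookie response header. No Expires/Max-Age makes it a
    session cookie discarded when the browser closes; HttpOnly keeps it away from
    page scripts, Secure limits it to HTTPS, SameSite=Lax blocks most cross-site
    sending."""
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def lookup_session(cookie_header: str) -> Optional[dict]:
    """Resolve the Cookie request header to the stored session data, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "sid" not in jar:
        return None
    return _sessions.get(_store_key(jar["sid"].value))


def hijack_by_guessing(login_time_estimate: int, window: int = 60) -> Optional[dict]:
    """Attacker model: knows the victim's login time only to within `window`
    seconds and tries every candidate weak ID as a forged cookie."""
    for ts in range(login_time_estimate - window, login_time_estimate + window + 1):
        hit = lookup_session(f"sid={weak_session_id(ts)}")
        if hit is not None:
            return hit
    return None


def run_demo() -> tuple:
    """Returns (weak_hijacked, strong_hijacked, legitimate_lookup_ok)."""
    login_time = 1_700_000_000          # constructed login timestamp
    victim = {"user": "alice"}          # constructed user record

    _sessions.clear()
    create_session(victim, weak_session_id(login_time))
    weak_hijacked = hijack_by_guessing(login_time) is not None   # True

    _sessions.clear()
    sid = create_session(victim, strong_session_id())
    strong_hijacked = hijack_by_guessing(login_time) is not None  # False
    legit_ok = lookup_session(f"sid={sid}") == victim              # True
    return weak_hijacked, strong_hijacked, legit_ok


if __name__ == "__main__":
    print(run_demo())
    print(set_cookie_header(strong_session_id()))
```

The attacker in the demo needs only the approximate login time to take over the weak session; against the CSPRNG-generated ID the same enumeration finds nothing, and only the browser that received the Set-Cookie header can present a value the server recognizes.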
2.4. Accepting or enabling cookies is not mandatory. In the browser settings you can have all cookies rejected automatically, or have the browser notify you whenever a site attempts to set a cookie. Most browsers accept cookies automatically, but the settings can usually be changed to prevent automatic acceptance and let you choose between accepting and rejecting each cookie.
See the links below for cookie settings in the most popular browsers:
• Google Chrome: Chrome support
• Firefox: Firefox support
• Microsoft Internet Explorer 11: Microsoft support
• Microsoft Internet Explorer 10: Microsoft support
• Microsoft Internet Explorer 9: Microsoft support
• Microsoft Internet Explorer 8: Microsoft support
• Microsoft Edge: Microsoft support
• Safari: Apple support
However, it should be noted that certain site functions or services may not function properly without the use of cookies.
3. Information About Cookies Used on the Company’s Website and Data Collected During Visits
3.1. Data Collected During Visits
The Company’s website may record and manage the following data about the visitor or the device used:
- Visitor’s IP address,
- Browser type,
- Characteristics of the device’s operating system used by the visitor (including the set language),
- Time of visit,
- (Sub)pages, functions, or services visited,
- Clicks.
This data is stored for up to 90 days and is primarily used for monitoring security incidents.
3.2. Cookies Used on the Website
3.2.1. Technically Necessary Session Cookies
The purpose of managing these cookies is to ensure the proper functioning of the website. These cookies allow visitors to browse the site smoothly and use all functions and services available on the website, including visitor comments or recognizing a logged-in user during the visit. The duration of these cookies is limited to the current visitor session and they are automatically deleted from the user’s computer at the end of the session or when the browser is closed.
The legal basis for managing this data is Section 13/A(3) of Act CVIII of 2001 on Electronic Commerce Services and Information Society Services, which allows the service provider to process personal data that is technically necessary for providing the service. The service provider must select and operate its tools so that personal data is processed only when strictly necessary for providing the service, and only to the extent and for the time necessary.
3.2.2. Cookies That Facilitate Usage
These cookies remember user choices, such as page display preferences. Essentially, these cookies store user settings.
The legal basis for managing this data is the visitor’s consent.
The purpose of data management is to increase service efficiency, improve user experience, and facilitate site usage.
This data is stored on the user’s device, and the website accesses it to recognize the visitor.
3.2.3. Performance Cookies
These cookies collect information about user behavior, time spent on the site, and clicks on the page. They are typically set by third-party services (e.g., Google Analytics, AdWords).
The legal basis for managing this data is the data subject’s consent.
The purpose of data management is to analyze website usage and to deliver promotional offers.
CHAPTER V
STATEMENT ON THE RIGHTS OF DATA SUBJECTS
I. Summary of Data Subject Rights:
- Transparent information, communication, and methods for exercising data subject rights
- Right to be informed when personal data is collected from the data subject
- Information provided if personal data is not obtained from the data subject
- Right of access by the data subject
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Obligation to notify regarding rectification or erasure of personal data or restriction of processing
- Right to data portability
- Right to object
- Automated individual decision-making, including profiling
- Restrictions
- Notification of the data subject about personal data breach
- Right to lodge a complaint with a supervisory authority
- Right to an effective judicial remedy against a supervisory authority
- Right to an effective judicial remedy against the controller or processor.
II. Detailed Data Subject Rights:
1. Transparent Information, Communication, and Methods for Exercising Data Subject Rights
1.1. The controller is required to take appropriate measures to provide the data subject with all information regarding data processing in a concise, transparent, understandable, and easily accessible form, using clear and plain language, especially when the information is addressed to children. Information is provided in writing or by other means, including electronically where appropriate. If the data subject so requests, the information may be provided orally, provided that the identity of the data subject is verified by other means.
1.2. The controller facilitates the exercise of data subject rights.
1.3. The controller is obliged to provide information on the action taken on the data subject’s request without undue delay and at the latest within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of requests; the controller must inform the data subject of any such extension, and of the reasons for the delay, within one month of receipt of the request.
1.4. If the controller does not take action on the data subject’s request, the controller is obliged to inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
1.5. Information, communication, and actions taken are provided free of charge. Where a request is manifestly unfounded or excessive, in particular because of its repetitive character, the controller may, as prescribed by the Regulation, charge a reasonable fee or refuse to act on the request.
Detailed rules can be found in Article 12 of the Regulation.
2. Right to Be Informed When Personal Data Is Collected From the Data Subject
2.1. When personal data is collected directly from the data subject, the controller is required to provide the data subject with the following information at the time of data collection:
a) The identity and contact details of the controller and, where applicable, the controller’s representative;
b) The contact details of the data protection officer, where applicable;
c) The purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
d) Where the processing is based on the legitimate interests of the controller or a third party, information about those interests;
e) The recipients or categories of recipients of the personal data, if any;
f) Where applicable, the fact that the controller intends to transfer personal data to a third country or international organization.
2.2. In addition to the information referred to above, the controller should provide the data subject at the time of data collection with further information necessary to ensure fair and transparent processing, including:
a) The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
b) The existence of the right to request access to and rectification or erasure of personal data, or restriction of processing, or to object to processing, as well as the right to data portability;
c) Where processing is based on the data subject's consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d) The right to lodge a complaint with a supervisory authority;
e) Whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
f) The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2.3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were originally collected, the controller is required to provide the data subject prior to that further processing with information on that other purpose and with any relevant further information.
Detailed rules on the right to be informed are contained in Article 13 of the Regulation.
3. Information Provided If Personal Data Is Not Obtained From the Data Subject
3.1. Where the controller has not obtained personal data directly from the data subject, the controller is required to provide the data subject with the information referred to in point 2, as well as the categories of personal data concerned, the source of the data, or where applicable, whether the data came from publicly accessible sources, within one month of obtaining the data at the latest. If the data is used to contact the data subject, the controller must inform the data subject at the latest at the time of the first contact; or if the data is to be transferred to another recipient, at the latest when the personal data is first transferred.
3.2. The other rules apply according to the provisions of point 2 (Right to be informed).
Detailed rules of this notice are contained in Article 14 of the Regulation.
4. Right of Access by the Data Subject
4.1. The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed and, where that is the case, access to the personal data and the information listed in points 2 and 3 (Article 15 of the Regulation).
4.2. Where personal data is transferred to a third country or international organization, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 of the Regulation relating to the transfer.
4.3. The controller is obliged to provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
Detailed rules regarding the right of access by the data subject are contained in Article 15 of the Regulation.
5. Right to Rectification
5.1. The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them.
5.2. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
These rules are contained in Article 16 of the Regulation.
6. Right to Erasure ("Right to Be Forgotten")
6.1. The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller is obliged to erase personal data without undue delay where one of the following grounds applies:
a) The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
b) The data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
c) The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
d) The personal data has been unlawfully processed;
e) The personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) The personal data has been collected in relation to the offer of information society services directly to a child.
6.2. The right to erasure does not apply to the extent that processing is necessary:
a) For exercising the right of freedom of expression and information;
b) For compliance with a legal obligation that requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) For reasons of public interest in the area of public health;
d) For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes where the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) For the establishment, exercise, or defense of legal claims.
Detailed rules regarding the right to erasure are contained in Article 17 of the Regulation.
7. Right to Restrict Processing
7.1. Where processing has been restricted, the personal data may, apart from storage, be processed only with the data subject’s consent, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State.
7.2. The data subject has the right to request the restriction of processing from the controller if one of the following conditions is met:
a) The data subject contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the data;
b) The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or
d) The data subject has objected to processing pending the verification of whether the legitimate grounds of the controller override those of the data subject.
7.3. The controller is obliged to inform the data subject before lifting the restriction of processing.
Detailed rules are contained in Article 18 of the Regulation.
8. Obligation to Notify About Rectification, Erasure, or Restriction of Processing of Personal Data
The controller is obliged to inform each recipient to whom the personal data has been disclosed of any rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort. The controller is also obliged to inform the data subject about these recipients if the data subject so requests.
Detailed rules are contained in Article 19 of the Regulation.
9. Right to Data Portability
9.1. The data subject has the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used, and machine-readable format, and has the right to transmit that data to another controller without hindrance from the controller to which the personal data was provided, provided that:
a) The processing is based on consent or on a contract; and
b) The processing is carried out by automated means.
9.2. In exercising the right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
9.3. The exercise of the right to data portability does not affect the right to erasure ("right to be forgotten") under Article 17 of the Regulation. This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This right must not adversely affect the rights and freedoms of others.
Detailed rules are contained in Article 20 of the Regulation.
10. Right to Object
10.1. The data subject has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on Article 6(1)(e) or (f), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
10.2. Where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, including profiling to the extent that it is related to such direct marketing. If the data subject objects, the personal data shall no longer be processed for such purposes.
10.3. At the latest at the time of the first communication with the data subject, the controller shall explicitly bring the right to object to the data subject’s attention, which must be presented clearly and separately from any other information.
10.4. The data subject may exercise the right to object by automated means using technical specifications.
10.5. Where personal data is processed for scientific or historical research purposes or statistical purposes, the data subject has the right to object to processing, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Detailed rules are contained in Article 21 of the Regulation.
11. Automated Individual Decision-Making, Including Profiling
11.1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
11.2. Paragraph 1 does not apply if the decision:
a) Is necessary for entering into, or the performance of, a contract between the data subject and a controller;
b) Is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests; or
c) Is based on the data subject's explicit consent.
11.3. In the cases referred to in points (a) and (c) of paragraph 2, the controller shall implement suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express their point of view, and to contest the decision.
Detailed rules are contained in Article 22 of the Regulation.
12. Restrictions
Union or Member State law to which the controller or processor is subject may restrict, by way of a legislative measure, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to those rights and obligations, provided that such a restriction respects the essence of the fundamental rights and freedoms.
The conditions of these restrictions are prescribed in Article 23 of the Regulation.
13. Notification of Personal Data Breach to the Data Subject
13.1. When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller is obliged to notify the data subject of the personal data breach without undue delay. The notification to the data subject shall describe in clear and plain language the nature of the personal data breach and shall include at least the following information:
a) The name and contact details of the data protection officer or other contact point where more information can be obtained;
b) A description of the likely consequences of the personal data breach;
c) A description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
13.2. Notification to the data subject is not required if any of the following conditions are met:
a) The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
b) The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
c) It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
Further rules are contained in Article 34 of the Regulation.
14. Right to Lodge a Complaint with a Supervisory Authority
Every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if they consider that the processing of personal data relating to them infringes the Regulation. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy.
Detailed rules are contained in Article 77 of the Regulation.
15. Right to an Effective Judicial Remedy Against a Supervisory Authority
15.1. Without prejudice to any other administrative or non-judicial remedy, every person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
15.2. Without prejudice to any other administrative or non-judicial remedy, every data subject has the right to an effective judicial remedy where the supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
15.3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
15.4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
Detailed rules are contained in Article 78 of the Regulation.
16. Right to an Effective Judicial Remedy Against a Controller or Processor
16.1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, every data subject has the right to an effective judicial remedy where they consider that their rights under the Regulation have been infringed as a result of the processing of their personal data in non-compliance with the Regulation.
16.2. Proceedings against a controller or processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has their habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
Detailed rules are contained in Article 79 of the Regulation.