Annex 1 to the Data Management Policy
NOTICE ON DATA MANAGEMENT RELATED TO THE RIGHTS OF INDIVIDUALS REGARDING THE MANAGEMENT OF THEIR PERSONAL DATA
CONTENTS
INTRODUCTION
CHAPTER I – NAME OF THE DATA CONTROLLER
CHAPTER II – NAME OF THE DATA PROCESSORS
- IT provider of our Company
- Ticket system developer of our Company
CHAPTER III – ENSURING COMPLIANCE OF DATA MANAGEMENT WITH THE LAW
- Data management based on the consent of the data subject
- Data management based on legal obligations
- Promotion of the rights of the data subject
CHAPTER IV – DATA MANAGEMENT OF VISITORS TO THE COMPANY'S WEBSITE – NOTICE ON THE USE OF COOKIES
CHAPTER V – NOTICE ON THE RIGHTS OF THE DATA SUBJECTS
INTRODUCTION
Based on Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: the Regulation) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, the Data Controller must take appropriate measures to ensure that the data subject whose data is being collected receives all necessary information about the management of their personal data in a concise, clear, transparent, comprehensible and easily accessible form, and that the conditions for exercising the rights of the data subject are in place.
The obligation to inform the data subject in advance is also prescribed by Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
The following text fulfills our obligations as required by the aforementioned laws and regulations.
The notice must be prominently displayed on the company's website or sent to the data subject upon request.
CHAPTER I
NAME OF THE DATA CONTROLLER
The issuer of this notice, and also the Data Controller:
Company name: Specialist Dental Practice “Dr. Maja Radović”
Headquarters: Niš
Registration number: 55705127
Tax ID: 100339345
Representative: Maja Radović
Phone number: +381 (0) 63 864 - 3034
Email address: mayaradovic@yahoo.com
Website: drmajaradovic.rs/sr
(hereinafter: the Company)
CHAPTER II
NAME OF THE DATA PROCESSORS
A Data Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller (Article 4(8) of the Regulation).
The use of a Data Processor does not require the prior consent of the data subject, but it is necessary to inform the data subject. In accordance with these regulations, we provide the following notice:
1. IT Provider of the Company
The Company uses the services of a Data Processor that provides IT services (hosting services) for the maintenance and management of its website, and within these services – in accordance with the contract between the two parties – processes personal data left on the website by storing them on a server.
Name and details of the Data Processor:
Company name: ErdSoft doo
Headquarters: 24000 Subotica, Somborski put 33a, Serbia
Registration number: 21354619
Tax ID: 110478829
Representative: Daniel Erdudac
Phone number: +381 60 44 60 555
Fax: None
Email address: daniel.erdudac@erdsoft.com
Website: erdsoft.com
CHAPTER III
ENSURING COMPLIANCE OF DATA MANAGEMENT WITH THE LAW
1. Data management based on the consent of the data subject
(1) If the Company intends to manage data based on consent, it is necessary to obtain the consent for managing the personal data of the data subject by using a form, the content of which is determined by the Data Management Policy.
(2) Consent is also considered given if the user checks a box related to the request for consent for data processing on the Company’s website, if they perform the related technical settings for using the information society services, as well as by any other statement or action that clearly indicates the data subject’s consent to the planned management of their personal data. Silence, pre-checked boxes or inaction do not constitute consent.
(3) Consent covers all data management activities carried out for the same purpose or purposes. If data management serves multiple different purposes, consent must be obtained for all purposes related to data management.
(4) If the data subject gives their consent within a written statement that also concerns other purposes – e.g., sales, conclusion of a service contract – the consent must be requested in a manner that is clear, simple, understandable, accessible, and distinctly separate from other purposes. Parts of such statements that contain the data subject's consent and do not comply with the Regulation are not legally binding.
(5) The Company cannot condition the conclusion or execution of a contract on consent to manage personal data that is not necessary for the execution of the contract.
(6) Withdrawal of consent should be as easy as giving consent.
(7) If personal data is recorded based on the consent of the data subject, the Data Controller may use the recorded data to fulfill legal obligations without special consent, even after the data subject withdraws their consent, unless legal regulations require otherwise.
(8) The website does not intentionally collect data from minors (under 16 years of age). If data of a minor is stored, upon becoming aware of this fact, the minor's data will be deleted without delay.
2. Data management based on legal obligations
(1) In the case of data management based on the fulfillment of legal obligations, the scope of data, the purpose of data management, the duration of data retention, and the data users are determined by legal regulations.
(2) Data management based on the fulfillment of legal obligations does not depend on the consent of the data subject, as data management is determined by law. In this case, the data subject must be informed before data collection that the collection is mandatory, and they must be thoroughly and clearly informed about all facts related to the management of their data, with particular attention to the purpose and legal basis of data processing, the entity entitled to manage the data, the duration of data management, the fact that personal data is managed in accordance with legal provisions, and who may have access to the data. The notice must also include the rights of the data subject and the possibilities for exercising those rights related to personal data management. In the case of mandatory data management, the notice may also be considered as the publication of a reference to all legal regulations containing the above-mentioned information.
3. Promotion of the rights of the data subject
The Company is obliged to ensure that the data subject can exercise their rights in all activities related to data management.
CHAPTER IV
DATA MANAGEMENT OF VISITORS TO THE COMPANY'S WEBSITE – NOTICE ON THE USE OF COOKIES
1. Visitors to the website must be informed about the use of cookies, and consent must be obtained from the visitor for all cookies except for technically necessary session cookies.
2. General information about cookies
2.1. A cookie is a small piece of data (a named value) that the visited website sends to the visitor's browser for storage; the same website can later read back or update its content. Cookies can be valid only until the browser is closed, or they can remain for an unlimited period of time. On every subsequent HTTP(S) request to that site, the browser sends the cookie back to the server, which can then update the data stored on the user’s device.
2.2. The essence of cookies is to mark and identify the user (e.g., their login to the site) and to treat that user accordingly in all subsequent instances. The risk lies in the fact that the user is not always aware that cookies identify them, which provides an opportunity for the user to be tracked by the site owner or another provider whose content is embedded in the site (e.g., Facebook, Google Analytics). During tracking, a profile of the user is created, and in such cases, the content of the cookie is treated as personal data.
2.3. Types of cookies:
2.3.1. Technically necessary session cookies: Without them, websites simply do not function; they are used to recognize the user once logged in, to remember what they have placed in the cart, etc. In this case usually only the session ID is stored in the cookie, while the other data is stored on the server, which makes them more secure. From a security perspective, if the session cookie value is not well generated (i.e., not sufficiently random and unpredictable), there is a risk of session hijacking, so these values must be generated correctly. In other terminology, a session cookie is any cookie that is deleted when the browser is closed (a session being the use of the browser from start to exit).
2.3.2. Cookies that facilitate use: These cookies remember the user's choices, such as the preferred way to view the page. In effect, these cookies store the user's settings data.
2.3.3. Performance cookies: Although they have little to do with "performance," this is the name given to cookies that collect information about user behavior, clicks and the time spent on the page being visited. They are usually set by third-party applications (such as Google Analytics, AdWords or Yandex.ru cookies) and are suitable for profiling visitors.
Learn more about Google Analytics cookies here: Analytics-cookies
Learn more about Google AdWords cookies here: Google support
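Points 2.1 and 2.3.1 above describe how a session cookie travels between browser and server and why its value must be generated correctly. The following is an added example, not code from the Company or its IT provider, showing how a server would mint an unguessable session ID, issue it as a technically necessary session cookie (no expiry, HttpOnly, Secure, SameSite), and audit a Set-Cookie header for the attributes that reduce the hijacking risk the notice mentions. The cookie name "sessionid", the 128-bit token size and the weak sample header are assumptions of this illustration.

```python
"""Session-cookie hygiene for the technically necessary session cookie.

Added example, not the Company's or ErdSoft's code. The cookie name,
token size and the constructed weak header below are assumptions.
"""
import secrets
from typing import Dict, List

SESSION_ID_BYTES = 16  # 128 bits from the OS CSPRNG (assumed size)


def new_session_id() -> str:
    """Return a random, URL-safe session ID.

    secrets.token_urlsafe draws from os.urandom, so one ID cannot be
    predicted from earlier IDs, timestamps or user data, which is what
    'well-generated' means in point 2.3.1.
    """
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def session_cookie_header(session_id: str, name: str = "sessionid") -> str:
    """Build the Set-Cookie value for a session cookie.

    No Max-Age/Expires: the browser discards it when closed (a session
    cookie in the sense of 2.3.1). HttpOnly hides it from page scripts,
    Secure restricts it to HTTPS, SameSite=Lax keeps most cross-site
    requests from carrying it.
    """
    return f"{name}={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie header into its name/value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"__name": name, "__value": value}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val  # flags such as HttpOnly map to ""
    return attrs


def audit_session_cookie(header: str) -> List[str]:
    """Return findings for a session cookie; an empty list means it meets the baseline."""
    attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict")
    if "max-age" in attrs or "expires" in attrs:
        findings.append("persistent, not a session cookie")
    # Coarse guessability check: short or purely numeric IDs (a counter,
    # a timestamp) are exactly the 'not well-generated' values 2.3.1 warns about.
    value = attrs["__value"]
    if len(value) < 16 or value.isdigit():
        findings.append("session id looks guessable")
    return findings


# Constructed weak header for comparison: sequential ID, persistent, no flags.
WEAK_HEADER = "sessionid=1043; Path=/; Max-Age=2592000"

if __name__ == "__main__":
    good = session_cookie_header(new_session_id())
    print("issued:", good)
    print("audit of issued cookie:", audit_session_cookie(good) or "ok")
    print("audit of weak cookie:", audit_session_cookie(WEAK_HEADER))
```

The audit only checks what is visible in the header; whether the server also invalidates the ID on logout and regenerates it after login is a separate server-side control not shown here.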
2.4. Accepting or enabling cookies is not mandatory. In the browser settings, you can configure it to automatically reject all cookies, or to notify you when the system sends cookies. Most browsers automatically accept cookies by default, but the settings can usually be changed to prevent automatic acceptance and to offer the user a choice between accepting and rejecting cookies each time.
See the links below for cookie settings in the most popular browsers:
• Google Chrome: Chrome support
• Firefox: Firefox support
• Microsoft Internet Explorer 11: Microsoft support
• Microsoft Internet Explorer 10: Microsoft support
• Microsoft Internet Explorer 9: Microsoft support
• Microsoft Internet Explorer 8: Microsoft support
• Microsoft Edge: Microsoft support
• Safari: Apple support
However, it should be noted that certain site functions or services may not work properly without cookies.
3. Information about Cookies Used on the Company's Website and Data Collected During the Visit
3.1. Data Collected During the Visit
The Company’s website may use cookies to collect and manage the following information about the visitor or the device being used:
- Visitor's IP address,
- Browser type,
- Characteristics of the device’s operating system used by the visitor (language settings),
- Time of visit,
- (Sub)pages, features, or services the visitor interacts with,
- Clicks.
This data is retained for up to 90 days and is primarily used for monitoring security incidents.
3.2. Cookies Used on the Website
3.2.1. Technically Necessary Session Cookies
The purpose of data management is to ensure the proper functioning of the website. These cookies are necessary for visitors to navigate the website seamlessly and to fully use all available features and services, including, in particular, visitor comments on the site and the identity of a logged-in user during a visit. The duration of such cookie management is limited to the current visit; the cookies are automatically deleted from the user's computer after the session ends or the browser is closed.
The legal basis for managing this data is Section 13/A(3) of Act CVIII of 2001 on Electronic Commerce and Information Society Services, which allows the service provider to manage personal data that is technically necessary for providing the service. All other conditions being equal, the service provider must choose and use the tools for providing information society services in such a way that personal data is processed only if strictly necessary for providing the service and for fulfilling the other purposes specified by that Act, and only to the extent and for the duration necessary.
3.2.2. Cookies That Facilitate Use
These cookies remember the user’s choices, such as display preferences for the website. In effect, they store the user's settings data on the user's device.
The legal basis for managing this data is the consent of the visitors.
The purpose of data management is to increase service efficiency, improve user experience, and ensure more convenient use of the site.
This data is stored on the user’s computer, and the website accesses it and recognizes the visitor based on this information.
3.2.3. Performance Cookies
This type of cookie collects information about user behavior, the time spent on the page, and the clicks made by the user. These cookies are usually associated with third-party applications (e.g., Google Analytics, AdWords).
The legal basis for data management is the consent of the data subject.
The purpose of data management is to analyze the website and send promotional offers.
CHAPTER V
NOTICE ON THE RIGHTS OF DATA SUBJECTS
I. Summary of the Rights of Data Subjects:
- Transparent information, communication, and modalities for exercising the rights of data subjects.
- Right to prior information when personal data is collected from the data subject.
- Information provided when personal data is not obtained from the data subject.
- Right of access for the data subject.
- Right to rectification.
- Right to erasure ("right to be forgotten").
- Right to restrict processing.
- Obligation to notify about rectification or erasure of personal data or restriction of processing.
- Right to data portability.
- Right to object.
- Automated individual decision-making, including profiling.
- Restrictions.
- Notification of the data subject about personal data breaches.
- Right to lodge a complaint with a supervisory authority.
- Right to an effective judicial remedy against a supervisory authority.
- Right to an effective judicial remedy against a controller or processor.
II. Detailed Rights of Data Subjects:
1. Transparent Information, Communication, and Modalities for Exercising the Rights of Data Subjects
1.1. The controller shall take appropriate measures to provide the data subject with all information regarding processing in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, particularly when the information is addressed specifically to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
1.2. The controller shall facilitate the exercise of the rights of the data subject.
1.3. The controller shall provide information on actions taken in response to a request by the data subject without undue delay and in any event within one month of receipt of the request. This period may be extended by two additional months where necessary, and the controller shall inform the data subject of any such extension within the deadline.
1.4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
1.5. The information provided, all communication, and any actions taken shall be provided free of charge, but in certain cases as prescribed by the Regulation, a fee may be charged.
Detailed rules can be found in Article 12 of the Regulation.
2. Right to Prior Information Provided When Personal Data Is Collected from the Data Subject
2.1. If personal data is collected from the data subject, the controller shall provide the data subject with all of the following information at the time when personal data is obtained:
- The identity and contact details of the controller and, where applicable, the controller's representative;
- The contact details of the data protection officer, where applicable;
- The purposes of the processing for which the personal data is intended, as well as the legal basis for the processing;
- Where processing is based on legitimate interests, the legitimate interests pursued by the controller or by a third party;
- The recipients or categories of recipients of the personal data, if any;
- Where applicable, the fact that the controller intends to transfer personal data to a third country or international organization.
2.2. When collecting personal data, the controller shall provide the data subject with the following additional information necessary to ensure fair and transparent processing:
- The period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
- The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to such processing, as well as the right to data portability;
- Where processing is based on the data subject’s consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- The right to lodge a complaint with a supervisory authority;
- Whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failing to provide such data;
- The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
2.3. If the controller intends to further process personal data for a purpose other than that for which the personal data was collected, the controller shall provide the data subject with information on that other purpose and any additional relevant information prior to that further processing.
All additional rules regarding the right to prior information can be found in Article 13 of the Regulation.
3. Information Provided When Personal Data Is Not Obtained from the Data Subject
3.1. If personal data is not obtained from the data subject, the controller is obliged to inform the data subject within one month of the date of obtaining the data of the facts and information described in point 2, including the categories of personal data, the source of personal data, or, in certain cases, whether the data comes from publicly accessible sources. If personal data is used to contact the data subject, the controller shall at least inform the data subject at the time of the first communication; or, if the data is intended to be transferred to other recipients, no later than the first transfer.
3.2. Other rules are governed by the facts and obligations described in point 2 (Right to Prior Information).
Detailed rules for this notification can be found in Article 14 of the Regulation.
4. Right of Access by the Data Subject
4.1. The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the information listed in points 2 and 3 (Article 15 of the Regulation).
4.2. Where personal data is transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards under Article 46 relating to the transfer.
4.3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
Detailed rules regarding the right of access by the data subject can be found in Article 15 of the Regulation.
5. Right to Rectification
5.1. The data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning them without undue delay.
5.2. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
These rules are contained in Article 16 of the Regulation.
6. Right to Erasure ("Right to Be Forgotten")
6.1. The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller is obliged to erase personal data without undue delay if one of the following grounds applies:
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- The data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- The personal data has been unlawfully processed;
- The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- The personal data has been collected in relation to the offer of information society services directly to a child.
6.2. The grounds for erasure do not apply where processing is necessary:
- For exercising the right of freedom of expression and information;
- For compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- For reasons of public interest in the area of public health;
- For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, where the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- For the establishment, exercise, or defense of legal claims.
Detailed rules related to the right to erasure are contained in Article 17 of the Regulation.
7. Right to Restriction of Processing
7.1. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent, or for the establishment, exercise or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
7.2. The data subject has the right to request the restriction of processing from the data controller if one of the following conditions is met:
a) The data subject contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
b) The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) The controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise, or defense of legal claims; or
d) The data subject has objected to processing, pending the verification of whether the legitimate grounds of the controller override those of the data subject.
7.3. The controller is obliged to inform the data subject before lifting the restriction of processing.
Detailed rules are set out in Article 18 of the Regulation.
8. Obligation to Notify About Rectification or Erasure of Personal Data or Restriction of Processing
The controller is obliged to notify each recipient to whom the personal data has been disclosed of any rectification or erasure of personal data or restriction of processing, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Detailed rules are set out in Article 19 of the Regulation.
9. Right to Data Portability
9.1. The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another controller without hindrance from the controller to which the personal data has been provided, provided that:
a) The processing is based on consent or on a contract; and
b) The processing is carried out by automated means.
9.2. In exercising their right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
9.3. The exercise of the right to data portability shall be without prejudice to Article 17 (Right to Erasure, i.e., "Right to be Forgotten"). This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This right must not adversely affect the rights and freedoms of others.
Detailed rules are set out in Article 20 of the Regulation.
10. Right to Object
10.1. The data subject has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on Article 6, paragraph 1, point (e) or (f), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
10.2. Where personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
10.3. At the latest at the time of the first communication with the data subject, the right referred to in the preceding paragraphs shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
10.4. The data subject may exercise their right to object by automated means using technical specifications.
10.5. Where personal data is processed for scientific or historical research purposes or statistical purposes, the data subject shall have the right to object, on grounds relating to their particular situation, to processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Detailed rules are set out in Article 21 of the Regulation.
11. Automated Individual Decision-Making, Including Profiling
11.1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
11.2. Point 11.1 shall not apply if the decision:
a) Is necessary for entering into, or performance of, a contract between the data subject and a data controller;
b) Is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
c) Is based on the data subject's explicit consent.
11.3. In the cases referred to in points (a) and (c) of 11.2, the controller shall implement suitable measures to safeguard the data subject's rights, freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.
Detailed rules are set out in Article 22 of the Regulation.
12. Restrictions
Union or Member State law to which the controller or processor is subject may restrict by a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5, in so far as such a restriction respects the essence of the fundamental rights and freedoms.
The conditions for these restrictions are defined in Article 23 of the Regulation.
13. Notification of Personal Data Breach to the Data Subject
13.1. Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The notification to the data subject shall describe in clear and plain language the nature of the personal data breach and shall at least include the following information and measures:
a) The name and contact details of the data protection officer or other contact point where more information can be obtained;
b) A description of the likely consequences of the personal data breach;
c) A description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
13.2. Notification to the data subject shall not be required if any of the following conditions are met:
a) The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular, those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
b) The controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize; or
c) It would involve disproportionate effort. In such a case, a public communication or similar measure whereby the data subjects are informed in an equally effective manner shall be made.
Detailed rules are set out in Article 34 of the Regulation.
14. Right to Lodge a Complaint with a Supervisory Authority
Every data subject has the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work, or place of the alleged infringement, if the data subject considers that the processing of personal data relating to them infringes this Regulation. The supervisory authority with which the complaint has been lodged is obliged to inform the complainant about the progress and the outcome of the complaint, including the possibility of a judicial remedy.
These rules are set out in Article 77 of the Regulation.
15. Right to an Effective Judicial Remedy Against a Supervisory Authority
15.1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
15.2. Without prejudice to any other administrative or non-judicial remedy, every data subject has the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
15.3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
15.4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
These rules are set out in Article 78 of the Regulation.
16. Right to an Effective Judicial Remedy Against a Controller or Processor
16.1. Without prejudice to any other available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, the data subject has the right to an effective judicial remedy where they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.
16.2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has their habitual residence unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
These rules are set out in Article 79 of the Regulation.