Annex 1 of the Data Management Policy
NOTICE ON DATA MANAGEMENT REGARDING THE RIGHTS OF INDIVIDUALS IN RELATION TO THE MANAGEMENT OF THEIR PERSONAL DATA
TABLE OF CONTENTS
INTRODUCTION
CHAPTER I – NAME OF THE DATA CONTROLLER
CHAPTER II – NAME OF THE DATA PROCESSORS
- The IT provider of our Company
- The ticketing system developer of our Company
CHAPTER III – ENSURING COMPLIANCE WITH DATA MANAGEMENT LAWS
- Data management based on the consent of the data subject
- Data management based on legal obligations
- Promotion of the rights of the data subject
CHAPTER IV – DATA MANAGEMENT OF VISITORS TO THE COMPANY'S WEBSITE – COOKIE NOTICE
CHAPTER V – NOTICE ON THE RIGHTS OF DATA SUBJECTS
INTRODUCTION
Based on the EU General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council, hereinafter referred to as the "Regulation") concerning the protection and free movement of personal data of individuals, and repealing Directive 95/46/EC, the Data Controller is required to take appropriate actions to ensure that individuals whose data are being collected are provided with all necessary information regarding the management of their personal data in a concise, clear, transparent, understandable, and accessible manner. The Controller is also obliged to ensure that the rights of the individuals whose data are collected are upheld.
The obligation to inform individuals in advance of their right to informational self-determination and freedom of information is also prescribed by the Hungarian Law CXII of 2011.
With the following text, we fulfill our obligations as prescribed by the above-mentioned laws and regulations.
The notice should be displayed on the company’s website or sent to the individual whose data is being collected upon their request.
CHAPTER I – NAME OF THE DATA CONTROLLER
The issuer of this notice, and at the same time the Data Controller:
Company Name: EUROSHOP DOO SENTA
Registered Office: Subotica
Company ID: 08800294
Tax ID: 103133828
Representative: Predrag Preradov
Phone Number: +381 24 / 827 - 505
Email Address: euroshop24400@gmail.com
Website: secondhand-srbija.rs/en
(hereinafter referred to as the “Company”)
CHAPTER II – NAME OF THE DATA PROCESSORS
A Data Processor is a natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the Data Controller (Regulation Article 4(8)).
The use of a Data Processor does not require the prior consent of the individual, but the individual must be informed. In accordance with these regulations, we provide the following notice:
1. IT provider of the Company
The Company uses the services of a Data Processor that provides IT services (hosting services) to maintain and manage its website. Under the agreement between the two parties, the processor manages personal data left on the website by storing them on a server.
Name and contact details of the Data Processor:
Company Name: ErdSoft doo
Registered Office: 24000 Subotica, Somborski put 33a, Serbia
Company ID: 21354619
Tax ID: 110478829
Representative: Daniel Erdudac
Phone Number: +381 60 44 60 555
Fax: Not available
Email Address: daniel.erdudac@erdsoft.com
Website: erdsoft.com
CHAPTER III – ENSURING COMPLIANCE WITH DATA MANAGEMENT LAWS
1. Data management based on the consent of the data subject
(1) If the company intends to manage data based on consent, it is necessary to request consent for the processing of personal data from the individual whose data will be processed via a form, the content of which is defined by the data management policy.
(2) Consent is considered given when the user checks a box indicating their consent for data processing on the company’s website, completes related technical settings regarding the use of information society services, or performs any other action or makes a statement clearly indicating their consent to the intended processing of their personal data. Silence, pre-ticked boxes, or failure to act shall not be considered as consent.
(3) Consent applies to all data management actions that are carried out for the same purpose or purposes. If the data management serves multiple purposes, consent must be requested for each specific purpose.
(4) If a person gives their consent as part of a written statement that also pertains to other matters – for example, sales or service contracts – the consent must be clearly expressed, understandable, and distinct from other purposes. Parts of such statements containing the individual’s consent that do not comply with regulations will not be valid.
(5) The company cannot condition the conclusion or performance of a contract on the consent to process personal data that is not necessary for the performance of that contract.
(6) Withdrawal of consent must be as easy as giving consent.
(7) If personal data is recorded with the individual’s consent, the company may continue to use the data in accordance with the law, even after the consent has been withdrawn, in order to fulfill legal obligations, without requiring further consent.
(8) The website does not intentionally collect data from minors (under the age of 16). If any data from minors is collected, it will be deleted immediately once the company becomes aware of it.
2. Data management based on legal obligations
(1) When data is processed based on legal obligations, the scope of data, purpose of processing, retention period, and data recipients are defined by the law.
(2) Data management based on legal obligations does not depend on the individual's consent, as the law mandates such data processing. The individual must be informed of the mandatory nature of data collection and all facts related to the processing, particularly the purpose and legal basis for processing, the entities that have the right to process the data, the retention period, and who has access to the data. The notice must also include the individual's rights and the means of exercising those rights in relation to data processing. The notice may also include references to legal provisions containing this information.
3. Promotion of the rights of the data subject
The company is obligated to ensure that individuals can exercise their rights related to data management at all stages of processing.
CHAPTER IV – DATA MANAGEMENT OF WEBSITE VISITORS – COOKIE NOTICE
1. Website visitors must be informed about the use of cookies, and consent must be obtained for all cookies that are not technically necessary.
2. General information about cookies
2.1. A cookie is a piece of data that the visited website sends to the visitor’s browser (in the form of a variable value) for storage, and later the same website can retrieve the cookie’s content. Cookies can remain valid until the browser is closed or for an unlimited period. During each HTTP(S) request, the browser sends these cookies back to the server.
2.2. The purpose of cookies is to identify the user (e.g., during login) so that the user can be recognized during future sessions. The risk lies in the fact that users are not always aware that cookies are tracking their activity, enabling the website owners or third parties (e.g., Facebook, Google Analytics) to monitor the user’s behavior and create profiles. In such cases, the content of the cookie is treated as personal data.
2.3. Types of cookies:
2.3.1. Technically necessary session cookies: Without these cookies, websites are not functional; they are used to identify users (e.g., what the user added to their cart). These cookies store the session ID, while other data is stored on the server.
2.3.2. User-friendly cookies: These cookies remember the user’s preferences (e.g., how the user wants to view the website). They store settings in the cookies.
2.3.3. Performance cookies: These cookies collect information about the user’s behavior, such as clicks and time spent on the website. These cookies are usually provided by third-party applications (e.g., Google Analytics, AdWords).
2.4. Accepting cookies is not mandatory. You can set your browser to automatically reject cookies or notify you before sending cookies. Most browsers automatically accept cookies by default, but these settings can usually be changed to prevent automatic acceptance and to offer the user the choice of accepting or rejecting cookies each time.
Please see the links below for cookie settings in the most popular browsers:
• Google Chrome: Chrome support
• Firefox: Firefox support
• Microsoft Internet Explorer 11: Microsoft support
• Microsoft Internet Explorer 10: Microsoft support
• Microsoft Internet Explorer 9: Microsoft support
• Microsoft Internet Explorer 8: Microsoft support
• Microsoft Edge: Microsoft support
• Safari: Apple support
However, it should be noted that certain site functions or services may not operate properly without cookies.
3. Information about cookies used on the company’s website and data collected during the visit
3.1. Data managed during the visit
The website of our company may collect and process the following information about the visitor or the device they are using:
- The visitor’s IP address,
- The type of browser,
- The characteristics of the operating system on the visitor’s device (language settings),
- The time of the visit,
- (Sub)pages, features, or services visited,
- Clicks.
This data is stored for up to 90 days and is primarily used to investigate security incidents.
3.2. Cookies used on the website
3.2.1. Technically necessary session cookies
The purpose of processing this data is to ensure the proper functioning of the website. These cookies are necessary for visitors to seamlessly browse the site and use all of its features, including – in particular – visitor comments or identifying a logged-in user during the visit. This type of cookie is valid only during the current visit and is automatically deleted when the session ends or when the browser is closed.
The legal basis for processing this data is Article 13/A, paragraph (3) of Law CVIII of 2001 on Electronic Commerce and Information Society Services, which allows service providers to process personal data necessary for providing the service. If other conditions remain unchanged, the service provider must choose tools that minimize personal data processing to what is strictly necessary for providing the service and fulfilling legal obligations.
3.2.2. User-friendly cookies
These cookies remember user choices, such as display settings for the website. They store settings within the cookies.
The legal basis for processing this data is the visitor’s consent.
The purpose of processing this data is to improve service efficiency, enhance user experience, and enable easier use of the site.
This data is stored on the user’s computer, and the website accesses it to recognize the visitor.
3.2.3. Performance cookies
This type of cookie collects information about user behavior, the time spent on the site, and the number of clicks. These cookies are typically provided by third-party applications (e.g., Google Analytics, AdWords).
The legal basis for processing this data is the user’s consent.
The purpose of processing this data is to analyze the website’s performance and send promotional offers.
CHAPTER V – STATEMENT ON THE RIGHTS OF THE DATA SUBJECT
I. Rights of the data subject, summarized:
- Transparent information, communication, and methods for exercising the rights of the data subject
- The right to prior information when collecting data
- The right to information when data is not collected directly from the person
- The right to access data
- The right to correct data
- The right to delete data ("right to be forgotten")
- The right to restrict data processing
- The obligation to inform about corrections or deletion of data or restriction of processing
- The right to data portability
- The right to object to data processing
- The right not to be subject to automated decision-making, including profiling
- Restrictions
- Notification of data security breaches
- The right to lodge a complaint with the supervisory authority
- The right to effective legal remedies against the supervisory authority
- The right to effective legal remedies against the controller or processor
II. Rights of data subjects, in detail:
1. Transparent information, communication, and modalities for exercising the rights of data subjects
1.1. The controller is obliged to take appropriate measures to provide data subjects with all the necessary information regarding the processing of their data in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, especially in the case of information intended for children. The information is provided in writing or by other means, including electronic format when appropriate. Upon the data subject’s request, the information can also be provided orally, provided the identity of the data subject is reliably verified.
1.2. The controller facilitates the exercise of the data subjects' rights.
1.3. The controller is required to provide information on the measures taken in response to the data subject's request without undue delay, and in any case within one month of receiving the request. If necessary, the deadline may be extended by two additional months, with the data subject being informed of the extension within the original timeframe.
1.4. If the controller does not act on the data subject's request, they must inform the data subject of the reasons for the refusal within one month and inform them of their right to file a complaint with a supervisory authority and seek legal remedies.
1.5. Information, communication, and actions taken are provided free of charge, except in cases specified by the Regulation, where the controller is authorized to charge a reasonable fee.
Detailed rules are outlined in Article 12 of the Regulation.
2. Right to be informed prior to data collection
2.1. When the controller collects personal data directly from the data subject, they are obliged to provide the data subject with the following information:
a) The identity and contact details of the controller and, where applicable, their representative;
b) Contact details of the data protection officer, if applicable;
c) The purpose of the processing and the legal basis for the processing;
d) If the processing is based on the legitimate interests of the controller or a third party, details of those interests;
e) The recipients or categories of recipients of the personal data, if any;
f) Where applicable, information about the transfer of data to third countries or international organizations.
2.2. In addition to this information, the controller must provide additional information necessary to ensure fair and transparent processing, including:
a) The period for which the data will be stored or the criteria used to determine that period;
b) Information about the rights of the data subject, including the right to access, rectify, erase, restrict processing, object to processing, and the right to data portability;
c) If the processing is based on consent, the right to withdraw consent at any time;
d) The right to file a complaint with a supervisory authority;
e) Whether providing personal data is a legal or contractual requirement and the possible consequences of failing to provide the data;
f) The existence of automated decision-making, including profiling, and meaningful information about the logic involved and the consequences of such processing.
2.3. If the controller intends to further process the data for purposes other than those for which the data was originally collected, they are required to inform the data subject of the new purpose and relevant information before further processing.
Detailed rules are outlined in Article 13 of the Regulation.
3. Information provided when data is not collected directly from the data subject
3.1. When personal data is not collected directly from the data subject, the controller must inform the data subject of all relevant information, including the source of the data, no later than one month after obtaining the data, or at the time of first contact with the data subject, or before transferring the data to third parties.
3.2. Other information requirements are the same as those specified in point 2 (Right to be informed prior to data collection).
Detailed rules are outlined in Article 14 of the Regulation.
4. Right of access to data
4.1. The data subject has the right to obtain confirmation from the controller as to whether their personal data is being processed, and if so, the right to access that data and the information specified in points 2 and 3 (Article 15 of the Regulation).
4.2. If the data is transferred to a third country or international organization, the data subject has the right to be informed about the appropriate safeguards.
4.3. The controller provides a copy of the processed personal data, and for additional copies, they may charge a reasonable fee.
Detailed rules are outlined in Article 15 of the Regulation.
5. Right to rectification
5.1. The data subject has the right to request the rectification of inaccurate data without undue delay.
5.2. The data subject also has the right to have incomplete data completed, including by providing a supplementary statement.
These rules are outlined in Article 16 of the Regulation.
6. Right to erasure ("right to be forgotten")
6.1. The data subject has the right to request the erasure of data, and the controller is obliged to erase the data without undue delay if any of the following conditions are met:
a) The data is no longer necessary for the purposes for which it was collected;
b) The data subject has withdrawn their consent, and there is no other legal basis for processing;
c) The data subject has objected to processing, and there are no overriding legitimate grounds for the processing;
d) The data was processed unlawfully;
e) The data must be erased to comply with a legal obligation;
f) The data was collected in relation to the provision of information society services to a child.
6.2. The right to erasure does not apply if the processing is necessary for:
a) Exercising the right to freedom of expression and information;
b) Compliance with a legal obligation;
c) Public interest in the area of public health;
d) Archiving purposes in the public interest, scientific research, or statistical purposes;
e) The establishment, exercise, or defense of legal claims.
Detailed rules regarding the right to erasure are outlined in Article 17 of the Regulation.
7. Right to restrict processing
7.1. If processing is restricted, personal data may only be processed with the consent of the data subject, except for storage, or for the establishment, exercise, or defense of legal claims, or to protect the rights of another natural or legal person, or for reasons of significant public interest of the Union or a Member State.
7.2. The data subject has the right to request the restriction of processing by the controller if one of the following conditions is met:
a) The data subject contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the data;
b) The processing is unlawful, and the data subject opposes the erasure of the data and requests the restriction of its use instead;
c) The controller no longer needs the personal data for processing purposes, but the data subject requires them for the establishment, exercise, or defense of legal claims; or
d) The data subject has objected to the processing and is awaiting verification of whether the legitimate reasons of the controller override those of the data subject.
7.3. A data subject who has obtained restriction of processing will be informed by the controller before the restriction is lifted.
Detailed rules regarding this right are contained in Article 18 of the Regulation.
8. Obligation to notify about rectification, erasure, or restriction of processing
The controller is obliged to inform each recipient to whom personal data has been disclosed about any rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort. At the request of the data subject, the controller must inform them about these recipients.
Detailed rules are contained in Article 19 of the Regulation.
9. Right to data portability
9.1. The data subject has the right to receive their personal data, which they have provided to a controller, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another controller without hindrance from the controller to whom the data were provided, provided that:
a) The processing is based on consent or a contract; and
b) The processing is carried out by automated means.
9.2. The data subject has the right to have their personal data transmitted directly from one controller to another, where technically feasible.
9.3. Exercising this right must not adversely affect the rights and freedoms of others.
Detailed rules are contained in Article 20 of the Regulation.
10. Right to object
10.1. The data subject has the right to object at any time to the processing of their data, which is based on Article 6(1)(e) or (f), including profiling. The controller must no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
10.2. If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their data for such marketing, including profiling related to direct marketing. If the data subject objects, the personal data must no longer be processed for these purposes.
10.3. The data subject must be clearly informed of the right to object no later than at the first communication.
10.4. The data subject may exercise their right to object by automated means using technical specifications.
10.5. Where personal data is processed for scientific or historical research or statistical purposes, the data subject has the right to object to the processing of their data, unless the processing is necessary for a task carried out for reasons of public interest.
Detailed rules are contained in Article 21 of the Regulation.
11. Automated decision-making, including profiling
11.1. The data subject has the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
11.2. This right does not apply if the decision:
a) Is necessary for entering into, or the performance of, a contract between the data subject and the controller;
b) Is authorized by Union or Member State law; or
c) Is based on the explicit consent of the data subject.
11.3. In cases referred to in points (a) and (c), the controller will implement appropriate measures to safeguard the data subject's rights, freedoms, and legitimate interests, including the right to obtain human intervention, express their point of view, and contest the decision.
Detailed rules are contained in Article 22 of the Regulation.
12. Restrictions
On the basis of Union or Member State law, legal measures may restrict the scope of the rights provided in Articles 12 to 22 and Article 34 if such restrictions respect the essence of the fundamental rights and freedoms.
Detailed rules on restrictions are contained in Article 23 of the Regulation.
13. Notification of a data breach
13.1. If a data breach is likely to result in a risk to the rights and freedoms of individuals, the controller must notify the data subject of the breach without undue delay. The notification must contain at least the following information:
a) The name and contact details of the data protection officer or other contact points where more information can be obtained;
b) A description of the likely consequences of the breach;
c) A description of the measures taken or proposed by the controller to address the breach, including, where appropriate, measures to mitigate its adverse effects.
13.2. Notification is not required if:
a) The controller has implemented appropriate technical and organizational protection measures (e.g., encryption);
b) Subsequent measures have been taken to eliminate the risk; or
c) Notification would involve disproportionate effort, in which case a public communication or similar measure should be used to inform the data subjects in an equally effective manner.
Detailed rules are contained in Article 34 of the Regulation.
14. Right to lodge a complaint with a supervisory authority
Every data subject has the right to lodge a complaint with a supervisory authority if they believe that the processing of their personal data violates the Regulation. The supervisory authority will inform the complainant of the outcome.
These rules are contained in Article 77 of the Regulation.
15. Right to a judicial remedy against a supervisory authority
15.1. Every data subject has the right to a judicial remedy against a legally binding decision of a supervisory authority.
15.2. The data subject has the right to a judicial remedy if the supervisory authority does not handle the complaint within three months.
15.3. Proceedings shall be brought before the courts of the Member State where the supervisory authority is established.
These rules are contained in Article 78 of the Regulation.
16. Right to a judicial remedy against a controller
16.1. The data subject has the right to a judicial remedy if they believe that their rights have been infringed as a result of the processing of their personal data in violation of the Regulation.
16.2. Proceedings shall be brought before the courts of the Member State where the controller or the data subject is established.
These rules are contained in Article 79 of the Regulation.