Annex 1 – Rulebook on data management
STATEMENT ON DATA MANAGEMENT LINKED WITH THE RIGHTS OF NATURAL PERSONS REGARDING PERSONAL DATA MANAGEMENT
CHAPTER I – NAME OF THE DATA CONTROLLER
CHAPTER II – NAME OF THE DATA PROCESSOR
IT provider of our company
CHAPTER III – SECURING CONFORMITY OF DATA MANAGEMENT WITH THE LAW
Data management based on the consent of the data subject
Data management based on the performance of legal obligations
Promotion of the rights of data subjects
CHAPTER IV – DATA MANAGEMENT OF VISITORS TO THE COMPANY'S WEB PAGE – STATEMENT ON THE USE OF COOKIES
CHAPTER V – STATEMENT ON THE RIGHTS OF THE PERSONS THE DATA REFER TO
Pursuant to DIRECTIVE 2016/679 of the EUROPEAN PARLIAMENT AND COUNCIL (EU) (hereinafter: the Directive) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, the data controller must take certain steps to provide the person whose data are collected with all mandatory information regarding personal data management in a concise, clear, transparent, understandable and easily accessible form, and to secure the conditions for the exercise of the rights of the persons whose data are collected.
The obligation to inform the person in advance is already prescribed by Act CXII of 2011 on the right to informational self-determination and freedom of information.
The text below is intended to fulfil the obligations imposed by the aforementioned laws and directives.
This information shall be posted on the company's web page, or sent to the person whose data are collected upon request.
NAME OF THE DATA CONTROLLER
Editor of this information – Data controller
Name of the company: Special hospital for rehabilitation GEJZER
Head office: Srbija, Kralja Milana 16, Sijarinska Banja
NAME OF THE SUBJECT HANDLING DATA
Editor of this information – Data manager
Name of the company: Special hospital for rehabilitation GEJZER
Headquarter: Srbija, Kralja Milana 16, Sijarinska Banja
Registration no.: 07207883
Tax ID: 101465084
Responsible person: Marko Savić
Telephone: +381 60 74 71 226
NAME OF THE DATA PROCESSOR
Data processor: a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller (Directive, Article 4, item 8).
Engaging a data processor does not require the prior consent of the data subject, but the data subject must be informed of it. In accordance with this, we give the following information:
IT Provider of the Company
For the maintenance and management of its web page the Company uses the services of a data processor that provides IT services and, within the framework of those services and according to the contract between the two parties, manages the personal data submitted on the web page by archiving those data on its server.
Name and data of the data processor
Name: ErdSoft doo
Head office: 24000 Subotica, Somborski put 33/a, Srbija
Registration number: 213546619
Tax ID number: 1100478829
Representative: Daniel Erdudac
Telephone: +381 60 44 60 555
SECURING CONFORMITY OF DATA MANAGEMENT WITH THE LAW
Data management based on the consent of the data subject
If the Company wants to manage data on the basis of consent, it must request the consent of the person whose data will be managed using the application form whose content is determined in the Rulebook on data management.
Consent is also deemed given when the user ticks the box requesting consent to data processing on the Company's web page, makes the related technical settings for the use of the IT company's services, or makes any other statement or performs any other act that clearly indicates the person's consent to the planned management of personal data. Silence, a box ticked in advance, or a failure to act shall not be deemed consent.
Consent covers all data management actions carried out for the same purpose or purposes. If data management serves several different purposes, consent must be requested for all of those purposes.
If the person gives consent within a written statement that also concerns other matters (for example a sale or the conclusion of a service agreement), the request for consent must be presented in a manner that is clearly distinguishable from those other matters, in a simple, understandable and easily accessible form. Any part of such a statement that contains the person's consent but does not conform to the Directive is not binding.
The Company may not make the conclusion or performance of a contract conditional on consent to the management of personal data that are not necessary for the performance of that contract.
Withdrawing consent shall be as easy as giving it.
Where personal data were recorded on the basis of the person's consent, the data controller may, unless the law provides otherwise, use the recorded data without any further consent in order to fulfil a legal obligation, even after the person has withrawn consent.
The web page shall not collect the data of minors (under 16). If the data of a minor are nevertheless stored, they shall be deleted without delay as soon as this fact becomes known.
Data management based on the performance of legal obligations
Where data management is based on the performance of a legal obligation, the scope of the data, the purpose of data management, the retention period and the recipients of the data are stipulated by the legal provisions.
Data management based on the performance of a legal obligation does not depend on the person's consent, since the data management is prescribed by law. In this case the person must be informed, prior to data collection, that the collection of the data is mandatory, and must receive a detailed and clear explanation of all facts relating to the management of his or her data, in particular the purpose and legal basis of the processing, the controller entitled to manage the data, the duration of data management, the fact that the management of the personal data is in accordance with the provisions of the law, and who may have access to the data. The information must also cover the person's rights and the ways in which those rights can be exercised in relation to personal data management. In the case of mandatory data management, the publication of a reference to the legal acts containing the aforementioned information may also be deemed sufficient information.
Promotion of the rights of data subjects
The Company is obliged, in all of its data management activities, to ensure that the data subject can exercise his or her rights.
DATA MANAGEMENT OF VISITORS TO THE COMPANY'S WEB PAGE – STATEMENT ON THE USE OF COOKIES
Web page visitors must be informed about the use of cookies, and the visitor's consent must be requested for all cookies except the technically necessary session cookies.
2. General information about cookies
A cookie is a piece of data that the visited web page sends to the visitor's web browser (in the form of a variable) for storage, and whose content the same web page can later read back. Cookies can be valid until the browser is closed, but also for an indefinite period of time. With each subsequent HTTP(S) request the browser sends this information back to the server, which may in turn change the data stored on the user's device.
The essence of cookies is to mark and identify the user (for example, on logging in to the page) and to treat that user appropriately on all later requests. The risk lies in the fact that the user is not always aware that the cookies identify him, which gives the site owner, or another provider whose content is embedded in the page (for example Facebook, Google, or Analytics), the opportunity to track the user. During such tracking a profile of the user is created, and in these cases the content of the cookies is treated as personal data.
Technically necessary session cookies: without these the web page is simply not functional; they are used to identify the user when logged in to the web page, to remember what was put into the basket, and so on. In this case it is usually only the session ID that is stored in the cookie, while the other data are stored on the server, which makes it safer. From a security point of view, if the value of the session cookie is not generated well, there is a risk of session theft (hijacking), so it is mandatory to generate these values correctly. In other terminology, "session cookie" means every cookie that is deleted the moment the browser is closed (a session being the use of the browser from start to exit).
Cookies that facilitate use: these are cookies able to save the user's choices, for example the form in which the user wishes to view a page. Such cookies essentially hold settings data stored in the cookie.
Performance cookies: although they have little to do with performance, this is the name for cookies that collect data about the user's behaviour, by clicks and by the time spent on the visited web page. These are usually applications of independent producers (such as the cookies of Google Analytics, AdWords or Yandex.ru). They are convenient for profiling visitors.
Learn more about cookies with Google Analytics at the following addresses:
Learn more about AdWords cookies at the following address:
Accepting or enabling cookies is not mandatory. The browser settings can be adjusted so that all cookies are automatically rejected, or so that the browser notifies the user whenever a site is sending cookies. Most browsers accept cookies by default, but the setting can usually be changed to prevent automatic acceptance and to let the user choose, each time, between accepting and rejecting a cookie.
See the links below for adjusting the cookie settings of the most popular browsers:
• Google Chrome: https://support.google.com/accounts/answer/61416?hl=rs
• Firefox: https://support.mozilla.org/sr/kb/enabling-and-disabling-cookies
• Microsoft Internet Explorer 11: https://support.microsoft.com/sr-latn-rs/help/17442/windows-internet-explorer-delete-manage-cookies#
• Microsoft Internet Explorer 10: https://support.microsoft.com/sr-latn-rs/help/17442/windows-internet-explorer-delete-manage-cookies#ie=ie-10-win-7
• Microsoft Internet Explorer 9: https://support.microsoft.com/sr-latn-rs/help/17442/windows-internet-explorer-delete-manage-cookies#ie=ie-9
• Microsoft Internet Explorer 8: https://support.microsoft.com/sr-latn-rs/help/17442/windows-internet-explorer-delete-manage-cookies#ie=ie-8
• Microsoft Edge: https://privacy.microsoft.com/sr-latn-rs/windows-10-microsoft-edge-and-privacy
However, please note that certain functions of the web site or its services may not work correctly without cookies.
Information about the cookies used on the Company's web site and about the data generated during a visit
Data managed during the visit
The Company's web site may record and manage the following information about each visitor or the device used:
Visitor`s IP address
Characteristics of the operational system on device used by visitor (configuration, language),
Time of visit
(Sub) pages, functions or services that are visited
These data are kept for up to 90 days and are used primarily for investigating security incidents.
Cookies used on the web page
Technically necessary session cookies
The purpose of data management is to ensure the correct functioning of the web page. These cookies enable visitors to browse the web page without problems and to make full use of all functions and services available through it, including in particular the comments left by visitors on certain pages and the identity of a registered user during the visit. The duration of such data management is limited to the visitor's current browsing session, and this type of cookie is automatically deleted from the user's computer when the session ends or the browser is closed.
The legal basis for this data management is Section 13/A (3) of Act CVIII of 2001 on Electronic Commerce Services and Information Society Services, under which the service provider may, in order to deliver the service, manage the personal data that are necessary for delivering it. Unless otherwise provided, service providers must select and use the tools for delivering information society services in such a way that personal data are processed only where this is necessary for delivering the service and for fulfilling the other purposes stipulated by that Act, and in that case only to the extent and for the time necessary.
Cookies that facilitate use
These cookies remember the user's choices, for example the form in which the user wants to see the page. This kind of cookie is, in fact, a piece of settings data stored in the cookie.
The legal basis for this data management is the consent given by the visitor.
The purpose of data management is to increase the efficiency of the service, improve the user experience and make the site more convenient to use.
Performance cookies
These data are placed on the user's computer; the web page merely accesses them and recognises the visitor on that basis.
This type of cookie collects information about the user's behaviour: the time spent on, and the clicks made on, the page the user is viewing at the moment. These cookies usually come with third-party applications (for example Google Analytics, AdWords).
The legal basis for data management: the consent given by the data subject.
The purpose of data management is to analyse the web page and to send promotional offers.
STATEMENT ON THE RIGHTS OF DATA SUBJECTS
Transparent information, communication and modalities for the exercise of the rights of the data subject
Right to prior information – where personal data are collected from the data subject
Information to be provided where personal data have not been obtained from the data subject
Right of access by the data subject
Right to rectification
Right to erasure (right to be forgotten)
Right to restriction of processing
Obligation to notify about the rectification or erasure of personal data or the restriction of processing
Right to data portability
Right to object
Right to appeal
Automated individual decision-making, including profiling
Communication of a personal data breach to the data subject
Right to lodge a complaint with a supervisory authority
Right to an effective judicial remedy against a supervisory authority
Right to an effective judicial remedy against a controller or processor
II. Rights of the data subject in detail
Transparent information, communication and modalities for the exercise of the rights of the data subject
The controller shall take appropriate measures to provide the data subject with all information relating to the processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
The controller shall facilitate the exercise of the data subject's rights.
The controller shall provide the data subject with information on the action taken on a request without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, and the controller shall promptly inform the data subject of any such extension.
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with the supervisory authority and seeking a judicial remedy.
Information provided, all communication and any actions taken shall be provided free of charge, but in certain cases prescribed by the Regulation a reasonable fee may be charged.
Detailed rules are found in Article 12 of the Regulation.
Right to prior information – where personal data are collected from the data subject
Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time the data are obtained, provide the data subject with the following information:
the identity and contact details of the controller and, where applicable, of the controller's representative;
the contact details of the data protection officer, where applicable;
the purposes of the processing and the legal basis for the processing;
where the processing is based on legitimate interests, the legitimate interests pursued by the controller or by a third party;
the recipients or categories of recipients of the personal data, if any;
where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation.
At the time the personal data are obtained, the controller shall provide the data subject with the following further information necessary to ensure fair and transparent processing:
the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, the right to object, and the right to data portability;
where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
the right to lodge a complaint with a supervisory authority;
whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failing to provide such data;
the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where the controller intends to further process the personal data for a purpose other than that for which they were collected, the controller shall, prior to that further processing, provide the data subject with information on that other purpose and any further relevant information.
All additional rules regarding the right to prior information are contained in Article 13 of the Regulation.
Information to be provided where personal data have not been obtained from the data subject
Where personal data have not been obtained from the data subject, the controller is obliged to provide the data subject, within a reasonable period and at the latest within one month of obtaining the data, with the facts described under point 2 together with the categories of personal data concerned and the source of the personal data, including, where applicable, whether the data came from publicly accessible sources; if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication with that data subject; or if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
The other facts and obligations stipulated under item 2 (Right to prior information) apply accordingly.
Detailed rules on this information are stipulated in Article 14 of the Regulation.
Right of access by the data subject
The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and to the information listed under items 2 and 3 (Article 14 of the Regulation).
Where personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
Detailed rules on the data subject's right of access are stipulated in Article 15 of the Regulation.
Right to rectification
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
These rules are stipulated in Article 16 of the Regulation.
Right to erasure (right to be forgotten)
The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller is obliged to erase such personal data without undue delay where one of the following conditions is met:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject has withdrawn the consent on which the processing is based, and there is no other legal basis for the processing;
the data subject has objected to the processing and there are no overriding legitimate grounds for the processing;
the personal data have been unlawfully processed;
the personal data have to be erased in order to comply with a legal obligation under Union or member state law to which the controller is subject;
the personal data have been collected in relation to the offer of information society services directly to a child.
The provisions on erasure shall not apply where the processing is necessary:
for exercising the right of freedom of expression and information;
for compliance with a legal obligation that requires processing under Union or member state law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health;
for archiving purposes in the public interest, or for historical research or statistical purposes, insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
for the establishment, exercise or defence of legal claims.
Detailed rules on the right to erasure are stipulated in Article 17 of the Regulation.
Right to restriction of processing
Where processing has been restricted, such personal data shall be processed only with the data subject's consent, except for storage, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a member state.
The data subject has the right to obtain from the controller the restriction of processing where one of the following conditions is met:
the data subject contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
the data subject has objected to the processing, pending the verification of whether the legitimate grounds of the controller override those of the data subject.
A data subject who has obtained the restriction of processing shall be informed by the controller before the restriction of processing is lifted.
Detailed rules are stipulated in Article 18 of the Regulation.
Obligation to notify about the rectification or erasure of personal data or the restriction of processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Detailed rules are stipulated in Article 19 of the Regulation.
Right to data portability
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller without hindrance from the controller to which the personal data were provided, where:
the processing is based on consent or on a contract; and
the processing is carried out by automated means.
In exercising the right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The exercise of the right to data portability shall be without prejudice to Article 17 (right to erasure, or right to be forgotten). This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This right shall not adversely affect the rights and freedoms of others.
Detailed rules are stipulated in Article 20 of the Regulation.
Right to object
The data subject has the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her which is based on Article 6(1), point (e) or (f), including profiling based on those provisions. The controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for such marketing, including profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
At the latest at the time of the first communication with the data subject, this right shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
The data subject may exercise the right to object by automated means using technical specifications.
Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, has the right to object to the processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Detailed rules are stipulated in Article 21 of the Regulation.
Automated individual decision-making, including profiling
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Paragraph 1 shall not apply if the decision is:
necessary for entering into, or performance of, a contract between the data subject and the controller;
authorised by Union or member state law to which the controller is subject and which lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
based on the data subject's explicit consent.
In the cases referred to in paragraph 2, points a) and c), the controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
Additional rules are stipulated in Article 22 of the Regulation.
Union or member state law to which the controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5, when such a restriction respects the essence of the fundamental rights and freedoms.
The conditions of these restrictions are stipulated in Article 23 of the Regulation.
Communication of a personal data breach to the data subject
When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and shall contain at least the following information and measures:
the name and contact details of the data protection officer or other contact point where more information can be obtained;
a description of the likely consequences of the personal data breach;
a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The communication to the data subject is not required if any of the following conditions is met:
the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the personal data unintelligible to any person not authorised to access them, such as encryption;
the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
Additional rules are stipulated in Article 34 of the Regulation.
Right to lodge a complaint with a supervisory authority
Every data subject has the right to lodge a complaint with a supervisory authority, in particular in the member state of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the Regulation. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy.
These rules are stipulated in Article 77 of the Regulation.
Right to an effective judicial remedy against a supervisory authority
Without prejudice to any other administrative or non-judicial remedy, each natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
Without prejudice to any other administrative or non-judicial remedy, each data subject has the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
Proceedings against a supervisory authority shall be brought before the courts of the member state where the supervisory authority is established.
Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
These rules are stipulated in Article 78 of the Regulation.
Right to an effective judicial remedy against a controller or processor
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, each data subject has the right to an effective judicial remedy where he or she considers that his or her rights under the Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with the Regulation.
Proceedings against a controller or a processor shall be brought before the courts of the member state where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the member state where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a member state acting in the exercise of its public powers.
These rules are stipulated in Article 79 of the Regulation.
Place and date: Sijarinska Banja, 01.04.2021