Processing of personal data

This notice was issued in accordance with the Law on the Protection of Personal Data (“Official Gazette of the RS”, No. 87/2018) (hereinafter: ZZPL) for the purpose of providing information on the processing of personal data by the Corporate Compliance Association, with headquarters in Belgrade – Savski venac, at the address Rajko Mitića 32a, name in English: Corporate Compliance Association, as a personal data handler (hereinafter: CCA or Controller), with the aim of providing legal security to the persons to whom the data refer and transparency in the processing of personal data related to them.

In the continuation of the notice, information is provided on the meaning of the terms used, the persons to whom the data refer, the purposes and legal processing of personal data, storage periods, the rights of the persons to whom the data refer, the transfer of personal data to other countries and international organizations, legal remedies for the protection of personal data in the event of a violation, as well as amendments to the Rulebook.

The meaning of the basic terms used in this notice is identical to the meaning given in the ZZPL. All other terms and concepts can be interpreted in accordance with the spirit of the ZZPL and the practice of the Commissioner for Information of Public Importance and Protection of Personal Data (hereinafter: the Commissioner).

Basic expressions:

  • Personal data – any data relating to a natural person whose identity is determined or determinable, directly or indirectly, especially on the basis of an identity marker, such as name and identification number, location data, identifiers in electronic communication networks or one, i.e. more features of his physical, physiological, genetic, mental, economic, cultural and social identity;
  • Person to whom the data refer – natural person whose personal data is processed;
  • Processing of personal data – is any action or set of actions performed automatically or non-automated with personal data or their sets, such as collection, recording, sorting, grouping, i.e. structuring, storing, adapting or changing, revealing, viewing, using , disclosure by transmission, i.e. delivery, reproduction, dissemination or otherwise making available, comparing, limiting, deleting or destroying;
  • Data collection – any structured set of personal data that is available in accordance with specific criteria, regardless of whether the collection is centralized, decentralized or classified on functional or geographical grounds;
  • Controller – a natural or legal person, i.e. the authority that independently or together with others determines the purpose and method of processing. The law that determines the purpose and method of processing can also determine the operator or prescribe the conditions for its determination;
  • Processor – natural or legal person, i.e. authority that processes personal data on behalf of the controller;
  • Recipient – a natural or legal person, i.e. a government body to which personal data has been disclosed, regardless of whether it is a third party or not, unless it is a government body that, in accordance with the law, receives personal data as part of the investigation of a specific case and process this data in accordance with the rules on the protection of personal data related to the purpose of processing;
  • Third party – a natural or legal person, i.e. a government body, which is not the person to whom the data refer, the handler or the processor, as well as the person who is authorized to process personal data under the direct supervision of the handler or processor;
  • Consent – any voluntary, definite, informed and unequivocal expression of the will of the person to whom the data refer, whereby that person, by statement or clear affirmative action, gives consent to the processing of personal data relating to him;
  • Breach of personal data – breach of security of personal data that leads to accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to personal data that has been transferred, stored or otherwise processed;
  • Making available – any action that makes content available to third parties, the general public or government authorities;

This notice applies to the following persons, to whom the personal data processed by CCA relate:

  • natural persons and representatives of legal entities who are interested in membership and who are in communication with CCA on their own initiative, or on the initiative of CCA;
  • natural persons and representatives of legal persons who are members of CCA;
  • associates, visitors and participants of events organized by CCA;
  • visitors to the CCA website;
  • other natural persons who come into contact with CCA.

CCA collects and processes personal data as a controller for the following purposes:

  • achieving direct communication with persons who are interested in membership in CCA;
  • unhindered performance of activities and achievement of CCA goals, keeping records, contacting, notifying and determining the presence of CCA members when necessary, all in accordance with the CCA Statute and the law;
  • enabling unhindered access and use of the CCA website;
  • enabling attendance and participation in events in CCA organizations, inviting, informing and engaging, reporting and additional communication if necessary, as well as keeping records related to that purpose;
  • publishing photos and videos from the event for the purpose of reporting on the events, on the CCA website and social networks, with prior notice that the event itself will be recorded, i.e. that participants will be photographed.

CCA processes personal data in accordance with the principles of processing prescribed by ZZPL:

  • Legality, honesty and transparency – personal data will be processed legally, fairly and transparently in relation to the person to whom the data refer. Legal processing is processing that is carried out in accordance with the Law, that is, another law that regulates processing;
  • Limitation in relation to the purpose of processing – personal data is collected for purposes that are specifically determined, explicit, justified and legal and still cannot be processed in a way that is not in accordance with those purposes;
  • Minimization of data – personal data will be appropriate, essential and limited to what is necessary in relation to the purpose of processing;
  • Accuracy – Personal data will be accurate and, if necessary, updated. Taking into account the purpose of the processing, all reasonable measures must be taken to ensure that inaccurate personal data is deleted or corrected without delay;
  • Limitation of storage – personal data will be stored in a form that enables the identification of the person only for the period necessary to achieve the purpose of the processing;
  • Integrity and confidentiality – personal data will be processed in a way that ensures adequate protection of personal data, including protection against unauthorized or illegal processing, as well as against accidental loss, destruction or damage by applying appropriate technical, organizational and personnel measures;
  • Responsibility for action – the responsibility of the CCA to be able to demonstrate the application of the aforementioned principles.

CCA processes the minimum personal data that is necessary to achieve the above processing purposes:

  • general data for identification, contact and communication (name, middle name or middle name initial if necessary, surname, phone number, e-mail address, gender, etc.);
  • data on education and professional experience (educational profile, level and institution of education, employment status, name of employer (current, previous), personal and business skills relevant to the activity and achievement of CCA’s goals, other relevant data contained in the professional curriculum vitae (CV ) which person specified and provided CCA, etc.)
  • data that are necessary for the performance of a status or contractual obligation (employment status, address of residence/residence if necessary, date of birth, JMBG, number of identification document, signature, account number, amount of the agreed remuneration, evaluation of the fulfillment of what was agreed upon and what will be person executed for CCA, etc.);
  • personal data collected from publicly available sources (eg register of business entities, media, internet, real estate cadastre), for a specific permitted purpose in accordance with an adequate legal basis;
  • data originating from the IT equipment used by individuals when visiting and viewing the CCA website (data on consent given for cookies, possible network identification, device, user account data in case of access to the forum or another part of the CCA website, etc.);
  • photos, videos and posts from events that contain personal data.

CCA collects personal data directly from the persons to whom the data refer, and from publicly available sources only if the conditions specified in the section relating to types of data are met.

CCA carries out the following processing operations: collection, use, recording, storage, classification, disclosure by delivery or transmission, verification and updating, duplication, making available, comparison, access restriction, erasure and destruction and other operations that are performed and necessary for the performance activities and achieving goals.

CCA stores personal data as long as it is necessary to achieve the purpose of processing, and if it is prescribed by law or acts passed on the basis of law, as long as it is determined, after which the data is anonymized or deleted.

If CCA acted as a processor, it would carry out the storage and deletion of personal data exclusively on the basis of tasks entrusted by a legally binding legal act and in accordance with the orders of the operator, i.e. in accordance with the rules prescribed by law if so regulated.

When it comes to the legal basis, i.e. legality of processing, CCA processes personal data in order to:

CCA lawfully processes data when it performs the processing in order to:

  • compliance with obligations prescribed by law;
  • execution of the contract concluded with the person to whom the data refer or for undertaking actions at the request of the person to whom the data refer, before the conclusion of the contract;
  • based on the consent of the person whose data is being processed;
  • realization of CCA’s legitimate interests.

If CCA intends to process personal data on the basis of consent, the person to whom the data refers will, before the start of processing, deliver a written notice containing all necessary information regarding the specific processing, in accordance with the ZZPL. The request for consent will be clearly presented, in an understandable and easily accessible form, as well as with the use of clear and simple words, and in such a way that it stands out from other issues if they are included in the written statement. The person to whom the data refers has the right to revoke his consent at any time, and the revocation of consent does not have retroactive effect, i.e. does not affect the permissibility of the processing that was carried out until the moment of revocation.

The rights of persons to whom the data refer

  • right of access and other access-related rights;
  • the right to correction, amendment, deletion and limitation of processing;
  • the right to portability of personal data, if it is technically feasible, if the processing is done automatically and on the basis of a contract or consent;
  • the right to be informed about the correction, limitation, deletion and portability of data;
  • the right to object to processing;
  • the right to object to the automated making of individual decisions, if CCA will carry out such processing and if such a decision may produce legal consequences or that decision affects the position of the person to whom the data refer.

If the CCA automatically makes individual decisions that may produce legal consequences or affect the position of a person, this notice will be supplemented in that regard.

CCA will always assist the data subject in exercising his rights, regardless of whether he acts as a handler or processor, providing him with all the necessary

information without delay and informing him about his actions, that is, his failure to act.

CCA will inform the person to whom the data refers about the action based on the request for exercising the right to access personal data, the right to correction and amendment, the right to delete personal data, the right to be informed in connection with the correction or deletion of data and the restriction of processing , the right to transfer data, the right to object and the right to object to the automated making of individual decisions without delay, and at the latest within 30 days from the date of receipt of the request. This deadline may be extended by another 60 days if necessary, taking into account the complexity and number of requests received by the CCA from the applicant.

Recipients of personal data handled by CCA can be competent state authorities, banks in case of payment of contracted fees, other organizers of events attended or participated by CCA members as well as collaborators with whom CCA has a contractual relationship, as independent handlers or processors.

CCA undertakes appropriate technical, organizational and personnel measures, in order to ensure the effective application of the principles of protection of personal data and processing in accordance with the ZZPL, taking into account the nature, scope, circumstances and purpose of processing, as well as the probability of occurrence of risk and the level of risk to rights and freedom of natural persons.

Protection measures are aligned with the level of technological achievements and the costs of their application, the nature, scope, circumstances and purpose of processing, as well as the probability of occurrence of risk and the level of risk for the protection of personal data.

CCA undertakes protection measures so that any natural person who is authorized to access personal data processes data only at the behest of CCA or if required to do so by law, ensuring that without the participation of a natural person, personal data cannot be made available to an unlimited number of natural persons.

If the person to whom the data refers wishes to file a complaint about the CCA’s actions in relation to his/her data, below are the contact details of the Commissioner, the authority responsible for supervising the implementation of the ZZPL and performing other tasks prescribed by that law: address of the headquarters – Bulevar Kralja Aleksandra 15, 11120 Belgrade; email address: office@poverenik.rs ; phone: +381 11 3408 900 .

CCA does not have a designated person for the protection of personal data, and for all questions, requests for the exercise of rights and additional information of the person to whom the data refer, you can contact the e-mail address: office@cca.rs, or the address of the headquarters in Belgrade, municipality Savski venac, Rajka Mitića street 32a.

CCA does not transfer data to another country or international organization, and if it does, data transfer will be done in accordance with the provisions of the ZZPL, in which part this notice will also be supplemented.

CCA reserves the right to make changes and additions to this notice in accordance with the relevant regulations, and all issues not regulated by this notice are subject to the ZZPL as well as other relevant regulations containing provisions on the processing and protection of personal data.

In Belgrade, on September 21, 2023. years

©Copyright 2024 | Corporate Compliance Association | All rights reserved

Secretary of the association

Chairman and member of the Supervisory Board