Company Vision Stack doo Beograd, Hercegovačka 14B, Belgrade – Savski venac, as a Controller within the meaning of Article 4 paragraph 1 item 8) of the Law on Personal Data Protection (Official Gazette of RS”, No: 86/18, hereinafter : LPDP), that is, a company who organizes the processing of personal data and determines the purpose of that processing, hereby informs business partners, employees and other persons whose personal data the company processes about all important aspects of processing such data in accordance with the provisions of the valid LPDP.
1. Categories of persons whose data are collected
The Controller collects and processes personal data concerning:
· employed persons, persons engaged outside employment or employed on other legal grounds, as well as former employees (hereinafter: Employees).
· job candidates.
· persons visiting the business premises of the Controller.
· suppliers who are natural persons/entrepreneurs – business associates and natural persons who represent business associates – who are legal entities (hereinafter: Business Partners).
· persons who follow the Controllers accounts on social networks (such as Linked-in, etc.).
· visitors to the website https://softwarehaus.io/
Hereinafter collectively referred to as the persons whose data is being processed.
2. Types of data that is being collected and processed
Controller processes personal data only to the extent necessary for the performance of his business activity and to the extent necessary for the purpose of processing. The Controller collects personal data directly from the person to whom the data relates to, or through their employers, co-contractors, business partners or, where applicable, other third parties, only to the extent necessary for the realization of specific purpose and depending on the specific category of persons whose data is being processed.
Typically, this is a minimal set of data that is necessary to accomplish a specific purpose, for example:
· from Employees, Controller collects and processes:
· the data prescribed by the applicable law governing records in the field of Labor, as well as by the laws governing social and health care and insurance of employees, and such processing is necessary in order to respect the legal obligations of the Controller within the meaning of article 12, paragraph 1, item 3) of LPDP.
· employee contact data: phone contact and email address, and such processing is necessary in order to achieve the legitimate interests of the Controller in case of emergency, within the meaning of article 12, paragraph 1, item 6) of LPDP etc., in accordance with the Special Notice for Employees.
· from job candidates, in addition to basic contact information (first name , last name, email, mobile, city and country), the Controller also collects information about vocational education and qualifications, as well as other information that is shared by that person, and such processing is necessary to take action upon request from person to whom data relates to, prior to the conclusion of the contract, for the purpose of contacting them in case of need for work engagement, within the meaning of article 12, paragraph 1, item 2) of the LPDP. The data is stored until the expiration of a period of two years since the last contacting of the Controller and the job candidate. In the event that a job candidate is hired, further processing of his or her data is done as for the category of “Employee”.
· from the persons visiting the business premises, the Controller collects and processes the recording of character through video surveillance (video surveillance recordings are automatically deleted after 30 days), and such processing is necessary in order to achieve the legitimate interests of the Controller or a third party, that is protection of people and property within the meaning of article 12 paragraph 1 item 6) LPDP, that is, it does not serve the unique identification of the person entering the business premises.
· from Business partners basic contact information is collected: name and surname, job title, contact telephone and e-mail address, and in the case of contact persons in legal entities, the name of the legal entity they represent, and the position of those persons in that legal entity, and such processing is performed for the purpose of executing a contract concluded with a legal entity within the meaning of article 12 paragraph 1 item 2) LPDP.
· from persons who follow the Controller on social media data is being collected and processed that is marked as publicly available in accordance with the policy of the specific social network, and such processing shall be done on the basis of informed consent of the data subjects within the meaning of article 12 paragraph 1 item 1) LPDP.
3. Note on special categories of data. Controller respects the processing prohibition, which is used to revels rase or ethnic origin, political opinion, religious or philosophical beliefs or trade union membership, as well as processing of genetic data, biometric data for the purpose of unique identification of a person, health status or sexual life or sexual orientation data of a natural person referred to in article 17, paragraph 1 of the LPDP.
Exceptionally, Controller can process certain data under that category, namely special categories of employee personal data, to the extent that the processing of such data is prescribed by applicable law governing records in the field of labor, as well as the laws governing social and health care, for the purpose of fulfilling obligations or exercising the authorizations of the Controller or the person to whom data relates in the field of labor, social security and social protection in accordance with article 17, paragraph 2, item 2) of the LPDP. For example, the Law on Labor Records prescribes the keeping of records in the field of work that may contain specific categories of data.
4. Means of data collecting
Controller collects personal data either directly from the person to whom data relates to or through their employers, co-contractors, business partners or, where applicable, other third parties (for example from the Infostud website in relation to the personal data of the job candidate). When it does not obtain data directly from the person to whom data relates to, the Controller will be informed in advance whether the person that is giving the data is authorized to forward the data to the Controller. Person that is giving the data shall be obliged to inform the person to whom data relates too of all relevant aspects of processing in accordance with article 24 of the LPDP, that is to instruct such persons to familiarize themselves with this Notice.
5. Legal ground of processing
Controller personal data processing preforms on basis of:
· informed consent of the person to whom data relates to within the meaning of article 15 of the LPDP. In the case of processing based on informed consent, the person whose data is being processed is authorized to revoke that consent at any time, the revoke shall entail the termination of any further processing, provided that it does not affect the processing carried out up to that point, in accordance with item 11 of this Notice.
· for the purpose of executing the agreement concluded with the person to whom data relates to or taking measures at the request of the person to whom data relates to prior to the conclusion of the agreement, within the meaning of article 12, paragraph 1, item 2) of the LPDP;
· for the purpose of fulfilling legal obligations, within the meaning of article 12 paragraph 1 item 3) of LPDP, or
· for the purpose of fulfilling the legitimate interests of the Controller or third party, within the meaning of article 12, paragraph 1, item 6) of the LPDP, all depending on the category of personal data being processed and the purpose of processing personal data.
The legal basis depends on the category of person to whom the data relates too (see the legal basis for each category of person in point 2 of this Notice) and on the specific purpose of the processing (see point 6). The processing of special categories of data shall be carried out in the manner described in point 3 of this Notice.
6. Purpose of processing
Depending on category of persons whose data is being processed, personal data processing is done for:
· establishment of employment relation or other type of employment engagement (processing is performed to execute an agreement concluded with the person to whom data relates to or to take action at the request of the person to whom data relates to prior to the conclusion of the agreement) and refers to job candidates until the expiration of a specific competition.
· fulfilment of the legal obligations concerning the Employees (processing is performed in order to fulfil the obligations prescribed by the laws governing the records in the field of labor, as well as social and health insurance), and it relates to the Employees.
· ensuring the security of the business premises and for the purposes of video surveillance (processing is carried out to fulfil the legitimate interests of the Controller or third party), refers to the following categories of persons whose data are processed:
– Persons visiting the business premises of the Controller.
· informing the persons whose data are processed on the activities of the Controller, promoting the activities of the Controller and sending advertisement messages through the various communication methods available (sending promotional materials and periodic announcements – Newsletter, etc.). Such processing is done on the basis of informed consent of the person.
7. Means of data storage
The personal data shall be stored and protected by the Controller in his internal records, in paper and/or electronic form, in relation to which he applies all necessary organizational, technical and personnel protection measures in accordance with the requirements of the applicable LPDP (see item 9). Internal records (so-called records of processing activities), for each category of persons whose data is being processed, the Controller keeps in accordance with the requirements of article 47 of the LPDP.
8. Rights of person whose data is being processed
Person whose data is being processed has the following rights:
· the right to request processing information (articles 23 and 24 of LPDP).
· the right to request access to personal data from the Controller (article 26 of LPDP).
· the right to request the correction, supplementation or deletion of personal data, as well as the limitation of processing (article 29, 30, 31 and 33 of LPDP).
· the right to data transferability (article 36 of LPDP).
· the right to process complaints (articles 37-39 of LPDP).
· the right to file a complaint with the Commissioner for access to information of public importance and protection of personal data, the right to judicial protection, as well as the right to compensation for damages in cases of unlawful processing (articles 82, 84 and 86 of LPDP).
· other rights guaranteed by the applicable LPDP.
Request for exercising rights is available in the work premises of Controller and is issued upon request.
In relation to the exercise of his/her rights, the Controller shall provide the person whose data is being processed with all necessary assistance, all in accordance with the conditions and in the manner prescribed by the applicable LPDP.
9. Security measures
In relation to personal data, the Controller applies all necessary organizational, technical and personnel protection measures, including but not limited to:
· restriction of physical access to the system where the personal data is stored, which in particular implies that the server on which the data is stored is protected by a “rack”, which is kept only by authorized persons.
· control of access to data, physical and electronic access is only for authorized persons, on the principle Need to Know – only those persons whose jobs require access to records. In addition, as far as electronic access is concerned, it is only possible for authorized persons, and only with the knowledge of a password that changes periodically and which respects valid industry recommendations regarding password formation (combination of lower and uppercase letters, characters, appropriate lengths, etc.).
· control of data entry, which implies that only the authorized person collects personal data and stores them in the records.
· control of data transmission, which implies that the transfer to any authorized person (for example, the Processor) is done only by the usual protected forms of communication.
· other information security measures, in line with best industry practice.
· all other measures necessary to protect personal data.
10. Processors and/or recipients of data
The Controller may also supply personal data to third parties, some of which are processors, and some are recipients of the data. Processor within the meaning of Article 4, paragraph 1, item 9) of LPDP is a natural or legal person, or authority that processes personal data on behalf of the Controller, while the recipient of the data is a natural or legal person or authority to which the personal data have been disclosed, regardless whether it is a third party or not.
Category of Processors that can have access to personal data:
· Video surveillance service providers.
· Accounting agencies.
· Other persons who perform certain processing operations on behalf of the Controller.
Recipients of the data may also be state bodies authorized to access personal data, or who are authorized to be disclosed with such data, but only to the extent and in the manner prescribed by law.
The Controller has with each Processor a data processing agreement, which regulates all relevant issues regarding the processing operations performed by the Processor, including his obligations regarding that specific processing, with the Controller remaining responsible to the person to whom data relates.
Recipients are obliged to access and process the data in a manner that respects their obligations as stipulated by the LPDP and other applicable law.
11. Time limit of data storage
The data shall be stored for a period in which it is necessary to carry out a specific purpose. In relation to the specific categories of persons whose data is being processed:
· employee data is stored permanently in accordance with the obligations of the law governing records in the field of Labor.
· data collected for the purpose of executing the concluded agreement are stored for a period of 10 years (the general time limit for the statute of limitation of claims), or for another time limit if it is provided by law or internal procedures and regulations.
• data retained on the basis of informed consent are stored until the specific purpose has been exhausted, or until the consent is revoked within the meaning of article 15, paragraph 3 of the LPDP, which also signifies the automatic termination of further processing of personal data, within 5 days from the date of sending that revoke, and the data itself is deleted or anonymized.
· video surveillance footage is stored for 30 days after which it is automatically deleted.
The Controller, through his website, processes and uses the so-called Cookies.
Cookies are data that are stored on the computer (or other device) of website user (website visitor) and which enable monitoring and analysis of user behaviour on the website.
Cookies usually do not lead to the discovery of the identity of a specific user. In case that they identify the user, Cookies represent personal data, and therefore all points of this Notice that regulate the processing of personal data apply to them.
Cookies can be removed by changing the settings in your internet browser (internet Explorer, Firefox, Chrome, Opera, etc.). You can delete stored cookies from your internet browser, provided that removing individual cookies may reduce the functionality of the Internet site.
The Controller uses the following types of cookies:
· Cookies that are necessary for the functioning of the website (Necessary Cookies), the removal of such cookies leads to the impossibility of using the website or certain parts of it.
· Performance Cookies, which provide information about visitors and how our users use our website, for example the number of visits, information about the frequency of visits to a particular page, etc. This information does not identify the user visiting the website, and helps the Controller to improve the performance of their own website and provide a better user experience.
13. Special notification on processing
Given the specificity of the purpose that the collection and processing of data should achieve and in relation to the legal basis, the Controller shall, as appropriate, in relation to such processing, inform the persons to whom data relates to of all its specificities (Special Notice). Such notice and this General Notice will apply to such processing.
14. Additional information on personal data processing
Any additional questions regarding the processing of personal data, including the manner of exercising the rights of persons whose data is being processed, can be directed to the e-mail address: firstname.lastname@example.org. The Controller will respond to all inquiries within 5 working days at the latest.
15. Notification changes
This Notice may be updated periodically, but so that the level of privacy protection achieved will not be diminished.
By this means, the persons whose data is being processed confirm that they have read, understood and accepted the processing of personal information described above.