Pursuant to the Law on Protection of Personal Data (“Official Gazette of RS”, No. 87/2018) (hereinafter: “Law”), Ivan MIćić, ALL SEASONS RESIDENCE DOO, with headquarters in Zlatibor, Čajetina municipality, PANTA MIJAILOVĆA 30B, ID number 21721514, PIB 112698750, activity hotels and similar accommodation, as a personal data controller (hereinafter: the Controller), created the Privacy Policy as a binding act based on the principles of processing, which regulates which personal data is processed, in what way, for what purposes and on what legal basis, as well as what the rights of the person whose data is processed are.

This Privacy Policy applies only to the Controller’s online activities and applies exclusively to visitors to the Controller’s website (https://aparthotelzlatibor.com/), i.e. to data collected through the use of the said website.

We ask website visitors to carefully read the Privacy Policy before continuing to use the website. By using the website, you agree to the Privacy Policy and confirm that you have read and understood the conditions under which the Controller processes your personal data and that you accept the Privacy Policy. Accordingly, if you do not agree with this Privacy Policy, please stop using this website immediately.


BASIC TERMS

“Personal data” is any data relating to a natural person whose identity is determined or determinable, directly or indirectly, in particular on the basis of an identity marker, such as name and identification number, location data, identifiers in electronic communication networks, or one or more features of his/her physical, physiological, genetic, mental, economic, cultural and social identity;

“Data Subject”/ “Person” is a natural person whose personal data is processed;

“Processing of personal data” is any action or set of actions performed by automated or non-automated means with personal data or sets thereof, such as collection, recording, classification, grouping, i.e. structuring, storage, adaptation or modification, disclosure, inspection, use, disclosure by transmission, i.e. delivery, duplication, dissemination or otherwise making available, comparison, restriction, deletion or destruction (hereinafter: “processing”);

“Controller” is a natural or legal person, i.e. an authority that alone or together with others determines the purpose and method of processing. The law that determines the purpose and method of processing can also determine the controller or prescribe the conditions for its determination;

“Processor” is a natural or legal person, i.e. an authority that processes personal data on behalf of the controller;

“Recipient” is a natural or legal person, i.e. a public authority to whom personal data has been disclosed, regardless of whether it is a third party or not, unless it is a public authority that, in accordance with the law, receives personal data in the context of research of a specific case and processes this data in accordance with the rules on the protection of personal data related to the purpose of processing;

“Third party” is a natural or legal person, i.e. an authority, which is not the person to whom the data refer, the controller or the processor, as well as the person who is authorized to process personal data under the direct supervision of the controller or processor;

“Consent” of the data subject is any voluntary, definite, informed and unequivocal expression of the will of that person, by which that person, by statement or clear affirmative action, consents to the processing of personal data relating to him;

“Personal Data Breach” is a personal data security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data transmitted, stored or otherwise processed.


PRINCIPLES

When collecting, processing and storing personal data, the Controller acts in accordance with the following principles:

Lawfulness, fairness and transparency – Processing is carried out lawfully, fairly and transparently in relation to the Data Subject;

Limitation in relation to the purpose of processing – Data is collected for the purposes specifically determined by the Law and this Privacy Policy, which are explicit, justified and lawful, and cannot be further processed in a way that is not in accordance with those purposes. Exceptionally, if further processing is carried out for the purposes of archiving in the public interest, for the purposes of scientific or historical research, as well as for statistical purposes, in accordance with the Law, it is considered that personal data are not processed in a manner that is not in accordance with the original purpose;

Data minimization – Data is adequate, essential and limited to what is necessary in relation to the purpose of the processing;

Accuracy – Data will be accurate and, if necessary, updated. In this regard, the Controller will take all reasonable measures to ensure that incorrect data is deleted or corrected without delay, and Persons are requested to always notify the Controller in a timely manner of any change in data;

Storage limitation – Data is stored in a form that enables the identification of the Person only for the period necessary to achieve the purpose of the processing;

Integrity and confidentiality – Data is processed in a way that ensures adequate protection of personal data, including protection against unauthorized or illegal processing, as well as against accidental loss, destruction or damage by applying appropriate technical, organizational and personnel measures.

PERSONAL DATA THAT IS COLLECTED AND PROCESSED AND THE METHOD OF COLLECTION OF THAT DATA

Data that the Persons decide to share with the Controller when booking an apartment or a conference room, in an inquiry via the contact form, or through another type of interaction such as posting a comment in the blog section or signing up for the newsletter.
When reserving an apartment, the Controller can receive information about the Person such as: name and surname, address (street and number, city, postal code, country), e-mail address, telephone number. Also, the Controller can receive other data such as: the number of apartments on the reservation, the number of people on the reservation (adults and children), the age of the children, as well as other data necessary to perform the service, such as arrival data and selected dates of stay.
When making a conference room reservation, the Controller may receive personal data such as: first and last name, e-mail address, phone number, but also information contained in the content of the message itself and/or attachments that the Person may send with the content of the message, as well as any other information that the Person decides to share with the Controller.
By contacting the Controller through the contact form, the Controller can obtain information about the Person such as name and surname, e-mail address, phone number, but also information contained in the content of the message itself and/or attachments that the Person can send with the content of the message, as well as any other information that the Person decides to share with the Controller. The contact form has a clearly presented purpose, with the aim that the responsible person of the Controller gets in touch with the Person who sent the inquiry and provides the requested information.
By signing up for the newsletter, the Controller can receive data about the Person such as name and surname and e-mail address.

Data that the Controller can automatically collect when the Person visits the website, and from the device from which the Person accesses the website.

Data automatically collected by the Controller may include information such as IP address, device type, unique device identification number, browser type, and broader geographic location (e.g., country or city-level location). Also, the Controller can collect information about how the Person’s device behaves on the Controller’s website, as well as the Person’s browsing habits, including the pages the Person has accessed, i.e. the links they have clicked on.
This data is primarily collected using cookies and similar tracking technologies. “Cookies” are text files that contain small amounts of information that are downloaded to a computer or mobile device when visiting a website. They are stored locally in the visitor’s browser and are exchanged by the website with the user’s device for short-term memory of the visitor’s activities on the page. Cookies are used to collect data about the use of the website and they do not cause any damage to the device and do not contain viruses. The purpose of collecting data through cookies is not to personally identify website visitors, but to enable the website to recognize the visitor’s device and thereby improve the content of the website and enhance the visitor experience.
The website of the Controller uses several types of cookies, which are used for different purposes:
Necessary cookies – help visitors use the website, enabling basic functions such as navigation through the site and access to its protected parts. The website cannot function properly without these cookies;
Functional cookies – enable improved functionality and personalization of the website. If Persons do not allow these cookies, they will disable certain functionalities of the page that help in efficient use of the page, by remembering information based on which certain functions or the appearance of the page are changed. These cookies remember the choices made by the Persons, such as the country from which the website is visited, language and search parameters, such as the number of guests, time of stay and the like;
Statistical cookies – help the Controller to understand how visitors use the site by anonymously collecting and reporting data;
Marketing cookies – help the Controller to provide visitors with a good user experience, adjust the content of the page and continuously improve the page.
Cookies can be enabled or disabled by modifying the settings in the specific browser. If they are disabled, it is possible that certain activities on the Controller’s website cannot be completed or that certain parts of the website cannot be properly accessed.

The Controller also uses Google Analytics, which is a free service provided by the third-party provider Google, Inc., which is used to track visits to Internet pages. Google Analytics enables statistical displays of visits by type of source (browser, e-mail, direct visits, etc.), details about visitors (geographical location, language they use, web browser, etc.) and other data needed to evaluate the use of the website.

Data that the Controller collects from third parties
It may happen that the Controller does not receive personal data from the Persons to whom it relates, but from third parties. For example, this can happen through publicly available online sources, such as social networks or Google. This is a situation in which the Persons have previously disclosed their personal data to those third parties, in accordance with their privacy policies and terms of use, and then they, as third parties, transfer that data to the Controller in a structured, commonly used and electronically readable form. As this transfer took place by third parties, in accordance with their privacy policies and terms of use, the Controller will consider that the Persons have given consent to those third parties to transfer the data.

PURPOSE OF COLLECTION AND PROCESSING OF PERSONAL DATA

The Controller collects and processes personal data for the following purposes:

  • performance of activities, i.e. provision of services in accordance with relevant laws and by-laws;
  • improvement of performance of activities, i.e. improvement of service provision;
  • development and termination of new services;
  • providing requested information by answering the Person’s inquiries, i.e. providing support;
  • providing adequate functioning of the website;
  • development and improvement of the website;
  • analysis of website visits and use;
  • business and marketing communication;
  • business administration and legal compliance;
  • security and surveillance.

The Controller collects personal data for specific, explicit and legal purposes and does not process them in a way that is inconsistent with the purpose for which they were collected. Data that has been collected for one, predetermined purpose, will not be used for any other purpose or in a way that is inconsistent with the approved purpose.

LEGAL BASIS OF PERSONAL DATA PROCESSING
In accordance with the principle of legality, personal data is collected and processed on various legal bases prescribed by law, such as:

  • consent – The person to whom the data being processed refers has given consent for one or more specifically defined processing purposes;
  • contract – processing is necessary for the execution of the contract concluded with the Person to whom the data refer or for undertaking actions, at the request of the Person to whom the data refer, before the conclusion of the contract;
  • legal obligation of the Controller – processing is necessary in order to comply with the prescribed obligations of the Controller;
  • legitimate interest of the Controller or a third party – processing is necessary for the purpose of real, concrete and legally permissible benefit of the Controller or a third party, for the realization of which the processing of certain personal data is necessary and which is not overridden by the interests or basic rights and freedoms of the person to whom the data relates.


PERIOD OF STORAGE OF PERSONAL DATA
The period of storage of personal data depends on the purpose and legal basis of personal data processing.
The Controller will store personal data for the period of time prescribed for certain purposes by the relevant regulations or until the purpose for which they were collected is fulfilled, after which they will be deleted.
Personal data that is processed solely on the basis of consent is stored until consent is revoked. Consent can be revoked at any time, but it does not affect the admissibility of processing that was carried out on the basis of consent before the revocation.

RECIPIENT AND THIRD PARTY
The Controller also discloses personal data to certain recipients, i.e. third parties: related persons of the Controller in the territory of the Republic of Serbia; to its employees; communication services; IT service providers; providers of tourist and catering services with whom the Controller cooperates when performing activities (commercial partners of the Controller); expert advisors to persons who provide consulting, legal, banking, accounting, insurance services, such as lawyers, bankers, bookkeepers, insurers, auditors; state authorities. The mentioned third parties have access to the personal data needed to perform the tasks for which they are engaged, but they may not use them for other purposes (if they use them for other purposes, they will be considered independent controllers). The Controller treats personal data as confidential information and takes all appropriate necessary measures to protect them in accordance with the Law. Access to personal data can only be given to persons who, given the description of the work they perform, need to be familiar with personal data and only to the extent necessary for the performance of their work. The Controller requires all recipients and third parties to protect personal data and act in accordance with applicable regulations, and to process personal data exclusively for specific purposes.

RIGHTS OF THE PERSONS TO WHOM THE PERSONAL DATA RELATES
In addition to the already mentioned rights in this Privacy Policy, as well as other rights provided by the Law and other regulations in accordance with the Law, the Person to whom the personal data refers has the following rights:

The right to information and the right to access
The Person has the right to request information on whether the Controller processes his/her personal data, and if the answer is affirmative, to request access to that data, as well as the following information: on the purpose of processing; on the types of personal data processed; about the recipient or types of recipients to whom the personal data has been disclosed or will be disclosed, especially recipients in other countries or international organizations; on the expected period of storage of personal data, or if this is not possible, on the criteria for determining that period; on the existence of the right to request from the Controller the correction or deletion of his/her personal data, the right to limit processing and the right to object to processing; on the right to submit a complaint to the Commissioner; on available information about the source of personal data, if the personal data were not collected from the persons to whom they refer; about the existence of an automated decision-making procedure and, at least in those cases, meaningful information about the logic used in that process, as well as about the importance and expected consequences of that processing for the person to whom the data refer. If personal data is transferred to another country or international organization, the Person to whom it relates has the right to be informed about the appropriate protection measures related to the transfer.
The Controller is obliged to provide a copy of the data it processes to the Person to whom the data refer upon his/her request. The Controller may request compensation for the necessary costs for the production of additional copies requested by the Person to whom the data refer. If the request for a copy is submitted electronically, the information is submitted in a commonly used electronic form, unless the Person to whom the data relates has requested a different submission.
Right to correction and addition
The data subject has the right to have his/her inaccurate personal data corrected without undue delay. Depending on the purpose of the processing, the Data Subject has the right to complete his/her incomplete personal data, which includes providing an additional statement.
The right to erasure of personal data
The person to whom the data refers has the right to have his/her personal data deleted by the Controller and may submit a separate request to the Controller for this.
The Controller is obliged to delete personal data without undue delay in the following cases:

  • The data are no longer necessary to achieve the purpose for which they were collected or otherwise processed;
  • The person revoked the consent on the basis of which the processing was carried out, and there is no other legal basis for the processing;
  • The person has filed an objection to the processing;
  • Data were illegally processed;
  • Data must be deleted in order to fulfill legal obligations;
  • The data was collected in connection with the use of information society services in the sense of the Law.

Right to restriction of processing
The data subject has the right to have the processing of his/her personal data restricted by the Controller if one of the following cases is met:

  1. The person to whom the data refers contests the accuracy of the personal data, within the time limit that allows the Controller to check the accuracy of the personal data;
  2. The processing is illegal, and the Person to whom the data refers opposes the deletion of personal data and instead of deletion requests restriction of the use of data;
  3. The Controller no longer needs personal data to achieve the purpose of the processing, but the Person to whom the data refers has requested it in order to submit, implement or defend a legal claim;
  4. The person to whom the data refers has submitted an objection to the processing, and an assessment is underway as to whether the legal basis for the processing by the Controller outweighs the interests of that person.


Right to portability

The Person to whom the data refers has the right to receive from the Controller the data that he/she previously submitted, in a structured, commonly used and electronically readable form, and has the right to transfer that data to another controller without interference from the Controller, if the processing is based on consent or on the basis of the contract and if the processing is performed automatically.

The right to object
If he considers that it is justified in relation to the special situation in which he is, the Person to whom the data refers has the right to submit an objection to the processing of his/her personal data to the Controller at any time, in accordance with the Law.

THE CONTROLLER’S PROCEDURE IN CASE OF PERSONAL DATA BREACH
If a personal data breach can cause a high risk to the rights and freedoms of the Person, the Controller is obliged, without undue delay and in accordance with the Law, to inform the Person to whom the data relates about the breach that has occurred, as well as to notify the Commissioner for access to information of public importance and protection of personal data (hereinafter: the Commissioner) without undue delay, or if possible, within 72 hours of becoming aware of the breach.

THE RIGHT TO FILE A COMPLAINT WITH THE COMMISSIONER AND THE RIGHT TO COURT PROTECTION AGAINST THE DECISION OF THE COMMISSIONER
The Person to whom the data refers has the right to file a complaint with the Commissioner if he/she believes that the processing of his/her personal data has been carried out contrary to the provisions of the Law, and submitting a complaint to the Commissioner does not affect the right of this Person to initiate other administrative or judicial protection procedures. In order to simplify the filing of a complaint, the Commissioner prescribed a complaint form that can be found on the Commissioner’s website www.poverenik.rs, in the data protection/forms section. Complaints can be submitted electronically to the email address office@poverenik.rs or by mail to the address Bulevar kralja Aleksandra no. 15, Belgrade 11120.
The Commissioner is obliged to inform the complainant about the course of the procedure he is conducting, the results of the procedure, as well as the right of the person to initiate court proceedings. If the Commissioner does not act in this way or if he does not act on the complaint at all within 60 days from the date of submission of the complaint, the Person to whom the data refers has the right to initiate an administrative dispute.
Against the Commissioner’s decision on the complaint, the Person to whom the data refers has the right to initiate an administrative dispute within 30 days from the date of receipt of the decision, whereby filing a claim in an administrative dispute does not affect his/her right to initiate other administrative proceedings or judicial protection.

TRANSFER OF PERSONAL DATA OUTSIDE THE TERRITORY OF THE REPUBLIC OF SERBIA
The transfer of personal data to another country or international organization, without prior approval, may be carried out if it has been established that that other country/international organization provides an adequate level of personal data protection. In this regard, the Decision on the list of countries, parts of their territories or one or more sectors of certain activities in those countries and international organizations in which an adequate level of protection of personal data is considered to be provided (“Official Gazette of RS”, No. 55/2019) determines where an adequate level of protection of personal data is considered to be provided.
The Controller collects and processes personal data on the territory of the Republic of Serbia. Personal data may be transferred outside the territory of the Republic of Serbia exclusively to countries that have ensured the appropriate level of protection of personal data in accordance with the Law and the aforementioned Decision.

LINKS TO THIRD PARTY WEBSITES
The Controller’s website may contain links to the websites of third parties, but the Controller is not responsible for the collection, use, maintenance, sharing or disclosure of data by third parties. If Persons provide personal data on third-party websites and use those websites, the privacy policies and terms of use of those third parties will be applicable to them. In accordance with the above, the Controller recommends that Persons familiarize themselves with the content of the privacy policy and terms of use of those websites before disclosing personal data.

PERSONAL DATA PROTECTION OFFICER
For all questions and requests related to the processing of personal data, it is possible to contact the personal data protection officer Nikola Ršumović at the e-mail address: allseasons@aparthotelzlatibor.com or the address of the headquarters: Panta Mijailovica 30b, Zlatibor.

EFFECTIVENESS AND UPDATE OF PRIVACY POLICY
This Privacy Policy of the Controller comes into force on the day it is published on the Controller’s website (https://aparthotelzlatibor.com).
The Privacy Policy may be changed and/or supplemented and all subsequent changes and/or supplements will be published in a timely manner on the Controller’s website (https://aparthotelzlatibor.com).