General Privacy Policy

---

Personal Data Protection Information for Clients
Publisher: ORBICO TRGOVINA I USLUGE DOO BEOGRAD, Partizanske avijacije 4, matični broj: 105564523
Use: 01.03.2020

1. Important notes
These are the privacy rules (hereinafter: the "Privacy Policy") issued by ORBICO TRGOVINA I USLUGE DOO, 11000 Belgrade, Partizanske avijacije 4, registration number: 105564523 (hereinafter: the "Company"). In this sense, the company has the position of controller of the processing of your personal data.

1.1. These Privacy Policy apply to all individuals who interact with the Company in the role of consumers, customers, service users, those who are interested in becoming, business partners, suppliers, subcontractors, contractors or other persons who are with the Company in business relationship. (hereinafter: "Clients").

1.2. The company has a Rulebook on personal data protection which regulates the obligations of the Company and its employees regarding the collection and processing of personal data. These privacy rules further regulate the privacy and protection of your personal data as Clients, and you are provided with information in accordance with Articles 23 and 24 of the Law on Personal Data Protection ("Official Gazette of RS", No. 87/2018).

1.3. The privacy policy applies only to individuals or their personal data. Personal data is all data through which we can, directly or indirectly, identify you.

1.4. Please, read this Privacy Policy. If you do not agree with our actions, please do not provide us with your personal information

1.5. In case of any questions or requests regarding the handling or protection of your personal data, please contact us at privacy.orbicors@orbico.com. 

2. What is covered by the Privacy Policy?
• The Privacy Policy covers the ways in which your personal data is processed when you interact with us, e.g. when:
• You visit our websites
• Use our channels on social networks
• Purchase and use our products and services, systems and applications 
• Subscribe to our newsletter
• Provide your goods and services, systems or applications
• Contact our customer support
• Attend our business events
• Participate in our competitions
• Participate in our promotions
• Communicate with us in some other way in the role of you as a consumer, costumer, business partner, supplier, subcontractor, or other person who is in a business relationship with us

2.1. Processing of personal data is any action or set of actions performed on personal data, whether automated or non-automated means such as collecting, recording, organizing, structuring, storing, adapting or modifying, finding, restoring, discovering, using, and consulting related to personal data.

3. What personal data do we process?

3.1. We process the personal data that you have given us, either during the initial contact, or during later communication (eg through a phone call, e-mail, etc.) or those that resulted from our business cooperation.

3.2. We process the following personal information we have collected from you:

3.2.1. Your identification data: Name, surname, adress (street and house number, place, postal code, country, apartment, floor), JMBG; tax (registration) number;
3.2.2. Your contact data: Mobile phone, telephone, Fax, Email address; contact adress (street and house number, place, postal code, country, apartment, floor);
3.2.3. Your user data: user ID, password;
3.2.4. Additional information necessary for business needs: Company name, type of user(private or business); business atribute; Current account data (number and bank);
3.2.5. Data derived from our business relationship: Sales data, pictures from the point of sales
3.2.6. Change history of all listed data: Initially given data, their changes,as well as the change was made
3.2.7. Your other data: Data related to your household, your interests, your occupation;

3.3. We also process personal data related to your use of products and/or services, which are collected automatically.

3.4. We process the following personal information we have collected automatically:

3.4.1. Information obout your device: Device model ,unique device identifier, MAC address, IP address, operating system version, device settings you use to access websites, applications and services;
3.4.2. Your login details: The time and duration of use of our digital channel or product;
3.4.3. Your location information: The actual location(derived from the IP adress or other location-based technologies) that we may collect when you provide us with this through product or location-related settings;
3.4.4. Your other data: The applications you use, the websites you visit, the links you click within our advertising email;

3.5. We process the personal information we receive about you from publicly available sources(within the legal framework) such as public databases , as well as those we receive from our marketing partners or social networking platforms when you choose to use such services. We may combine the information obtained in this way with other information we have received from you.

3.6. You are not obligated to provide us with certain types of information, but this may affect the functionality  of the product or service we offer.

3.7. In accordance with the law, we will not process data related to:
• Racial or ethnic origin;
• Political opinion;
• Religious or philosophical beliefs;
• Trade union membership;
• Genetic functions;
• Health;
• Sex life;
• Criminal convictions or related security measures;
• Biometric data;
• Genetic data.
If there is a need to process some of the above personal data we will always need your explicit consent.

4. Why we process your personal data?

4.1. We process your personal data because you are our customer or user of our services or you are interested  in becoming one(e.g. you have subscribed to our newsletter or sent us certain questions). 

4.2. We process your personal data for the following purposes: 

4.2.1. Conclusion and implementation of contracts
We process your personal data  that we need in order to process, accept and fulfill some of your inquiries, orders, purchases or other mutual agreements.
4.2.2. Fulfilling our legal duties 
We process your personal informations in order to fulfill our legal duties. For example, disclosure of information to state institutions or supervisory bodies related to reporting obligations , compliance audits, tax deductions, mandatory records, conducting inspections and compliance with requirements by state bodies or other public bodies.In that case, the basis for processing your personal requests is the fulfillment of our legal duties. 
4.2.3. Information on orders and requests
We process your personal data in order to inform you about the status of an individual request, the execution of a service or the like, all for the purpose of your full information. In that case, the basis for the processing of your personal data is our legitimate interest.
4.2.4. Sending a newsletter
We process your personal data in order to inform you about interesting events, our services and products, all the for the purpose of your full information. In that case,  the basis for the processing of your personal data is our legitimate  interest or your consent, depending  on the specific case.
4.2.5. Other cases
In order to protect our legitimate interests as a company(eg. When it is necessary to ensure an adequate level of protection). In that case, the basis for processing your personal requests is our legitimate interest.

5. Who has access to your personal data?

5.1. We consider your personal data to be a business secret and as such we protect them in accordance with applicable legal regulations and best practice. 

5.2. We will process your personal data ourselves, as well as the entities within Orbico group. Third parties have the right to access and process your personal data only in the situations described below:

5.2.1. Legal entities with which we cooperate in business and which enable or assist us in regular business. These are e.g. individuals who develop and maintain the IT solutions we use. In that case, these legal entities process your personal data exclusively for our needs;
5.2.2. Persons with whom we cooperate in business, when we assess that it is necessary for the protection of certain of our justified interests. For example tax advisors, accountants, lawyers and other advisors. In that case, these persons process your personal data exclusively for our needs; 
5.2.3. Competent bodies in conducting supervision over the legality of business and actions , as well as other legal entities when it is necessary for the performance of some of our legal duties , e.g. auditor. In that case, these legal entities process your personal data for the purpose assigned to them by law;
5.2.4. Other parties in connection with business transactions such as e.g. sale  of the company or part of the company, reorganization, merger, joint venture, or any other type of disposal of our company, property or stocks) including bankruptcy or similar proceedings).

5.3. Third parties are limited in their ability to use your personal information for any purpose  other than those listed, and are required to protect and process your personal information in accordance with  legal, regulatory and contractual obligations.

6. Is my personal data transferred to other countries?

6.1. In order to realize the legitimate interests of the Company and the implementation of loyalty programs to Clients, your personal data may be transferred to other countries, specifically certain EU countries in which the Orbico group has entities, and the Company always complies with legal regulations relating to such transfer.  

7. How do we protect your personal data?

7.1. The protection of your personal data is extremely important to us. Some of the protection measures we implement are the following: 

7.1.1. Implement database pseudonymization whenever possible;
7.1.2. Application of modern methods of protection and control access to data resources containing  personal data;
7.1.3. Continuous monitoring  of all resources (physical spaces where your data is stored) that are used to process personal data.

7.2. The purpose of implementing these measures is to prevent the risk of destruction , loss, alteration, unauthorized disclosure or access to your personal data.

7.3. We also request the use of appropriate protection measures , in relation to your personal data, from third parties who have the right to access and process your personal data , as stated in Article 5, paragraph 5.2.

8. In what period do  we keep your personal data?

8.1. For data where there is a statutory retention period, we store your data in that period and delete them for an additional period of one year.  

8.2. We keep your personal data as our Clients , for which there is no defined legal retention period, for the entire duration of the contract we have concluded with you. Upon termination of the contract , we delete your data within an additional period of 6 years from the termination of the contract (statute of limitations of 5 years , increased by 1 year period for deletion).

8.3. Personal data that we process based on our legitimate interest, we store as long as our legitimate interest exists, and we delete it within a period od 2 years from the termination of our legitimate interest. 

8.4. We store personal data that we process on the basis of your consent as long as we have your consent. In case of withdrawal of consent , we delete them as soon as possible.

8.5. The above periods of storage of your personal data are defined based on the following criteria:
• The period during which we need your personal data in order to be able to provide you with our services , products or manage your business;
• If you have registered account with us, then we process your personal data as long as you are an active user of the account;
• Whether there is a legal, contractual or similar obligation to retain your personal data.

9. What regulations apply?

9.1. The protection of your personal data is regulated by the Law on Personal Data Protection(„Official Gazette of RS“, No.87/2018).

10. Your rights

10.1. If you choose to exercise one or more of your rights below, the Company  has the right to verify your identity , all for the purpose  of protecting personal information.
10.2. You exercise your rights for free. 
Exceptionally, if your request is obviously unfounded or excessive (e.g. you are asking  for personal data that you have), and especially if the same request is repeated frequently (e.g. less than 6 months have passed since the last request), the Company has  the right to charge  necessary costs to act on your request or to refuse to act on your request.  

10.3. Access to your personal data:
You have the right to ask us for information on whether we process  your personal data , access to that data, as well as information on processing in accordance with Article 26 of the Law. Please send questions and requests, in writing and signed , to privacy.orbicors@orbico.com. We will respond  to your request immediately , and within a month at the latest, unless the exceptional complexity  of an individual case  does not require an extension of the specified deadline.

10.4. Correction  of inaccuracies, additions, deletions, restrictions on the use of personal data:
You have the right to request the correction of your inaccurate personal data, as well as the right to supplement, delete  and limit the use of your personal data. Please send questions and requests, in writing and signed, to privacy.orbicors@orbico.com.   We will respond to your request immediately, and at the latest within a month, unless the exceptional complexity of the individual case requires an extension of the specified deadline. 

10.5. Portability of personal data
You have the right to download and request the transfer of your personal data. Please send questions and requests, in writing and signed, to the adress
privacy.orbicors@orbico.com. We will respond to your request immediately, and at the latest within a month, unless the exceptional complexity of the individual case requires an extension of the specified deadline. 

10.6. The right to withdraw consent and forget 
You have the right to withdraw your consent to the processing of personal data as well as to request that your personal data that we have processed on the basis of your consent be permanently deleted. Please send the question and requests, in writing and signed, to the adress 
privacy.orbicors@orbico.com. We will respond to your request immediately, and at the latest within a month, unless the exceptional complexity of a particular case requires an extension of the specified deadline.

10.7. Complaint against the processing or handling of your personal data:
You have the right to object to the processing of your personal data as well as to our way of handling your  personal in general. Your request to us is privacy.orbicors@orbico.com  send by e-mail to to the adress, where in the title of  the message you state the Objection against processing and in the message itself you explain the reason for the objection and your request.

10.8. The right to complain to the Commissioner for Information of Public Importance and Personal Data Protection
As a Client, at any time you have the right to complain to the competent authority for personal data protection-the Commissioner for Information of Public Importance and Personal Data Protection (https://www.poverenik.rs/) .