BIRN is committed to safeguarding the privacy of the users of www.BalkanInsight.com. This Privacy Policy statement explains the data processing practices of BIRN.

PRIVACY NOTICE

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC – GDPR, regulates all important aspects of the data processing activities of the Data Controllers and Data Processors in EU, as well as for data processing activities of the Data Controllers and Data Processors in non-EU countries when the data processing operations are related to:

• The offering of goods or services to the data subjects in EU, irrespective of whether a payment of the data subject is required (e.g. e-commerce services, tourist services etc.);
• The monitoring of behaviour of data subjects in EU as far as their behaviour takes place within the Union.

BIRN DOO BEOGRAD, with the registered seat at Kosovska 17, Belgrade Serbia, collects, processes and uses the particular data from the data subjects, as Data Controller within the meaning of the Article 4 Paragraph 1 Point 7 of the GDPR, in order to send them the media content produced by BIRN DOO and its affiliates and transfer organizations.

Although the Serbian entity that falls under the scope of Serbian data protection regulatory framework, the BIRN DOO is fully dedicated to ensure the highest level of protection of the personal data, and therefore it shall be complaint with the GDPR requirements.

1. TYPE OF PERSONAL DATA THAT ARE PROCESSING

BIRN DOO collect, use and in other manner process the following personal data of the data subjects:

• name and family name;
• e-mail of the data subject;
• user name and password of the data subject.

2. LEGAL BASIS OF DATA PROCESSING AND PURPOSE OF PROCESSING

Legal basis for the processing of the above mentioned data is the performance of a contract to which the data subject is party, pursuant to the Article 6 Paragraph 1 Point b) of GDPR.

BIRN DOO collect, use and process the personal data of the data subject exclusively for the purpose of sending of the Newsletter, and other media content produced by BIRN DOO or its affiliates and partners.

3. DATA PROCESSING ACTIVITIES

BIRN DOO performs the following data processing activities: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available to the authorized persons, alignment or combination, restriction, erasure or destruction, other processing activities which are necessary for the purpose defined in Point 2 of this Privacy Notice.

4. CATEGORIES OF SUBJECTS THAT HAS ACCESS TO THE PERSONAL DATA

Beside BIRN DOO, the following categories of subjects have access to personal data:

• BIRN affiliates;
• BIRN partners;
• Companies that install and maintain the ICT system of BIRN;
• Companies that perform the security services to BIRN DOO;
• Other companies that fall under category of the Data Processor within the meaning of the Article 4 Paragraph 1 Point 8 of the GDPR that performs the tasks for BIRN SERBIA (such as the incorporation of data base, technical support for realization of the purpose from Point 3 of this Privacy Notice etc.) or Recipient within the meaning of the Article 4 Paragraph 1 Point 9

The above mentioned subjects have access and in other manner process the data only within the purpose described in Point 3 of this Privacy Notice, and are not authorized to process data in the manner that exceeds such purpose.

The above mentioned subjects will be obliged to implement the data protection standards and requirements of GDPR. BIRN DOO will conclude the data processing agreements (DPA) in order to ensure the compliance with such requirements.

The above mentioned subjects will be obliged to implement the encryption or pseudonymisation measures whenever it is technically feasible.

For the sake of clarity, even in the case of transfer of the personal data to the above mentioned subjects, the BIRN DOO as Data Controller should be responsible for the enabling of the adequate level of protection of the personal data.

5. DATA SUBJECTS RIGHTS

• The data subject pursuant to GDPR has to following rights:
• Right of the data subject to access to the personal data processed by BIRN DOO, right of the data subject to request the information from the BIRN DOO whether or not his/her personal data are being processed, and in what purpose. In the case of such request, BIRN is obliged to deliver the copy of the personal data which is processed in electronic form and free of charge (Article 15 of GDPR);
• Right to rectification, right of the data subject to obtain the rectification of his/her inaccurate personal data without undue delay (Article 16 of GDPR);
• Right to be forgotten, right of data subject to request the erasure of the personal data if certain conditions from the Article 17 of GDPR are met, i.e.;
• Right to restriction of processing, right of the data subject to request the restriction of processing from, if specific conditions are met (Article 18 of GDPR);
• Right on data portability, right of the data subject to receive his/her personal data, which he or she has provided to BIRN DOO, in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller (Article 19 of GDPR);
• Right to object, right of the data subject to object at any time to the processing of his/her personal data. In case of objection, Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims (Article 21 of GDPR);
• Rights in relation to the automated individual decision-making, including profiling, pursuant to the Article 22 of GDPR;
• Right to be informed in case of data breach pursuant to the conditions set in Article 34 of GDPR;
• Right to address to the data protection authority.

6. PROTECTION MEASURES

BIRN DOO within its organization implements all the necessary organizational, technical and personnel measures in order to ensure the highest possible protection of the personal data, including but not limited to:

• Technical measures of protection;
• Control of the physical access to the system where the personal data are storage;
• Control of the data transfer;
• Control of the personal data entry;
• Personal data access control;
• Applicable information security measures;
• All other measures necessary to ensure the adequate level of data protection.
• For the sake of clarity the subjects from the Point 4 of this Privacy Notice are also obliged to implement the above mentioned measures.

BIRN DOO hereby warrants to the data subjects the implementation of such measures by the subjects from the Point 4 of this Privacy Notice.

7. STORAGE TIME

BIRN DOO storage the personal data, as long as they are needed in order to fulfil the purpose from the Point 3 of this Privacy Notice, i.e. sending the Newsletter and other media content materials.

If the data subject unilaterally terminate the agreement with BIRN DOO (i.e. it does not want to receive Newsletter and other media content materials anymore), it will send the notice pursuant to the Terms of Use of the BIRN DOO service that could be found on the following link: www.balkaninsight.com/en/static-page/terms-of-use.

After the termination, the BIRN DOO will erase all the stored personal data of the data subject, as soon as possible but not later than 10 days from the day of the termination of the agreement.

8. DPO CONTACTS

For all additional questions, comments and information in relation to the exercising of the data subjects rights you may address to the BIRN DOO data protection officer, via telephone +381 11 4030302, or via following e-mail address: [email protected]. DPO will answer on any question of the data subject as soon as possible, and not later than 10 working days.

This Privacy Notice enters into force on May 25, 2018.