HUMANITARIAN FOUNDATION “KUĆA OD SRCA”, Pančevački put 32, 11 000 BEOGRAD, MB 28834152, PIB 113605576
Based on the Personal Data Protection Law (“Official Gazette of RS”, No. 87/2018, hereinafter: the Law), the Management Board of the HUMANITARIAN FOUNDATION “KUĆA OD SRCA” (hereinafter: Manager/Foundation), on _________, adopts the following act: RULEBOOK ON THE PROTECTION OF PERSONAL DATA.
1. PURPOSE OF THE RULEBOOK
With this Rulebook on Personal Data Protection, the HUMANITARIAN FOUNDATION “KUĆA OD SRCA” (hereinafter: the Foundation) regulates the organizational, technical and methodological procedures and measures for protecting personal data in the Foundation, with the intention of preventing accidental or intentional unauthorized destruction, alteration or loss of data, as well as unauthorized access to, processing, use or delivery of personal data. Matters not regulated by this Rulebook are governed directly by the currently valid regulations on the protection of personal data, namely the Personal Data Protection Law (“Official Gazette of RS”, No. 87/2018, hereinafter: the Law).
Application of the Rulebook
The provisions of this Rulebook apply to the processing of personal data of the following categories of natural persons:
1. employees / candidates;
2. family members of employees;
3. beneficiaries;
4. donors;
5. business partners.
Employee is any person employed by the operator (employed, working outside of employment, volunteering, or performing a function in management and/or supervisory roles). Family members are persons who are insured as members of the insured person’s family in accordance with the regulations of the insurance company, that is, persons who are considered family members under the Labor Law. Beneficiaries are recipients of services. Donors are independent, anonymous or identified financiers of the Foundation.
Business partners are users and service providers, buyers, suppliers, contractors and subcontractors, consortium partners, bidders and all other business partners from the country and abroad (entrepreneurs, legal representatives, proxies and other representatives of legal entities, natural persons responsible for the implementation of contracts, natural persons who represent the state and state organizations in the broadest sense, and other natural persons). Candidates for employment are persons who apply for open job positions published through appropriate internet portals, public media and/or the operator’s website, as well as persons who submit their CV independently via electronic or regular mail.
2. KEY TERMS OF THE PERSONAL DATA PROTECTION LAW
The terms below are used in this Rulebook with the meaning given to them by the Personal Data Protection Law (“Official Gazette of RS”, No. 87/2018).
Personal data is any data relating to a natural person whose identity is determined or determinable, directly or indirectly, on the basis of an identifier such as a name and identification number, location data, an identifier in electronic communication networks, or one or more features of his or her physiological, genetic, mental, economic, cultural or social identity (hereinafter: data).
The person to whom the data refers is the natural person whose personal data are being processed.
Personal data processing is any action or set of actions performed on personal data, automatically or non-automatically, such as collection, recording, sorting, grouping or structuring, storing, modifying or changing, revealing, viewing, using, disclosure by transmission or delivery, duplication, multiplying or otherwise making available, comparison, restriction, deletion or destruction (hereinafter: processing).
Limitation of processing is the marking of stored personal data in order to limit their processing in the future.
Profiling is any form of automated processing used to assess a certain personal characteristic, in particular for the purpose of analyzing or predicting the work performance of a natural person, his or her economic position, state of health, personal preferences, interests, reliability, behavior, location or movements.
Pseudonymization is a way of processing that makes it impossible to attribute personal data to a specific person without the use of additional data, provided that those additional data are stored separately and that technical, organizational and personnel measures are taken to ensure that the personal data cannot be attributed to a specific or identifiable person.
Data controller is a natural or legal person, or a government body, that determines the purpose and method of processing, independently or together with others.
A processor is a natural or legal person, or a government authority, that processes personal data on behalf of the data controller.
The authorized person for personal data processing is the person in charge of personal data processing in the Foundation. Processing of personal data is the responsibility of that person, as well as of the organizational part of the Foundation in which the processing is carried out, including the managers of that department and the responsible persons in the Foundation.
The consent of the data subject is any voluntary, specific, informed and unambiguous expression of the will of that person by which he or she, through a statement or a clear affirmative action, agrees to the processing of personal data relating to him or her.
A personal data breach is a breach of personal data security that results in the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, personal data that are transmitted, stored or otherwise processed.
Special types of personal data are those types of personal data that reveal racial or ethnic origin, political opinion, religious or philosophical belief or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying an individual, health-related data, and data concerning an individual’s sex life or sexual orientation.
Health data are data on the physical or mental health of a natural person, including data on the provision of health services, which reveal information about his or her state of health.
Data carriers are all types of media on which data are recorded (documents, files, materials, records, computer equipment including magnetic, optical or other computer media, photocopies, sound, graphic or video material, microfilms, data transmission devices, etc.).
A third party is a natural or legal person, or a government body, that is not the person to whom the data refers, the controller or the processor, nor a person authorized to process personal data under the direct supervision of the controller or processor.
The Commissioner for Information of Public Importance and Personal Data Protection (hereinafter: the Commissioner) is an independent and autonomous authority established on the basis of the Law, responsible for supervising the implementation of the Law and performing other tasks prescribed by the Law.
Competent authorities are authorities responsible for the investigation, detection and prevention of criminal acts, the prosecution of perpetrators of criminal acts or the execution of criminal sanctions, including the protection against and prevention of threats to public and national security, as well as any legal entity authorized by the Law to perform those tasks.
3. PRINCIPLES AND REGULATIONS OF PERSONAL DATA PROCESSING
The basic principles of personal data processing at the Foundation are:
1. Legality, honesty and transparency – personal data is processed legally, honestly and transparently
2. Limitation in relation to the purpose of processing – personal data is collected for specific, justified and legal purposes
3. Data minimization – personal data must be relevant and appropriate
4. Accuracy – personal data must be accurate and timely updated
5. Storage limitation
6. Integrity and confidentiality – personal data must be processed with protection against unauthorized or illegal processing
The data operator is responsible for the implementation of the provisions of paragraph 1 of this article and must be able to demonstrate their implementation. Data processing may only be carried out with the consent of the person concerned. If the processing is based on consent, the controller must be able to demonstrate that the person has consented to the processing of their personal data. The data subject has the right to withdraw consent at any time. Withdrawal of consent does not affect the admissibility of processing carried out on the basis of consent before the withdrawal. Before giving consent, the person to whom the data refers must be informed of the right to withdraw consent and of the effect of withdrawal. Withdrawing consent must be as simple as giving it.
4. RIGHTS OF THE PERSONS TO WHOM THE DATA REFERS
In accordance with the provisions of the Personal Data Protection Law (“Official Gazette of the RS”, No. 87/2018) on the rights of individuals, the person to whom the data relates exercises:
1. the right to be informed about the processing, in accordance with Articles 23 and 24 of the Law;
2. the right to access data, including the right to a copy of the data processed by the data operator, in this case the Foundation, in accordance with Article 26 of the Law;
3. the right to request from the Foundation the correction, addition or deletion of personal data, in accordance with Articles 29 and 30 of the Law;
4. the right to request from the operator a restriction of processing, in accordance with Article 31 of the Law;
5. the right to be notified of all recipients to whom personal data have been disclosed (in the case of any correction, deletion or restriction of processing), in accordance with Article 33 of the Law, except in cases specified by the Law;
6. the right to data portability, in accordance with Article 36 of the Law;
7. the right to donate anonymously;
8. the right to object, in accordance with Article 37 of the Law;
9. the right not to be subject to a decision made solely on the basis of automated processing, including profiling, if that decision produces legal consequences for that person or significantly affects his or her position, in accordance with Article 38 of the Law;
10. the right to be informed of a personal data breach, where the breach may cause a high risk to the rights and freedoms of natural persons, in accordance with Article 53 of the Law;
11. the right to submit a complaint to the Commissioner for Information of Public Importance and Personal Data Protection, in accordance with Article 82 of the Law.
5. OBLIGATIONS AND RESPONSIBILITIES OF HUMANITARIAN FOUNDATION “KUĆA OD SRCA”
The operator is obliged to take appropriate technical, organizational and employee performance measures to ensure that the processing is carried out in accordance with the Law.
1. Technical measures ensure that the responsible person in the Foundation implements and maintains all IT programs needed to process personal data. This person is responsible for taking all technical measures necessary to prevent the destruction, loss or alteration of personal data, as well as unauthorized disclosure of or access to personal data. Individual technical measures include, but are not limited to, physical-technical measures (locking of offices and business buildings), the use of access codes for computers, and the use of appropriate software for the protection against, identification and removal of computer viruses and other harmful programs.
2. Organizational measures refer to access to the servers and computers on which personal data may be processed; only authorized persons have access to them. Hard copies of documentation containing personal data are kept in locked rooms.
3. Employee performance measures are implemented first by appointing a person for the protection of personal data. In addition, access to personal data is available only to persons employed by the operator who must process such data as part of their work duties. Personal data are considered a business secret in accordance with the general acts of the operator, and disclosure of a business secret is a violation of work discipline. If a processor handles personal data on behalf of the data controller, the duties of the processor are defined by a contract or other legally binding act, in accordance with the Law. Only a person or authority that fully guarantees the application of appropriate technical, organizational and personnel measures for the lawful processing of personal data may be designated as a processor. If data are collected from the person to whom they relate, the Foundation is obliged to provide the following information at the time of collection: the identity and contact details of the Foundation and its representative (the head of the department that collects the personal data); the contact information of the person for personal data protection; the intended purpose of the processing and its legal basis; the existence of a legitimate interest of the Foundation or a third party for the processing (if the data collection is carried out on that basis); and the recipient or group of recipients of the data (if any).
6. DATA DISCLOSURE
In specific circumstances, the Personal Data Protection Law (“Official Gazette of RS”, No. 87/2018) allows the disclosure of personal data to agencies and government officials that enforce the law, without the consent of the data subject. In such circumstances, the Foundation will disclose the requested information. However, before disclosing data, the responsible person of the Foundation will ensure that the request is legitimate, seeking the help of legal advisors or supervisory personnel in the field of personal data protection. The Foundation must ensure that personal data are not disclosed to unauthorized third parties, which include family members, friends, government organizations and, in certain circumstances, the police. All employees must be familiar with the procedure to follow if they are asked to disclose personal data to a third party. All requests for delivery of personal data must be accompanied by appropriate documentation, and any disclosure must be specifically approved by the Person Responsible for the Protection of Personal Data.
7. SAFEKEEPING AND HANDLING OF DATA OF HUMANITARIAN FOUNDATION “KUĆA OD SRCA”
The HUMANITARIAN FOUNDATION “KUĆA OD SRCA” keeps records of personal data processing containing:
1. the name of the personal data record;
2. the types of persons to whom the data refers and the types of personal data in the record;
3. the names and contact information of the handlers, joint handlers, representatives of the handlers and persons for personal data protection;
4. data on the purpose of processing;
5. data on the types of recipients to whom personal data have been or will be disclosed, including recipients in other countries;
6. data on transfers of personal data to other countries, as well as documentation on the implementation of measures if personal data are transferred in accordance with the Law;
7. data on the retention period, after the expiry of which certain types of personal data are deleted, if such a period has been set.
The Foundation appoints a person or persons to manage the records of personal data if they are kept in several organizational parts in which personal data processing operations are carried out; these persons are obliged to take care of the accuracy of the records and to ensure that their content is kept up to date. Records of personal data processing are kept in written and electronic form. The Foundation is obliged to make them available to the Commissioner at his request.
Video surveillance. Video surveillance at the HUMANITARIAN FOUNDATION “KUĆA OD SRCA” is used for the purpose of protecting people and property. Use for other purposes is not allowed. Anyone who wants to view a recording must submit a written request to the Foundation, which must allow him/her to see it. He/she must also sign an information protection statement committing himself/herself to keep all data safe. If an employee, beneficiary or visitor wants to view a recording, the manager of IT Security is also present during the review of the recording.
8. LEGAL REMEDIES
The person to whom the data refers has the right to file a complaint with the Commissioner if he/she believes that the processing of his/her personal data has been carried out contrary to the provisions of the Personal Data Protection Law. In the complaint procedure, the provisions of the Law regulating supervision, in the part related to the handling of complaints, apply accordingly. Filing a complaint with the Commissioner does not affect the right of this person to initiate other administrative or judicial protection procedures.
The Commissioner is obliged to inform the complainant about the course of the procedure he is conducting, the results of the procedure, and the right of the person to initiate court proceedings in accordance with the Law. The person to whom the data refers has the right to judicial protection if he/she believes that a right granted by the Law has been violated by the handler or processor through the processing of his/her personal data contrary to the Law. Filing a lawsuit does not affect the right of this person to initiate other administrative or judicial protection procedures. A person who has suffered material or non-material damage due to a violation of the provisions of the Law has the right to monetary compensation for that damage from the operator or the processor who caused the damage.
This Rulebook enters into force on the day of its publication.