PRIVACY POLICY AND PERSONAL DATA PROCESSING NOTICE
Association CRTA, Bulevar kralja Aleksandra 70, Belgrade (hereinafter: CRTA, Organization), as a data controller, is aware of the importance of personal data protection. Therefore, CRTA treats your personal data in accordance with the applicable regulations governing the protection of personal data, including the Personal Data Protection Act of the Republic of Serbia (“Official Gazette of RS” No. 87/2018, hereinafter “PDPA”) and the General Data Protection Regulation (EU) 2016/679 [1](“GDPR”).
In order to transparently process personal data, with this Privacy Policy and Notice CRTA provides basic information regarding personal data processing actions, protection of personal data and the rights of persons whose data is processed, and in relation to the activities of the organization, namely:
- Election observation
- Organization and conducting of petitions
- Informing citizens about our work and activities
- Communication with citizens
- Fundraising for our work.
The information we provide to you in this Privacy Policy:
- Basic terms of the Privacy Policy
- Information about CRTA as the Controller and contact information of the Data protection officer
- Types of personal data we process
- Purpose of data processing
- Legal basis of data processing
- Recipients of your personal data
- Transfer of personal data to another country or international organization
- Personal data retention periods
- Processing of personal data of persons under 18 years of age
- Security of personal data processing
- Automated decision making and profiling
- The rights of Data Subjects
- Obligation to provide data
- Changes to these rules
- Contact
Basic terms of the Privacy Policy
Personal data is any data relating to a natural person whose identity is determined or determinable, directly or indirectly, in particular on the basis of an identifier, such as name and identification number, location data, an online identifier or one, i.e., more features of his physical, physiological, genetic, mental, economic, cultural and social identity.
Personal data processing is any operation or set of operation performed automatically or non-automatically with personal data or their sets, such as collection, recording, sorting, grouping, i.e., structuring, storing, adapting or changing, revealing, viewing, using, disclosure by transmission, i.e., delivery, duplication, dissemination or otherwise making available, comparison, limitation, deletion or destruction (hereinafter: processing).
Data subject is a natural person whose personal data is processed (such as visitors to the CRTA website, signatories of petitions and initiatives, etc.).
The Controller is a natural or legal person, that is, a government body that independently or together with others determines the purpose and method of processing.
A processor is a natural or legal person, that is, a government authority that processes personal data on behalf of the controller.
The recipient is a natural or legal person, i.e., a government body to which the personal data was disclosed, regardless of whether it is a third party or not, unless it is a government body that, in accordance with the law, receives personal data as part of the investigation of a specific case and process this data in accordance with the rules on the protection of personal data related to the purpose of processing.
Profiling is any form of automated processing that is used to assess a specific personality trait, in particular for the purpose of analyzing or predicting a natural person’s work performance, economic status, health status, personal preferences, interests, reliability, behavior, location or movements.
Other terms used in this document will be interpreted in accordance with the provisions of the Personal Data Protection Act, relevant by-laws, opinions and positions of the Commissioner for Information of Public Importance and Protection of Personal Data (hereinafter: “Commissioner”), and GDPR- a (including the Preamble).
Information about CRTA as the Controller and contact information of the Data protection officer
Contact information of the Operator:
CRTA Association, Belgrade, Bulevar kralja Aleksandra 70, Belgrade, ID number: 17414054, Tax Identification Number: 102211181.
CRTA has appointed a Data Protection Officer who you can contact in connection with all questions related to the processing of personal data, as well as in connection with the exercise of your rights prescribed by the Law on the Protection of Personal Data, in one of the following ways:
- by sending an e-mail to the address: [email protected]
Types of personal data we process
Data we collect directly from you
For the purpose of informing citizens about our activities, we collect through Google form:
- Name and surname
- E-mail address
For the purpose of informing citizens about our work and activities through the Newsletter, we collect:
- e-mail address
For the purposes of direct communication with citizens, i.e., answers to your inquiries, please provide us with the following information:
- first and last name (optional)
- E-mail address
- organization (optional)
- contact phone (optional)
For the purposes of collecting funds through donations from citizens who want to support our work, we collect the following data:
- Name and surname
- payment card data: card number, CVV, CVC and card validity data
Note: CRTA does not have access to payment card data of natural persons. You can find more information about aspects of data protection for donation purposes at this link: CRTA Donations: Terms of donation payment
For the purposes of registering citizens’ applications for election observation, we collect the following data:
- Name and surname
- E-mail address
- Contact phone
- Birth Year
- Occupation (optional)
- Information on previous election observation experience
For the purposes of collecting support, implementing petitions and directly engaging citizens on issues of importance, we collect the following data:
- Name and surname
- E-mail address
Data we collect indirectly
- CRTA’s online platform uses cookies.
For more detailed information on the use of cookies by CRTA, visit the following link – https://crta.rs/en/crta-cookie-policy/
Purpose of data processing
We process your personal data for the following purposes:
- Informing citizens about our activities;
- CRTA’s communications with citizens;
- Fundraising for our work;
- Conducting of petitions;
- Organization and conducting of the election observation process;
- Improving the functioning of our platform and other communication channels;
- Other purposes prescribed by the Cookie Policy of the platform.
Legal basis of data processing
Below is the legal basis and processing purposes of CRTA’s personal data processing:
- The legal basis for data processing for the purposes of communication with CRTA, signing up to our list for receiving newsletters, donations and applications for election observation, or other situations where we ask for your consent, is your consent. Once given consent can be revoked at any time, in one of the following ways: by submitting such a request to CRTA per e-mail, with the indication “for the Personal Data Protection Officer”. Please note that if you withdraw your consent to the processing of personal data, we will not be able to provide you with the desired service, or to include you in some of our activities (such as election observation), and that the withdrawal of consent does not affect the permissibility of processing your data performed before the revocation;
- CRTA can also process your personal data when the processing is necessary in order to comply with the organization’s legal obligations. The consent of the person to whom the data refer is not required for data processing that is necessary for compliance with the law and the performance of prescribed legal obligations;
- In certain cases, the processing of personal data is necessary in order to achieve the legitimate interests of CRTA or a third party, taking into account that the interests of CRTA do not prevail over the interests or rights and freedoms of the person whose data it processes. Data processing based on legitimate interest does not require the consent of the data subject, but the subject has the right to use legal mechanisms at any time to exercise their rights in the manner described in the section Rights of the data subject.
CRTA processes personal data only for the purposes for which the data was collected.
Recipients of your personal data
CRTA has the right to disclose personal data to third parties, namely:
- To persons who provide various services to CRTA and have the capacity of data processors. CRTA has concluded a contract with them, which regulates obligations regarding data protection. For example, for the purposes of implementing citizen petitions and initiatives, and for the sake of better communication with citizens, CRTA uses the services of the Action Network platform. Also, for the purposes of collecting donations through the platform, PayPal services are used, whose privacy policy you can find here. In the case of donations collected directly through the CRTA website, the payment card number and CVV2 and CVC numbers are not processed directly by CRTA, but the processing of user payment card data is carried out by an external service provider, the company AllSecure, with which CRTA has concluded an agreement on provision of services.
- Authorities and persons to whom CRTA is legally required to provide appropriate data;
- For litigation and security purposes: we may also disclose your personal information if we are required to do so by law, or in good faith believe that such action is reasonably necessary to comply with legal requirements, to respond to a legal request, or to protect the security or rights of the organization, employees or the public.
CRTA will never share your personal data with any third party that intends to use it for direct marketing, unless we have previously informed you and received your explicit consent.
Transfer of personal data to another country or international organization
The transfer of personal data to service providers in the Republic of Serbia is carried out in accordance with applicable laws and relies on standard contractual clauses prescribed by the Commissioner. Such service providers are obliged to act only according to CRTA’s instructions, and are obliged to apply all technical measures to protect personal data.
In some cases, personal data may be transferred to other countries or territories. If this is the case, CRTA acts in accordance with the rules prescribed in Chapter V of the PDPA, i.e., in accordance with the Decision of the Government of Serbia on the List of States, parts of their territories or one or more sectors of certain activities in those states and international organizations in which it is considered an adequate level of protection of personal data is provided (“Official Gazette of RS” No. 55/2019).
For example, customer data is also processed in Germany and France, which are on the aforementioned List as countries that are considered to have an adequate level of personal data protection.
Personal data retention periods
CRTA keeps personal data for 3 years from collection.
If the law or some other regulation determines a different period of data storage, CRTA is obliged to apply the prescribed periods.
In case the data is processed based on your consent, you can withdraw your consent in any moment, after which the processing of your data stops.
CRTA will not store your personal data longer than necessary and legal. CRTA will process your data exclusively for the purposes for which the said data was collected.
Processing of personal data of persons under 18 years of age
All processing of personal data presented in this document refers exclusively to persons of at least 18 years of age. In the event that, despite our reasonable efforts to prevent it, data processing of minors occurs without the consent of their parents or guardians, we will stop it after noticing the fact that the users are younger than the specified age.
Security of personal data processing
CRTA hereby informs you that it continuously evaluates and improves the applied security measures, in order to ensure safe and protected processing of personal data.
CRTA undertakes all necessary technical, organizational and personnel measures in order to protect the confidentiality and security of your personal data collected for the purposes of implementing our activities. These efforts include, but are not necessarily limited to: (i) storing your personal information in secure operating environments that are not accessible to the public; ii) enabling access to your data only to authorized persons employed by CRTA, i.e. processors whose job description includes data processing; iii) application of data anonymization and pseudonymization techniques, when there are technical conditions for this; iv) selection of processors that meet legal requirements and personal data protection standards.
Automated decision making and profiling
For the purposes of adapting our content and offers to your interests and preferences, CRTA may perform automated processing of personal data, including profiling. This type of data processing is important in order to provide you with information that best suits your needs, that is, so that you do not receive content that is not important to you. Please note that automated data processing will not lead to automated decision-making, including those that produce any legal consequences for you or affect your position. In any case, if the automated processing of personal data is carried out, you have at your disposal the rights presented in the remainder of this Policy.
The rights of Data Subjects
Right of access
The right of access means that the data subject can obtain from CRTA information on whether his personal data is being processed and, if so, permission to access his personal data and obtain information about the processing. CRTA will provide a copy of the personal data it processes upon request. CRTA may charge a reasonable administrative fee for additional requests. If the request is submitted electronically, unless otherwise requested, CRTA will submit the information in electronic form.
The right to rectification and deletion of data
At the request of the data subject, CRTA will correct inaccurate personal data or complete incomplete data.
At the request of the person to whom the data refer, CRTA will delete their personal data if the conditions prescribed by the Law are met (e.g., if the purpose for which they were collected is fulfilled, if consent for processing is withdrawn, and there is no legal basis for processing). CRTA cannot delete personal data: if the obligation to process them is legally prescribed or processing is mandatory for reasons of protection of public interest (e.g., acting on the order of a state authority) or is necessary for the protection of CRTA’s interests such as initiation, submission or defense of a legal request (e.g., filing a lawsuit, etc.).
Right to restriction of processing
At the request of the person to whom the data refer, CRTA will limit the processing of his personal data in cases prescribed by the Law.
Right to data portability
At the request of the person to whom the data refer, CRTA will provide the personal data in a structured, commonly used and electronically readable form (e.g. on a computer) and enable him to transfer them to another operator without interference by CRTA if the following conditions are met: (a) the processing is based on consent or is necessary for the performance of the contract and (b) the processing is automated. This right also includes the possibility to request that CRTA directly transfer personal data to another controller if this is technically feasible.
Right to withdraw consent
You have the right to withdraw your consent to the processing of personal data at any time, however, please note that the withdrawal of consent does not affect the admissibility of processing based on consent prior to your withdrawal.
You can revoke your consent in several ways: by changing the choices on your profile on the website, by submitting a request for revocation of consent to the CRTA e-mail, with the indication “for the Data Protection Officer”.
If you withdraw your consent to the processing of personal data, we will not be able to provide you with the desired service.
The right to object
At any time, the person to whom the data refers can submit an objection to the CRTA to the processing of personal data based on a legitimate interest or which is necessary for the purpose of performing tasks in the public interest or exercising the powers prescribed by law. After submitting an objection, CRTA will suspend further processing of such data, unless there is a legitimate basis for processing that outweighs the interests or freedoms of the data subject or if the processing is carried out for the purpose of initiating, filing or defending against a legal claim (e.g. filing lawsuits, counterclaims, etc.).
The right to challenge a decision made in an automated decision-making process, including profiling
A decision made solely on the basis of automated processing, including profiling, will not apply to a person whose personal data is processed, if that decision significantly affects his position or produces legal consequences for the person. If he believes that his rights have been violated by a decision made in an automated decision-making process, the person to whom the data refers has the right to challenge such a decision, to express his position and to request that the decision be reviewed with the participation of an authorized employee of CRTA.
The right to file a complaint to the Commissioner for Information of Public Importance and Protection of Personal Data
The person to whom the data refers has the right to file a complaint with the Commissioner for Information of Public Importance and Protection of Personal Data, if he believes that the processing of his personal data is carried out contrary to the provisions of the Law or other valid regulations.
Exercising the aforementioned rights is possible at any time. To exercise these rights, you can send a written request, dated and signed in printed format, to the following address: CRTA, Bulevar kralja Aleksandra 70, 11000 Belgrade, or by email to our Personal Data Protection Officer at [email protected] .
Obligation to provide data
If you choose not to provide us with your personal information when requested, you may not be able to participate in certain activities, or digital media services may be limited. For example, if you refuse to share your email address with us, you will not be able to receive our newsletters or register on our digital channels.
Changes to these rules
CRTA may change and update this privacy policy from time to time, as appropriate. CRTA will notify you of any material or substantive changes to this privacy policy, and will ensure that notification is made in a manner that ensures that you confirm it, for example by using the email address you have provided to us, or by any other appropriate means that allows effective communication.
Contact
You can direct any question related to this document to the person responsible for personal data protection issues at CRTA, via the following contact [email protected] , with the note: for the Data Protection Officer .
Updated: May 2024.
[1]Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, and on the free movement of such data and on the repeal of Directive 95/46/EC