Privacy Policy

Based on the Law on the Protection of Personal Data ("Official Gazette of the RS", number 87/2018) and Article 198, paragraph 4 of the Law on Business Companies ("Official Gazette of the RS", number 36/2011 ,99/2011,83/2014, - other laws, /2015 and 44/2018) Company: Balkan Roads d.o.o. Belgrade - New Belgrade, ul. Omladinskih brigada 98, 1st floor, THE ONE business complex, registration number: 21599662, Tax ID: 112060732, on 20.07.2020. issued the Rulebook on Personal Data Protection

PURPOSE AND OBJECTIVE OF THE RULES

Article 1.

The Rulebook on Personal Data Protection (hereinafter: the Rulebook) is a general act, i.e. the main document that was adopted for the purpose of more closely regulating the protection of personal data of individuals who are within organization of the Company, or in a specific connection with it (primarily, employees, associates, consultants and individuals engaged in other ways by the Company, as well as individuals with whom the Company has established a certain type of business cooperation, and whose data the Company processes, e.g. users and clients), and in accordance with the Law on Personal Data Protection of the Republic of Serbia ("Official Gazette of RS", No. 87/2018).

BALKAN ROADS DOO BELGRADE-NEW BELGRADE, Omladinskih brigada 98, 1st floor, THE ONE business complex, ID number: 21599662, PIB: 112060732 (hereinafter: Controller) undertakes to guarantee the confidentiality of personal data within the scope of providing services within the activities of travel agencies, organizing excursions and mediating and selling tourist trips, as well as other tourist services in accordance with the Personal Data Protection Act (hereinafter: the Act). Also, the Controller guarantees security and privacy on the internet platform it uses, which is located at the web address www.belgradewalkingtours.com

The aim of adopting the Rulebook is to ensure legal certainty and transparency regarding the processing of personal data of individuals referred to in paragraph 1 of this article, as well as to determine the legal basis, purpose of processing, types of the data being processed, the rights of individuals regarding the processing of personal data, data protection measures, etc. The Rulebook also establishes the obligations of employees regarding the protection of personal data of individuals, in accordance with the law.

The term "employee" includes, except for employees in the sense of the Labor Law, and individuals engaged on the basis of work contracts, copyright contracts, contracts on the provision of consulting services, and the like, and which contracts contain a clause obliging the person engaged by the Company to comply with the provisions of this Rulebook, the text of which is an attachment and an integral part of each individual contract.

II TERMS AND ABBREVIATIONS

Article 2.

• Law on Protection of Personal Data ("Official Gazette of RS", No. 87/2018, hereinafter: "ZZPL");
• Labour Law of the Republic of Serbia ("Official Gazette of the RS", 24/2005, 61/2005, 54/2009, 32/2013, 5/2014, 13/2017 - decision of the Constitutional Court and 113/2017) (hereinafter: "ZoR");
• Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia (hereinafter: "Commissioner");
• Personal data is any data relating to a individual whose identity is determined or determinable, directly or indirectly, especially on the basis of an identity marker, such as name and identification number, location data, identifier in electronic communication networks or one or more characteristics of his physical, physiological, genetic, mental, economic, cultural and social identity;
• Special types of personal data are data revealing racial or ethnic origin, political opinion, religious or philosophical belief or trade union membership, genetic data, biometric data, health data , sexual life or sexual orientation of a individual;
• Processing of personal data is any action or set of actions performed automatically or non-automated with personal data or their sets, such as collecting, recording, sorting, grouping, or structuring , storing, adapting or changing, revealing, inspecting, using, revealing by transmission, i.e. delivering, duplicating, disseminating or otherwise making available, comparing, limiting, deleting or destroying (hereinafter: processing);
• The controller is the Company as a legal entity that determines the purpose and method of personal data processing in the sense of ZZPL.
• A processor is a natural or legal person, which processes personal data on behalf of the controller.
• The recipient is a natural or legal person, i.e. the authority to which the personal data has been disclosed, regardless of whether it is a third party or not, unless it is an authority that in accordance with the law, they receive personal data as part of the investigation of a specific case and process this data in accordance with the rules on the protection of personal data related to the purpose of processing;
• A third party is a natural or legal person, i.e. a government authority, which is not the person to whom the data refer, the controller or the processor, as well as the person who is authorized to process personal data under by direct supervision of the controller or processor;
• The consent of the person to whom the data refer is any voluntary, specific, informed and unambiguous expression of the will of that person, by which that person, by a statement or a clear affirmative action, gives consent to the processing of data about individuals related to him;
• A personal data breach is a breach of personal data security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data transmitted, stored or otherwise way processed;
• A representative is a natural or legal person with a residence or headquarters in the territory of the Republic of Serbia who, in accordance with Article 44 of the ZZPL, is authorized to represent the controller or processor in connection with their obligations stipulated by this law.

III PERSONAL DATA PROCESSED BY THE HANDLER

Article 3

The company can process the following personal data of employees:

• Name and surname, address, date and place of birth, gender, marital status, social security number, identity card number, citizenship, health insurance number (LBO);
• Academic and professional qualifications: degree of education, titles, data on skills, knowledge of foreign languages, training, employment history, biography;
• Financial details: bank account number, details of earnings and added benefits;
• Data on the performance of work duties: position, evaluation of the supervisory authority (person), business e-mail address, IP address, access credentials (eg username and password);
• Communication data: e-mail, phone number, emergency contact of relatives, as well as other data necessary for the performance of the employer's obligations prescribed by law and the implementation of the employment contract, or other contractual relationship between the employee and the Company.
• The company can also process certain categories of special types of personal data, such as data on health or religious affiliation, and in accordance with Article 17 of the ZZPL, special types of personal data of employees for the purpose of fulfilling obligations or applying legally prescribed powers in the field of work, social insurance and social protection.

The company does not process a larger number or other type of personal data than is necessary to fulfill the stated purpose. If the processing of special types of data is carried out on the basis of the person's consent (for example, in order to adapt the training conditions to the health condition of the participants), that consent must be given in writing, which includes detailed information about the type of data being processed, the purpose of the processing and the method of processing data.

The Company may process the following user/customer personal data:

• Name and surname, date of birth, place of birth, address of residence, passport number, JMBG, contact e-mail address, contact phone number.

The Company may process the following personal data of job candidates:

• Name and surname, date and place of birth;
• Academic and professional qualifications contained in the work biography and motivation letter (level of education, titles, data on skills, knowledge of foreign languages, trainings, list of previous employers; communication data: e-mail , phone number).

When announcing a job vacancy, the Company does not determine the format of the work resume, but the candidate is left to determine it himself. In this sense, the Company can come into possession of a larger volume of data than presented, at the will of the job candidate. All collected data is stored for a period of up to 1 year for the purpose of subsequent assessment of the need to hire job candidates.

IV SOURCES OF PERSONAL DATA

Article 4

The company collects (electronically, in writing or verbally) personal data directly from the person to whom the data relates: an employee, user or client.

The Company may collect data on employees and job candidates from other sources, primarily former employers, provided that the data is relevant for employment. All data, which are not necessary for processing for the presented purposes, will be permanently deleted.

FOR THE PURPOSE OF DATA PROCESSING

Article 5

The company processes personal data for the purposes specified in the provisions of Articles 6-9 of this Rulebook.

No more data or a wider range of data is processed than is necessary to achieve the stated purposes.

VI RECRUITMENT AND HUMAN RESOURCE MANAGEMENT

Article 6

The Company processes personal data for the purposes of establishing and implementing an employment relationship, including other contractual relationships on the basis of which the Company hires associates and consultants, such as data for the purposes of determining adequacy and qualifications of candidates for certain jobs, for managing working hours and absences, for calculating wages, travel expenses and daily allowances, for determining benefits based on sick leave and other forms of absence from the workplace, for evaluating the progress of employees, for providing additional training and education and for disciplinary procedures.

VII BUSINESS ACTIVITIES

Article 7

The company is engaged in the activity of travel agencies, organization of excursions and mediation in the sale of tourist arrangements in the country and abroad.The company processes personal data for the purposes of organizing tourist arrangements, that is, for the needs accommodation, transportation and accompanying travel documentation. Data during registration is collected directly from the parties in our premises, via e-mail or through an intermediary. Also, if the parties are from another city or country, the data is received by e-mail.

When booking accommodation, the following information is used: name, surname and date of birth, passport or identity card number, phone number, email address, and in some cases a copy of the first page of the passport is also taken. In a situation where we act as an intermediary in the visa application process, we also take information about employment and marital status from the passenger.

Other data such as e-mail and mobile phone are used for the purposes of communication with customers and sending notifications about the time of departure for a trip, notifications about new offers, etc.

Data is stored in our database.

When making a travel insurance policy, we enter the data into the system of the insurance company, where all the mentioned data are entered and the policy is issued from their system.

In accordance with the Law on Tourism, we store all documentation on sold tourist trips, which include travel contracts with individuals and their data, in our reservation system for two years, after which we delete the data from the system .

The data is not used for other purposes, nor is it sent to third parties.

VIII COMMUNICATIONS, INFORMATION TECHNOLOGIES AND INFORMATION SECURITY

Article 8

The company processes personal data for the purpose of managing and maintaining the functioning of the communication and information network, and maintaining information security.

IX COMPLIANCE OF BUSINESS WITH RELEVANT REGULATIONS

Article 9

The company processes personal data for the purpose of fulfilling legal obligations and harmonizing operations with relevant legal regulations, primarily in the domain of labor and tax legislation.

X ACCESS AND TRANSFER OF PERSONAL DATA

Article 10

Only the Controller and employees of the Controller have access to personal data.

Personal data will be accessible to third parties outside the Controllers only in the following cases:

• The Company will transfer personal data to third parties only for the purposes listed below, taking all necessary measures to ensure that personal data is processed and secured in accordance with applicable regulations.
• The Company may hire third parties - service providers - to perform certain data processing operations for the account and on behalf of the Company, in which case the Company has the capacity of controller, and the service providers have the capacity of personal data processors . In this situation, the processor is given only the data necessary to achieve the purpose of the contracted processing, and the processors cannot use them for other purposes. In these cases, the conditions of data processing and the responsibility for data protection will be defined by the contract between the Company and the processor.
• Personal data will be transferred to public authorities only when it is prescribed by law, if the data needs to be forwarded for the implementation of the Agreement.

Processors of personal data do not have the right to process personal data submitted to them for other purposes, except for the performance of tasks assigned to them by the Controller, based on the Agreement. Processors are obliged to comply with all written instructions of the Controller. The Controller undertakes all necessary measures to ensure that the engaged processors strictly comply with the Personal Data Protection Act and the written instructions of the Controller, as well as that they have taken appropriate technical, organizational and personnel measures for protection personal data.

The controller also collects personal data from travelers, i.e. clients from other countries for the purpose of implementing the Travel Agreement. 

The controller transfers personal data to other countries and international organizations for the purpose of implementing the Travel Agreement.

The controller processes personal data in the Republic of Serbia.

XI DATA STORAGE PERIOD

Article 11.

Personal data will not be kept longer than it is necessary to achieve the purpose for which they were processed. If the period of storage of personal data is prescribed by law, the Company will keep the data within the given legal period. After the purpose has been fulfilled, i.e. the expiration of the legally prescribed period for data storage, the data will be permanently deleted.

In accordance with the Law on Tourism, we store all documentation on sold tourist trips, which include travel contracts with individuals and their data, in our reservation system for two years, after which we delete the data from the system .

The data is not used for other purposes, nor is it sent to third parties.

In certain cases, personal data may be stored for a longer period of time, for the purposes of fulfilling legal obligations or to establish, exercise or defend a legal claim, in accordance with applicable laws.

Personal data about employees as well as former employees are stored permanently in the Company's personnel records in accordance with the Law on records in the field of work.

XII THE RIGHTS OF PERSONS WITH REGARD TO THE PROTECTION OF PERSONAL DATA

Article 12

• Right to information
  Employees and other individuals to whom the data refer have the right to be informed about their rights, obligations and related issues to the processing of their personal data, in the sense of ZZPL even before the processing of that data begins.
• Right to access
  Employees and other individuals to whom the data refer have the right to request the Company to provide access to their personal data, i.e. the right to determine the subject, method, purpose and scope of the processing of that data, as well as to ask questions about the processing itself.
• Right to correction and addition
  After the inspection, the individuals to whom the data refer have the right to have the Company  require correction, addition, or updating of processed personal data.
• Right to erasure
  The person to whom the data refers can request from the Company the erasure of their personal data in accordance with the ZZPL, as well as the termination, i.e. temporary suspension of processing.
• Right to withdraw consent for processing
  In situations where the legal basis for processing personal data is the consent of the person to whom the data refer, that person has the right to withdraw the given consent at any time, in writing.
• Right to restriction of processing
  The person to whom the data refers, according to the ZZPL, has the right to request the controller to process his personal data limit.
• Right to data portability
  The person to whom the data refers can request the transfer of personal data to another controller, when it is technically feasible, i.e. when the personal data, which is the subject of the transfer request, is in a structured and machine-readable format.
• The right to object and automated individual decision-making
  If he considers that it is justified in relation to the particular situation he is in, the person to whom to which the data relates, has the right to submit an objection to the processing of his data at any time to the controller, as well as to not apply to that person a decision made solely on the basis of automated processing, including profiling, if that decision produces legal consequences for that person or that the decision significantly affects his position.

The data subject has the right to object to the processing of personal data for the purpose of direct marketing and to request the restriction of processing in some other cases.

In the event that the person to whom the data refers is not satisfied with the Company's response to the request for the fulfillment of rights regarding the protection of personal data, he has the right to file a complaint with the Commissioner for Information of Public Importance and Protection personal data (https://www.poverenik.rs/sr/).

XIII EMPLOYEE OBLIGATIONS

Article 13

Employees are obliged to provide their personal data, which are necessary for the Company to fulfill its legal obligations, as well as to carry out current business.

Employees are obliged to respect and protect the personal data they process during work, in accordance with personnel, technical and organizational measures prescribed by the Manager, i.e. the employer, with the aim of protecting the integrity of personal data and the rights of the individuals to whom the data refer.

Employees can process only those data to which they are allowed access, in accordance with the tasks they perform.

XIV MANUAL AND PERSONAL DATA PROTECTION PERSONALITY

Article 14

Controller:

Controller contact information:

Name of controller: BALKAN ROADS DOO BELGRADE-VRAČAR
Address: ul. Omladinskih brigada no. 98, 1st floor, THE ONE business complex, 11070 New Belgrade
Contact phone: 0112040331
Mail: office@belgradewalkingtours.com

Person designated for the protection of personal data

Interested individuals whose data is subject to processing by the Controller can exercise their rights regarding the protection of personal data as well as all questions and dilemmas regarding their rights to the protection of personal data in contact with the person for the protection of personal data.

The person designated for the protection of personal data for the Controller is:

Name and surname:  Miloš Janković, ul. Vidikovački venac 77
Contact phone 0658585851
Mail: office@belgradewalkingtours.com

According to Article 58 of the ZZPL, the obligations of person designated for the protection of personal data are:

• monitors the implementation of the provisions of the ZZPL, other laws and internal regulations of the controller or processor related to the protection of personal data, including issues of responsibility sharing, awareness raising and training of employees participating in the actions processing, as well as controls;
• gives an opinion, when requested, on the assessment of the impact of processing on the protection of personal data and follows up on that assessment, in accordance with Article 54 of the ZZPL;
• cooperates with the Commissioner, represents a contact point for cooperation with the Commissioner and consults with him in relation to issues related to processing, including notification and obtaining opinions from Article 55 of the ZZPL .

The controller informed the Commissioner about the person designated for the protection of personal data on the prescribed Form and to the required email address licezazastitu@poverenik.rs.

XV TRANSITIONAL AND FINAL PROVISIONS

Article 15.

This rulebook applies from 07/20/2020. i.e. from the date of commencement of the Law on the Protection of Personal Data.