Last Updated: March 11, 2022
TWO RIVERS DRUŠTVO SA OGRANIČENOM ODGOVORNOŠĆU BEOGRAD, with registered seat in Belgrade Serbia, 22 Topolska Street, registration number: 20186879, TIN: 104573671 (hereinafter: “Data Controller“) hereby informs visitors of the website www.tworivers.rs, whose data is processed (hereinafter: “Visitors“), in terms of the Law on Personal Data Protection (“Official Gazette of the Republic of Serbia”, No. 87/2018, hereinafter: “Law“), on all relevant aspects of regarding personal data processing that take place in accordance with applicable regulations.
The Data Controller reserves all copyrights for the use of photographs, texts and other published materials, in terms of positive legal regulations in the Republic of Serbia. Photos, texts and other material must not be published, sold, publicly or privately made available or otherwise used without our consent. Non-compliance with this conditions carries with it the responsibility and obligation to compensate the Data Controller for violations of positive rights.
1. Introduction
1.1 This Privacy Policy regulates the collection and processing of personal data within the Data Controller’s Web site: www.tworivers.rs.
1.2 The definitions and expressions in this Privacy Policy correspond to the definitions and expressions contained in the Law. The Data Controller is committed to respecting the legislation of the Republic of Serbia, which regulates the protection of personal data, as well as respect for the protection of basic human rights and freedoms, primarily the right to privacy of persons whose personal data the Company processes.
1.3 By clicking “Accept Cookies” button, or otherwise marked button with essentially the same function, in a pop-up window that is displayed to new users of the website www.tworivers.rs on their first visit to the website, will be considered an active, willing action to establish a lawful legal basis for the collection and processing of data in the manner and purposes described in this Privacy Policy, without any reservations. The Data Controller will be able to prove, through electronic record (log), or otherwise, that the person to whom the data relates has committed the aforementioned active, voluntary action confirming that he is aware and agrees with this Privacy Policy. The specified electronic record (log) shall be considered legally valid and sufficient proof of consent given, pursuant to Article 15 paragraph 1 of the Law.
1.4 This Privacy Policy may be modified at any time and change which is made will be displayed on the website www.tworivers.rs. In this case, data subject will be asked to give new consent for the processing of personal data, pursuant to changes made to this Privacy Policy.
1.5 Rules governing the collection of personal data through Cookies will be specified under the special Cookie Policy. All provision relating to consent to the Privacy Policy within the intended pop-up window, as well as the preservation of the proof form – electronic record (log), as well as how to modify and notify the persons to which the data relates to the changes made, will also be fully applied to the used cookies.
1.6 For any additional questions regarding the rules and terms of this Privacy Policy, you can contact the address: dpo@ifgrupa.com
2. Data processed by Data Controller
2.1 The Data Controller can collect different categories of personal data, which are used for different purposes and on different legal grounds. Typically, it is a data set that enables the identification of the person whose data is processed, communicating with the person whose data is processed or necessary to provide a specific service at the request of that person, i.e. to fulfill the legally prescribed obligations of the Data Controller, which include:
a) The name, surname, and e-mail address that the page visitor leaves under the Contact section in order to make a business contact with the Data Controller;
b) Data collected through cookies enabled by the user, i.e. whose use data subject agreed to, which are described in the separate Cookie Policy.
2.2 Personal data is collected only to the extent that it is necessary for specific purposes to be achieved.
2.3 On Data Controller’s website exist links which are leading to the Data Controller’s pages on social media (Facebok, Instagram, Linkedin). All data collected by the specified platforms during your visit, as well as any data you willfully leave on the specified social networks, is applied, in addition to this Privacy Policy, and the rules prescribed by the specified platforms (Terms of Service/Terms of Use, Privacy Policy, Cookie Policy). The Data Controller cannot be held responsible for any form of illegal use of personal data, committed by the companies in which they are owned or controlled by social networks. Privacy policies for these platforms can be found on the following links. Privacy policies for the specified platforms can be found on the following links:
a) https://www.facebook.com/policy.php
b) https://help.instagram.com/519522125107875/?maybe_redirect_pol=0
c) https://www.linkedin.com/legal/privacy-policy
3. Legal ground for data processing
3.1 The legal ground for processing personal data is the free and informed consent of the data subject, i.e. their consent for the purposes specified in this Privacy Policy, pursuant to Article 12 paragraph 1 of the Law.
4. Purpose of data processing
4.1 The Data Controller uses the data for different purposes that are always directly related to the legal basis of processing. The Data Controller offers different types of services to legal entities, entrepreneurs, individuals and to establish a business relationship, collect and process certain personal data. This is especially related to the data provided through the www.tworivers.rs page by the page’s visitor to make business contact with Data Controller and to receive a non-binding offer to provide services. Processing can be done for contact in order to negotiate the conclusion of the contract and to execute other possible obligations in the contractual relationship. If business cooperation occurs later, The Data Controller will provide the business partner with a special notification about the processing of personal data concerning the contractual relationship. For all additional purposes of processing for which the need arises, the person to whom the data relates will be notified of all necessary information, prior to the commencement of such processing actions, and the processing itself will be based on the appropriate legal basis, in accordance with the law. The purpose of cookie processing is defined under the separate Cookie Policy.
5. Personal Data Disclosing and Transfer
5.1 The data may be disclosed to other business partners, if necessary, to related persons of the Data Controller on the territory of the Republic of Serbia, employees of the Data Controller, companies that perform the security of space, property and persons, legal service providers, IT service providers, state bodies (State Audit Institution), persons who are in contractual relationship with the Manager (Data Processors) and who are entrusted with certain in accordance with the law prescribed conditions relating to information security, the obligation to maintain secrecy and contractual regulation of rights and obligations). All persons are obliged to act in accordance with all provisions of the Law regarding the security of personal data processing.
6. Data subject rights in connection with the processing of Personal Data
6.1 Data subject may request: 1) access to Personal Data, 2) update of personal data, and 3) deletion of Personal Data. In addition, the following rights may be exercised: 1) the right to limit the processing of Personal Data, 2) the right to transfer personal data and 3) the right to file a complaint with the Commissioner for Information of Public Importance and protection of personal data. In order to achieve the right, the request shall be submitted via email to: dpo@ifgrupa.com.
6.2 Certain rights (e.g. the right to be deleted), in certain situations may be subject to legally prescribed restrictions, and the use of them may have different legal consequences, in accordance with the law (e.g. inability to provide certain services, liability for damages, etc.).
7. Personal data protection
7.1 The Data Controller within his business organization strives to apply the highest possible standards in the area of personal data protection, and implements all necessary organizational, technical and personnel measures.
7.2 Accordingly, the Data Controller’s introduces policy which stipulates that within the technical measures of the Company, the production, processing, processing and access of data, documents and information is performed on the company’s management systems document (among others: Microsoft Sharepoint Portal, File Server, Archive Server, Microsoft NAV, Pantheon, etc.). The Data Controller ensures that employees are obliged to produce and process data, documents and information on company computers and associated storage devices, while keeping confidential data and documents is prohibited on the same. Additionally, the data is stored on document management and ERP solutions within the predefined site structures, sites, and document of libraries that have predefined access rights. All company computers and external storage devices are protected by “bitlocker” encryption. Users access all IT services based on a multi-tier authentication system (“MFA”) controlled by Microsoft Active Directory and Network Access Protection (NAP). In addition, Data Controller ensures that employees do not use arbitrarily determined systems, and internal procedures prohibit the use of private, public and cloud computer resources and storage systems for processes of creation, processing, storage and access to data, documents, and information. Finally, Data Controller periodically implements the education of employees regarding the safety of the use of system applications.
7.3 All processors and/or other recipients of personal data are also obliged to apply all prescribed safeguards, in accordance with the signed contract with the Data Controller and the law prescribed standards and obligations.
8. Personal Data Retention Period
8.1 The Data Controller store the data in the period necessary for a specific, concrete purpose of processing to be achieved, after which the data is deleted or made unrecognizable (annuity measures). The specific retention period, i.e. criteria on which it can be determined, depends on the purpose for which personal data is processed.
8.2 When Personal Data is processed by the Data Controller based on consent, data collected for the purposes of obtaining a business contact, the Data Controller then stores personal data in its databases until the consent revocation.
8.3 Data collected through internet browsers and cookies is stored within period provided by cookies accepted by the person to whom the data refers, as described in the Data Controller Cookie Policy.
8.4 Additional information about the retention periods and way of storing can be found in separate notifications.
9. Additional information
9.1 Personal data collected through the www.tworivers.rs website is not transferred from the Republic of Serbia, except for the possible use of third-party cookies, for which the Data Controller cannot be held responsible. The servers used to transfer data are located within EEA countries where an appropriate level of personal data protection is provided. If, in exceptional cases, data transfer is carried out through servers outside the EEA, such data transfer will be carried out with appropriate safeguards in accordance with the law.
9.2 In case of the need to take personal data to another state or outside the territory of the Republic of Serbia, the transfer will be made in accordance with all rules prescribed by the applicable Law, with the application of standard contractual clauses prescribed by the Commissioner for Information of Public Importance and protection of personal data.
9.3 Providing data by the data subject is not a legal or contractual obligation, when it comes to using of the website. Failure to provide the requested data may have as a result only inability to establish the contact, necessary for further communication, or the inability to use the services available on the www.tworivers.rs website.
9.4 When processing data collected through the Data Controller web site, the Data Controller does not use any automated decision-making or profiling of the persons to whom the data refers.
Belgrade, March 11, 2022