Pursuant to the Law on Protection of Personal Data (“RS Official Gazette”, No. 87/2018) and Article 198, paragraph 4 of the Companies Act (“RS Official Gazette”, No. 36/2011, 99/2011, 83/2014 , – ect. Law, 5/2015 and 44/2018) Company EOS TRAVEL & WEB DOO Paraćin , on 21.08.2019. brings:
RULE BOOK
ON PROTECTION OF PERSONAL DATA
PURPOSE AND OBJECTIVE OF THE REGULATIONS
Article 1.
The Rulebook on the protection of personal data (hereinafter: the Rulebook) is a general act, that is, the main document, which was adopted for the purpose of regulating more closely the protection of personal data of persons who are within the organization of the Company, or in connection with it (above all, employees, associates, consultants and persons otherwise engaged by the Company, as well as persons with whom the Company has a certain form of business cooperation, and whose data the Company processes, eg users and clients), in accordance with the Law on Personal Data Protection Of the Republic of Serbia (“Official Gazette of RS”, No. 87/2018).
EOS TRAVEL & WEB DOO Paraćin, Vojvode Mišića 31/3, MB: 20348771, PIB: 105299784 (hereinafter referred to as “the Operator”) undertakes to guarantee the confidentiality of personal data in the framework of the provision of tourist travel organizing services and other tourist services in accordance with the Law on Personal Data Protection (hereinafter referred to as the Law). The Operator also guarantees the security and privacy of the Internet platform he uses, located at www.eostravelweb.com.
The aim of passing the Rulebook is to provide legal certainty and transparency regarding to the processing of personal data of the persons referred to in paragraph 1 of this Article, as well as to establish the legal basis, purpose of processing, types of data processed, rights of persons with regard to the processing of personal data. personalities, data protection measures, etc.
The Rulebook also establishes obligations of employees regarding the protection of personal data of persons, in accordance with the law.
The term “employee” includes, in addition to employees within the meaning of the Labor Law, persons hired on the basis of employment contracts, copyright contracts, consultancy contracts, and which contracts contain a clause obliging the Company to be hired by complies with the provisions of this Rulebook, and the text from it is annexed and an integral part of each individual contract.
TERMS AND ABBREVIATIONS
Article 2
• Property Data Protection Law (“RS Official Gazette”, No. 87/2018, hereinafter: “Data Protection Act”, “DPA”);
• Labor Law of the Republic of Serbia (“RS Official Gazette”, 24/2005, 61/2005, 54/2009, 32/2013, 5/2014, 13/2017 – Constitutional Court decision and 113/2017);
• Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia (hereinafter referred to as “the Commissioner”);
• Personality information is any information relating to an individual whose identity is determined or identifiable, directly or indirectly, especially based on an identity tag, such as name and identification number, location data, identifiers in electronic communications networks or one, that is, more features of his physical, physiological, genetic, mental, economic, cultural and social identity;
• Specific types of personal data are data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs or membership in a union, genetic data, biometric data, data on a person’s health, sexual life or sexual orientation;
• Processing personal data is any action or set of actions that is performed automated or non-automated with personal data or data sets, such as collecting, recording, sorting, grouping, or structuring, storing, rendering or modifying, disclosing, insight, use , detecting by transmitting, or delivering, duplicating, disseminating or otherwise making available, comparing, restricting, deleting or destroying (hereinafter: processing);
• The Operator is the Company as a legal entity, which in terms of Property Data Protection Law determines the purpose and manner of processing personal data.
• The Processor is a natural or legal person, who processes personal data on behalf of the Operator.
• “Recipient” means a natural or legal person, or authority, to whom personal data have been disclosed, whether it is a third party or not, unless it is a public authority that in accordance with the law receives personal data within investigate a particular case and process this data in accordance with personal data protection rules pertaining to the purpose of the processing;
• “third party” means a natural or legal person, or authority, other than the data subject, the Operator or the Processor, or the person authorized to process personal data under the direct control of the Operator or Processor;
• “consent” of the data subject is any voluntary, specific, informed and unambiguous expression of the will of that person, by which that person, by a statement or clear affirmative action, consents to the processing of personal data related to him / her;
• “personal data violation” means a violation of personal data security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that has been transmitted, stored or otherwise processed;
• “Representative” means a natural or legal person residing or having a head office in the territory of the Republic of Serbia who, in accordance with Article 44 of this Law, is authorized to represent the Operator or Processor in connection with their obligations under this Law.
DATA ABOUT PERSONALITY PROCESSED BY THE OPERATOR
Article 3
The Company may process the following personal data of employees:
• First and last name, address, date and place of birth, gender, marital status, identification number, ID card, citizenship, health insurance number (LBO);
• Academic and professional qualifications: level of education, titles, data on skills, knowledge of foreign languages, training, employment history, curriculum vitae;
• Financial information: bank account number, earnings data and additional fees;
• Information on performance of work responsibilities: position, assessment of supervisory authority (persons), business e-mail address, IP address, access credentials (eg username and password);
• Communication data: e-mail, telephone number, contact of an emergency relative, as well as other data necessary for the fulfillment of legally prescribed obligations of the employer and the realization of employment contracts, namely another contractual relationship between the employee and the Company.
• The Company may also process certain categories of special types of personal data, such as health data or religious identity data, and in accordance with Article 17 of the LPPC, special types of personal data of employees for the purpose of fulfilling their obligations or exercising their statutory powers in the field of work, social security and social security.
• The Company does not process large number or any other type of personal informations than is necessary to fulfill the stated purpose. If the processing of specific types of data is done on the basis of a person’s consent (for example, in order to adapt the training conditions to the trainees’ health status), that consent must be given in writing, which contains detailed information on the type of data being processed, the purpose of the processing and how data is used.
The Company may process the following customer / client identity information:
• Name and surname, date of birth, place of birth, address of residence, passport number, JMBG (Unique Master Citizen Number), contact e-mail address, contact telephone.
The Company may process the following information on the candidate’s personal identity:
• First and last name, date and place of birth;
• Academic and professional qualifications contained in the CV and cover letter (education level, titles, skills, foreign language skills, training, list of previous employers; communication data: e-mail, telephone number).
When announcing an open competition for employment, the Company does not determine the form of the CV, but leaves it to the candidate to determine it himself. In this sense, the Company may come into possession of a larger volume of data than presented, by the will of the job candidate. All data collected is stored for up to 1 year for the purpose of ex-post evaluation of the need to hire job applicants.
SOURCES OF PERSONAL DATA
Article 4
The Company collects (electronically, in written or verbally) personal data directly from the data subject: employee, user or client.
The Company may collect information about employees and job applicants from other sources, former employers in particular, in case the provided informations are relevant for employment. All data that is not necessary will be permanently deleted.
PURPOSE OF DATA PROCESSING
Article 5
The Company processes personal data for the purposes specified in the provisions of Article 6-9 of this Ordinance.
No more data or a wider range of data is processed than it is necessary to achieve the stated purposes.
EMPLOYMENT AND MANAGEMENT OF HUMAN RESOURCES
Article 6
The Company processes personal data for the purposes of establishing and implementing employment, including other contractual relationships by which the Company engages associates and consultants, such as data for the purposes of determining the adequacy and qualifications of candidates for certain positions, for managing working hours and absences, to calculate wages, travel expenses and per diems, to determine sickness and other forms of benefits, to evaluate employee progress, to provide additional training and education and to disciplinary action.
BUSINESS ACTIVITIES
Article 7
The company deals with the organization and sale of tourist arrangements abroad (Greece, Cyprus and Bulgaria). The Company processes personal data for the purposes of organizing tourist arrangements, that is, for accommodation, transportation and accompanying travel documents. Informations are collected directly from the parties by looking at the documents (passport or ID card), by mail, orally by telephone or by the clients directly making the reservation through the Company’s online system.
When booking accommodation the following informations are used: name, surname, date of birth, address, telephone number and email. In addition to this informations, passport number information is also used for booking a transport.
Also, data such as e-mail and mobile phone are used for communication with clients and sending travel time announcements, notifications of new offers, etc.
The data is stored in our database, agency reservation system, File Maker, our vendor exchange system, Master Web, as well as in external files for sending SMS and Newsletter via Mail Chimp.
When creating a travel insurance policy, we enter informations into the insurance company system where all the above mentioned informations entered and the policy issues from their system are entered.
Informations are not used for other uses, or sent to third parties.
COMMUNICATIONS, INFORMATION TECHNOLOGIES AND INFORMATION SECURITY
Article 8
The Company processes personal data for the purpose of managing and maintaining the functioning of the communication and information network, as well as maintaining information security.
COORDINATION OF BUSINESS WITH RELEVANT RULES
Article 9
The Company processes personal data for the fulfillment of legal obligations and harmonization of operations with the relevant legal regulations, primarily in the field of labor and tax legislation.
ACCESS AND ACCESSION OF PERSONAL DATA
Article 10
Only the Operator and the Operators employee have access to personal data.
Personality information will only be available to third parties outside of the Operators in the following cases:
• The Company will only disclose personal information to third parties for the purposes set out below, taking all necessary steps to ensure that personal data are processed and provided in accordance with applicable regulations.
• The Company may engage third parties – service providers – to perform individual data processing operations for the account and on behalf of the Company in which case, the Company has the capacity of Operator and the service providers the capacity of personal data Processor. In this situation, only the data necessary for the accomplishment of the purpose of the contracted processing is given to the processor, and the processor cannot use it for other purposes. In these cases, the terms of the data processing and the responsibility for data protection will be defined by the contract between the Company and the processor.
• Personal data will only be made available to public authorities when required by law.
• If the information needs to be forwarded in order to implement the Contract.
Personal data processors have no right to process personal data provided to them for purposes other than performing the tasks assigned to them by the Operator, based on the Agreement. Processors are obliged to comply with all written instructions of the Operator. The Operator shall take all necessary measures to ensure that the hired operators strictly adhere to the Personal Data Protection Law and the written instructions of the Operator, as well as to take appropriate technical, organizational and personnel measures to protect the personal data.
The operator also collects personal data from travelers or clients from other countries for the purpose of implementing the Travel Agreement.
The operator transfers personal data to other countries and international organizations for the purpose of implementing the Travel Agreement.
The operator processes personal data in the Republic of Serbia.
DATA STORAGE RULES
Article 11
Personal data will not be retained for longer than is necessary for the purpose for which they were processed. If the term of keeping personal data is prescribed by law, the Company shall retain the data within the given legal period. Upon fulfillment of the purpose, meaning, expiry of the statutory time limit for keeping the data, the data will be permanently deleted.
In accordance with the Law on Tourism, we keep all documentation about sold tourist trips, which include the Travel Contract with individuals and their data, in our reservation system for two years, after which we delete the data from the system.
The data is not used for other uses, nor is it sent to third parties.
In certain cases, personal data may be stored for an extended period of time, for the purposes of fulfilling legal obligations or for establishing, exercising or defending a legal claim, in accordance with applicable laws.
Personal data on employees and former employees are permanently stored in the Company’s personnel records in accordance with the Law on Records in the Field of Work.
PERSONAL RIGHTS WITH REGARD TO THE PROTECTION OF PERSONAL DATA
Article 12
• Right to be informed
Employees and other data subjects have the right to be informed of their rights, obligations and issues related to the processing of their personal data, within the meaning of the Property Data Protection Law, even before the processing of such data begins.
• Right to access
Employees and other data subjects have the right to request from the Company to provide access to their personal data, in means to have the right to determine the subject, manner, purpose and extent of the processing of such data, as well as to ask questions about the processing itself.
• Right to rectification and amendment
Upon completion of the inspection, data subjects have the right to request from the Company to correct, supplement, or update the processed personal data.
• Right to delete
The data subject may require the Company to delete their personal data in accordance with the Property Data Protection Law, as well as to interrupt or temporarily suspend processing.
• Right to withdraw processing consent
In situations where the legal basis for the processing of personal data is the consent of the data subject, that person shall have the right to withdraw that consent at any time, in writing.
• The right to limit processing
The data subject, in accordance with the Property Data Protection Law, has the right to require the operator to restrict the processing of his personal data.
• Right to data portability
The data subject may require the transfer of personal data to another operator, when technically feasible, or when the personal data subject to the transfer request is in a structured and machine-readable format.
• Right to object and to make individual decisions automatically
If it considers it justified in relation to the particular situation it is in, the data subject shall have the right to object at any time to the operator for the processing of his or her data, and not to be subject to a decision taken solely on the basis of automated processing, including profiling, if that decision produces legal consequences for that person or that decision significantly affects his or her position.
The data subject has the right to oppose the processing of personal data for the purpose of direct marketing and to request a restriction of processing in other cases.
In case the data subject is not satisfied with the Company’s response to the request for fulfillment of the rights regarding the protection of personal data, it has the right to file a complaint with the Commissioner for information of public importance and protection of personal data (https://www.poverenik.rs/sr/).
OBLIGATIONS OF EMPLOYEES
Article 13
Employees are obliged to submit their personal data, which are necessary for the Company to fulfill its legal obligations, as well as to carry on its current business.
Employees are obliged to respect and protect the personal data they process during work, in accordance with the personnel, technical and organizational measures prescribed by the Operator or employer, in order to protect the integrity of the personal data and the rights of the data subject.
Employees can only process data that they are allowed to access, in accordance with the tasks they perform.
OPERATOR AND PERSONAL PROTECTION PERSON
Article 14
Operator:
Contact information about the Operator:
Name of Operator: EOS TRAVEL & WEB DOO Paraćin
Address: st. Vojvode Mišića 31/3, Paraćin
Contact phone: 00381 35 700404, 00381616612372
Mail: eostravel@gmail.com
Personal Data Protection Officer:
Interested persons whose data are subject of Operators processing may realize their rights on protection of personal data as well as any questions and dilemmas regarding their rights to protection of personal data by making contact with a person for protection of personal data.
The personal data protection officer of the Operator is:
Name: Jelena Jovčić
Contact phone: 061/6612372
Mail: eostravel@gmail.com
Pursuant to Article 58 of the Law, the obligations of persons for protection of personal data are:
informs and gives opinion to the operator or processor, as well as to employees who perform processing operations on their legal obligations regarding the protection of personal data;
monitor the implementation of the provisions of this Law, other laws and internal regulations of operators or processors related to the protection of personal data, including issues of responsibility sharing, awareness raising and training of employees involved in processing operations, as well as controls;
give an opinion, when requested, on the assessment of the impact of processing on the protection of personal data and monitor the conduct of that assessment, in accordance with Article 54 of this Law;
cooperates with the Commissioner, represents the contact point for cooperation with the Commissioner and advises him on issues related to processing, including notification and obtaining the opinion referred to in Article 55 of this Law.
The manager informed the Commissioner about the person for protection of personal data on the prescribed Form and at the required mail address licezazastitu@poverenik.rs.
TRANSITIONAL AND FINAL PROVISIONS
Article 15
This Regulation shall apply from 21.08.2019. year, meaning, from the date of application of the Law on Personal Data Protection.
Director
_______________________________