Pursuant to the Law on Personal Data Protection (“Official Gazette of the Republic of Serbia”, No. 87/2018) and Article 198, paragraph 4 of the Companies Act (“Official Gazette of the Republic of Serbia”, Nos. 36/2011, 99/2011, 83/2014 – other law, 5/2015 and 44/2018), Čiča Gliša d.o.o. Bajina Bašta – branch office Taratours Travel Agency, on 21 August 2019, hereby adopts the following:

PERSONAL DATA PROTECTION POLICY

PURPOSE AND OBJECTIVE OF THE POLICY

Article 1

This Personal Data Protection Policy (the “Policy”) is a general internal act, that is, the principal document adopted for the purpose of regulating in more detail the protection of personal data of persons within the Company’s organisation, or otherwise related to it, primarily employees, associates, consultants, and persons engaged by the Company on any other basis, as well as persons with whom the Company maintains a certain form of business cooperation, and whose data the Company processes, such as users and clients, in accordance with the Law on Personal Data Protection of the Republic of Serbia (“Official Gazette of the Republic of Serbia”, No. 87/2018).

Čiča Gliša d.o.o. Bajina Bašta – branch office Taratours Travel Agency, Svetosavska 80, Bajina Bašta, company registration number 06848796, tax identification number 100999540 (the “Controller”), undertakes to guarantee the confidentiality of personal data within the scope of providing travel arrangement services and other tourism-related services in accordance with the Law on Personal Data Protection (the “Law”). The Controller also guarantees security and privacy on the internet platform it uses, located at www.taratours.rs.

The purpose of adopting this Policy is to ensure legal certainty and transparency regarding the processing of personal data of the persons referred to above, as well as to determine the legal basis, purpose of processing, categories of data processed, the rights of natural persons in relation to personal data processing, data protection measures, and related matters.

This Policy also establishes the obligations of employees regarding the protection of personal data of natural persons, in accordance with the law.

The term “employee” includes not only employees within the meaning of the Labour Law, but also persons engaged under service contracts, copyright agreements, consultancy agreements, and similar arrangements, provided that such agreements contain a clause obliging the engaged person to comply with the provisions of this Policy, the text of which forms an annex and integral part of each such individual agreement.

DEFINITIONS AND ABBREVIATIONS

Article 2

  • Law on Personal Data Protection (“Official Gazette of the Republic of Serbia”, No. 87/2018; hereinafter: the “Data Protection Law” or “LPDP”);
  • Labour Law of the Republic of Serbia (“Official Gazette of the Republic of Serbia”, Nos. 24/2005, 61/2005, 54/2009, 32/2013, 5/2014, 13/2017 – Constitutional Court decision and 113/2017) (the “Labour Law”);
  • Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia (the “Commissioner”);
  • Personal data means any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an identifier in electronic communications networks, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person;
  • Special categories of personal data means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data, health data, data concerning a person’s sex life or sexual orientation;
  • Processing of personal data means any operation or set of operations performed on personal data or on sets of personal data, whether by automated or non-automated means, such as collection, recording, classification, grouping or structuring, storage, adaptation or alteration, disclosure, consultation, use, disclosure by transmission or making available, duplication, dissemination or otherwise making available, comparison, restriction, erasure, or destruction (hereinafter: “processing”);
  • Controller means the Company as a legal entity which, within the meaning of the LPDP, determines the purposes and means of the processing of personal data;
  • Processor means a natural or legal person that processes personal data on behalf of the Controller;
  • Recipient means a natural or legal person, or public authority, to whom personal data is disclosed, whether a third party or not, except where public authorities receive personal data in accordance with the law for the purposes of investigating a particular case and process such data in accordance with the applicable personal data protection rules relating to the purpose of the processing;
  • Third party means a natural or legal person, or public authority, other than the data subject, the Controller, the Processor, or a person authorised to process personal data under the direct authority of the Controller or Processor;
  • Consent of the data subject means any freely given, specific, informed, and unambiguous indication of the wishes of the data subject, by which he or she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
  • Representative means a natural or legal person with residence or registered office in the territory of the Republic of Serbia, who is authorised, in accordance with Article 44 of the Law, to represent the Controller or Processor in relation to their obligations under the Law.

PERSONAL DATA PROCESSED BY THE CONTROLLER

Article 3

The Controller may process the following personal data of employees:

  • first name and last name, address, date and place of birth, gender, marital status, personal identification number, identity card number, nationality, and health insurance number;
  • academic and professional qualifications: level of education, titles, information on skills, foreign language proficiency, training, employment history, and CV;
  • financial data: bank account number, salary information, and additional compensation data;
  • work performance data: position, supervisor evaluations, business email address, IP address, and access credentials such as username and password;
  • communication data: email address, telephone number, next-of-kin emergency contact details, and other data necessary for compliance with the employer’s legal obligations and for the performance of the employment contract or any other contractual relationship between the employee and the Controller.

The Controller may also process certain special categories of personal data, such as health data or data on religious affiliation, in accordance with Article 17 of the LPDP, where necessary for the performance of obligations or the exercise of statutory powers in the fields of employment, social insurance, and social protection.

The Controller does not process a greater volume or different categories of personal data than are necessary to achieve the stated purpose. Where special categories of personal data are processed on the basis of the data subject’s consent, for example to adapt training conditions to the participant’s health condition, such consent must be given in writing and must contain detailed information on the type of data processed, the purpose of processing, and the manner in which the data will be used.

The Controller may process the following personal data of users/clients:

  • first name and last name, date of birth, place of birth, residential address, passport number, personal identification number, contact email address, and contact telephone number.

The Controller may process the following personal data of job applicants:

  • first name and last name, date and place of birth;
  • academic and professional qualifications contained in the CV and cover letter, including level of education, titles, information on skills, foreign language proficiency, training, and list of previous employers;
  • communication data: email address and telephone number.

When publishing job vacancies, the Controller does not prescribe the format of the CV, but leaves it to the applicant to determine it. Accordingly, the Controller may come into possession of a broader range of data than stated above, solely through the applicant’s own choice. All collected data shall be retained for up to one year for the purpose of subsequent assessment of the need to engage a particular applicant.

SOURCES OF PERSONAL DATA

Article 4

The Controller collects personal data, by electronic, written, or oral means, directly from the data subject, namely from employees, users, or clients.

The Controller may also collect data relating to employees and job applicants from other sources, primarily former employers, provided that such data is relevant to employment.

Any data that is not necessary for processing for the stated purposes shall be permanently deleted.

PURPOSES OF PROCESSING

Article 5

The Controller processes personal data for the purposes specified in Articles 6 to 9 of this Policy. No greater quantity or broader range of personal data than necessary to achieve such purposes shall be processed.

EMPLOYMENT AND HUMAN RESOURCES MANAGEMENT

Article 6

The Controller processes personal data for the purpose of establishing and managing employment relationships, including other contractual relationships under which the Company engages associates and consultants. This includes data necessary for determining the suitability and qualifications of candidates for certain positions, managing working hours and absences, calculating salaries, travel expenses and daily allowances, determining compensation in the event of sick leave and other absences from work, evaluating employee advancement, providing additional training and education, and conducting disciplinary procedures.

BUSINESS ACTIVITIES

Article 7

The Controller engages in the organisation and sale of travel arrangements and excursions within Serbia and abroad, with Bosnia and Herzegovina as the primary destination, as well as in organising travel for foreign visitors throughout Serbia and the territory of the former Yugoslavia.

The Controller processes personal data for the purpose of organising tourist arrangements, including accommodation, transport, related travel documentation, and other tourism services. Data is collected directly from clients through inspection of documents such as passports or identity cards, as well as via email, SMS, Viber, or telephone.

When making accommodation reservations, the following data is used:

  • first name and last name;
  • address;
  • date of birth;
  • personal identification number where necessary;
  • contact telephone number;
  • email address.

In addition to the above, the passport number is used for transport reservations. Other data, such as the email address and mobile telephone number, is used for communication with clients and for sending notifications regarding departure times, new offers, and similar matters.

The data is stored in the Controller’s database.

When issuing travel insurance policies, the data is entered into the insurance company’s system, where all the above-mentioned data is recorded and the policy is issued through that system. The data is not used for any other purposes and is not disclosed to third parties.

COMMUNICATIONS, INFORMATION TECHNOLOGY, AND INFORMATION SECURITY

Article 8

The Controller processes personal data for the purposes of managing and maintaining the functioning of communication and information networks, as well as maintaining information security.

COMPLIANCE WITH APPLICABLE REGULATIONS

Article 9

The Controller processes personal data for the purpose of fulfilling legal obligations and ensuring compliance with applicable laws and regulations, primarily in the fields of labour and tax law.

ACCESS TO AND DISCLOSURE OF PERSONAL DATA

Article 10

Access to personal data is granted only to the Controller and the Controller’s employees.

The Controller shall disclose personal data to third parties only for the purposes listed below and shall take all necessary measures to ensure that personal data is processed and protected in accordance with applicable laws.

Personal data may be made available to third parties outside the Controller only in the following cases:

  • The Controller may engage third-party service providers to perform certain data processing operations on behalf of and for the account of the Controller. In such a case, the Controller acts as the data controller, while the service providers act as data processors. Only the data necessary for achieving the purpose of the contracted processing shall be disclosed to the processor, and the processor may not use such data for any other purpose. The terms of processing and responsibility for data protection shall be defined in a contract between the Controller and the Processor.
  • Personal data shall be disclosed to public authorities only where required by law.
  • Personal data may also be disclosed where necessary for the performance of a contract.

Processors of personal data are not entitled to process the personal data provided to them for any purposes other than carrying out the tasks assigned to them by the Controller under the contract. Processors are obliged to comply with all written instructions of the Controller.

The Controller shall take all necessary measures to ensure that engaged processors strictly comply with the Data Protection Law and the Controller’s written instructions, and that they have implemented appropriate technical, organisational, and personnel measures for the protection of personal data.

The Controller also collects personal data from passengers and clients from other countries for the purpose of performing travel contracts.

The Controller transfers personal data to other countries and international organisations for the purpose of performing travel contracts.

The Controller processes personal data in the Republic of Serbia.

DATA RETENTION PERIODS

Article 11

Personal data shall not be retained for longer than necessary to achieve the purpose for which it was processed. Where the retention period is prescribed by law, the Controller shall retain the data for the legally prescribed period. Once the purpose has been fulfilled, or upon expiry of the legally prescribed retention period, the data shall be permanently deleted.

In accordance with the Tourism Law, all documentation relating to sold travel arrangements, including the travel contract concluded with natural persons and their personal data, shall be stored in the Controller’s databases for a period of two years, after which the data shall be deleted.

The data shall not be used for other purposes or disclosed to third parties.

In certain cases, personal data may be retained for a longer period for the purpose of complying with legal obligations or for the establishment, exercise, or defence of legal claims, in accordance with applicable laws.

Personal data relating to employees and former employees shall be permanently stored in the Controller’s HR records, in accordance with the Law on Records in the Field of Labour.

RIGHTS OF DATA SUBJECTS IN RELATION TO PERSONAL DATA PROTECTION

Article 12

Right to be informed — Employees and other data subjects have the right to be informed about their rights, obligations, and all matters relating to the processing of their personal data within the meaning of the LPDP, even before such processing begins.

Right of access — Employees and other data subjects have the right to request from the Controller access to their personal data, including the right to be informed of the subject matter, manner, purpose, and scope of the processing, and to ask questions about the processing itself.

Right to rectification and completion — After gaining access, data subjects have the right to request that the Controller rectify, supplement, or update the personal data being processed.

Right to erasure — The data subject may request that the Controller erase his or her personal data in accordance with the LPDP, as well as request cessation or temporary suspension of processing.

Right to withdraw consent — In situations where the legal basis for processing is the consent of the data subject, that person has the right to withdraw the consent given at any time, in writing.

Right to restriction of processing — In accordance with the LPDP, the data subject has the right to request that the Controller restrict the processing of his or her personal data.

Right to data portability — The data subject may request the transfer of personal data to another controller, where technically feasible, and where the personal data subject to the transfer request is stored in a structured and machine-readable format.

Right to object and automated individual decision-making — If justified in relation to his or her particular situation, the data subject has the right at any time to object to the processing of his or her personal data, as well as the right not to be subject to a decision based solely on automated processing, including profiling, where such decision produces legal effects concerning that person or significantly affects his or her position.

The data subject also has the right to object to the processing of personal data for the purposes of direct marketing and to request restriction of processing in certain other cases.

If the data subject is not satisfied with the Controller’s response to a request relating to the exercise of personal data protection rights, he or she has the right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection.

EMPLOYEES’ OBLIGATIONS

Article 13

Employees are required to provide their personal data where necessary for the Controller to fulfil its legal obligations and conduct its ongoing business operations.

Employees are also required to respect and protect the personal data they process during the course of their work, in accordance with the personnel, technical, and organisational measures prescribed by the Controller, that is, the employer, for the purpose of protecting the integrity of personal data and the rights of the data subjects.

Employees may process only the data to which they have been granted access, in accordance with the tasks they perform.

CONTROLLER AND DATA PROTECTION OFFICER

Article 14

Controller:

  • Controller name: Čiča Gliša d.o.o. Bajina Bašta – Taratours Travel Agency
  • Address: Svetosavska 80, Bajina Bašta
  • Telephone: 031/861-501; 031/861-467
  • Email: office@taratours.rs

Data Protection Officer:

Interested individuals whose personal data is processed by the Controller may exercise their personal data protection rights, and address any questions or concerns relating to those rights, by contacting the Data Protection Officer.

  • Name: Goran Glišić
  • Telephone: 064/6259194
  • Email: goran@taratours.rs

In accordance with Article 58 of the Law, the duties of the Data Protection Officer are to:

  • inform and advise the Controller or Processor, as well as employees who carry out processing operations, of their legal obligations in relation to personal data protection;
  • monitor compliance with the provisions of the Law, other applicable laws, and the internal regulations of the Controller or Processor relating to personal data protection, including the allocation of responsibilities, awareness-raising and training of employees involved in processing operations, and relevant audits;
  • provide advice, where requested, with regard to data protection impact assessments and monitor their implementation, in accordance with Article 54 of the Law;
  • cooperate with the Commissioner, act as the contact point for cooperation with the Commissioner, and consult with the Commissioner on matters relating to processing, including notifications and requests for opinions under Article 55 of the Law.

The Controller has informed the Commissioner of the appointment of the Data Protection Officer using the prescribed form and the designated email address: licezazastitu@poverenik.rs.

TRANSITIONAL AND FINAL PROVISIONS

Article 15

This Policy shall apply from 21 August 2019, that is, from the date of commencement of application of the Law on Personal Data Protection.

Director of the Controller

Goran Glišić