In Serbia, the Law on the Protection of Personal Data ("Official Gazette of RS", No. 87/2018 - hereinafter the Law) is in force, the content of which can be found at link.
JN&AN NIKOLIĆ CONSULTING DOO from Paraćin is the owner of the application at app.kadrovska.app, which allows employers to process their employees' data.
JN&AN NIKOLIĆ CONSULTING DOO from Paraćin concludes the Agreement on the use of the application (use agreement) with legal entities/entrepreneurs (client) and provides them with access to the application. In terms of the provisions of the Law, JN&AN NIKOLIC CONSULTING DOO has a role Processor.
JN&AN NIKOLIĆ CONSULTING DOO concludes the Data Processing Agreement (agreement) in accordance with the Decision on establishing standard contractual clauses ("Official Gazette of RS", No. 5/2020), the content of which can be found at link.
The client in terms of the provisions of the Act has a role Handler. The client independently decides who among his employees will have the status of User of the application. The user of the application accesses the application with the help of a password and username and performs data processing in the application.
JN&AN NIKOLIĆ CONSULTING DOO concluded an Agreement with Telekom Srbija ad Beograd on the use of the telecommunications service Virtual Servers by which it leased space on their servers for storing data that the Client places in the application. In terms of the provisions of the Law, Telekom Srbija ad Belgrade has a role Subprocessor.
Contact Information Processor
JN&AN NIKOLIC CONSULTING DOO
Paraćin, St. Sava 2
35250 Paracin, Serbia
Phone: +381 (0)63 570 9457
Obligations of the Client
The client is obliged to process personal data in accordance with the Law, as well as to apply all data protection measures and ensure the exercise of the rights and freedoms of the persons to whom the data refer.
The client undertakes that JN&AN NIKOLIĆ CONSULTING DOO will issue instructions regarding the processing of personal data in written form, as well as that the same will be clear, precise and in accordance with applicable regulations.
Obligations of JN&AN NIKOLIC CONSULTING DOO
JN&AN NIKOLIC CONSULTING DOO is obliged to process personal data only on the basis of the written instructions of the Client, including instructions regarding the transfer of personal data to other countries or international organizations, unless JN&AN NIKOLIC CONSULTING DOO is obliged by law to process data. In that case, JN&AN NIKOLIC CONSULTING DOO is obliged to inform the Client about this legal obligation before starting the processing, unless the law prohibits the provision of such information due to the need to protect an important public interest.
JN&AN NIKOLIĆ CONSULTING DOO is obliged to warn the Client without delay if it believes that the written instruction received from him is not in accordance with the Law and/or other valid regulation, and in case of doubt regarding its actions, it is obliged to ask the Client's opinion.
JN&AN NIKOLIĆ CONSULTING DOO undertakes, on the basis of entrusted processing operations, in the part of technical measures for which it is responsible, to comply with the following personnel, organizational and technical measures:
- keeps records of all types of processing actions performed on behalf of the Client.
- applies all necessary measures to ensure the confidentiality, integrity and availability of the personal data it processes
- implements all necessary measures to protect personal data using pseudonymization and crypto-protection
- implements all necessary measures to prevent unauthorized physical access to JN&AN NIKOLIĆ CONSULTING DOO resources on which data is processed.
- the application was developed in accordance with the principles of "privacy by design" (built-in privacy - during development, care is taken to ensure that the system has functionalities that protect the privacy of the person whose data is processed) and "privacy by default" (default privacy - the default functionality settings have values that enable the user's privacy to be the greatest possible).
- event diaries (logs) about the user's activities are recorded on the systems that process personal data, which are used for its analysis in the event of an incident. The logs contain information about who initiated the event, the date and time of the event, what type of event it is (view, edit...), whether it was successful or unsuccessful, information about the source (e.g. the IP address of the event initiator), information about object (resource) over which the event occurred.
- implements measures to protect against malicious software (antivirus software, IPS/IDS systems, improving employee awareness...).
- Resources used to process personal data are regularly checked for vulnerabilities. All identified high severity vulnerabilities are fixed as soon as possible.
- has implemented a process for responding and recovering from incidents in order to enable the detection of personal data breaches and inform the Client about it.
- implements measures that ensure that the system/service withstands major business continuity disruptions and re-establishes processing within a short (or agreed upon) period (These are measures such as backups, establishing a DR location, redundant systems, recovery procedures...).
- Technical and organizational measures are improved whenever it proves necessary.
- employees of JN&AN NIKOLIĆ CONSULTING DOO undertake in writing to keep data secret (confidentiality of information), e.g. through contractual clauses, by signing a confidentiality statement. The awareness of JN&AN NIKOLIĆ CONSULTING DOO employees who participate in processing activities is constantly improved and employees are trained for the processing activities in which they participate.
- The personal data entrusted by the Client to JN&AN NIKOLIC CONSULTING DOO are deleted in a secure manner from the resources of JN&AN NIKOLIC CONSULTING DOO when the processing period expires or when those resources cease to be used for processing personal data (their purpose changes, they are discharged, they are scrapped are...).
- Access rights to the systems of JN&AN NIKOLIĆ CONSULTING DOO on which personal data are processed are granted in accordance with the principles of need to know and least privilege (a minimum of privileges necessary to perform the work is granted). The granted rights are reviewed when the employee changes the workplace, or the rights are completely canceled and the employee is assigned new ones needed to work at the new workplace.
- Access to JN&AN NIKOLIĆ CONSULTING DOO systems on which personal data is processed is protected by means of authentication (user account and password, certificate, PIN...). Each user of JN&AN NIKOLIĆ CONSULTING DOO has a personalized user account (one or more if they are system administrators who also use accounts with high levels of privileges) to access systems on which personal data is processed. Each user account is used by only one person.
JN&AN NIKOLIC CONSULTING DOO is obliged to ensure that only persons who need access to personal data in order to fulfill JN&AN NIKOLIC CONSULTING DOO's obligations to the Client have access to that data.
JN&AN NIKOLIĆ CONSULTING DOO is obliged to ensure that the natural person who is authorized to perform personal data processing activities at JN&AN NIKOLIĆ CONSULTING DOO undertakes to keep data confidential or that person is subject to the legal obligation to keep data confidential.
The need for persons to have access to personal data will be reviewed from time to time, and if it is established that the need for a certain person to have access to that data has ceased, the same will be denied access.
JN&AN NIKOLIĆ CONSULTING DOO is obliged to assist the Client in fulfilling the obligations prescribed by the Law.
JN&AN NIKOLIĆ CONSULTING DOO will immediately notify the Client if it receives a request from a person to whom the data refer according to the Personal Data Law.
Security of processing
The client and JN&AN NIKOLIĆ CONSULTING DOO are obliged to implement appropriate protection measures in order to achieve the appropriate level of security in relation to the risk, in accordance with the level of technological achievements and the costs of their application, the nature, scope, circumstances and purpose of the processing, as well as the probability of the occurrence of the risk and the level of risk for the rights and freedoms of natural persons.
When assessing the appropriate level of security, special consideration is given to the risks of processing, and in particular the risks of accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to personal data that have been transferred, stored or otherwise processed.
The Client and JN&AN NIKOLIĆ CONSULTING DOO are obliged to separately assess the probability of occurrence of the risk and the level of risk for the rights and freedoms of natural persons, as well as to determine appropriate protection measures in order to reduce the estimated risk, with the Client being obliged to JN&AN NIKOLIĆ CONSULTING DOO provide all information so that JN&AN NIKOLIC CONSULTING DOO could fulfill this obligation.
If necessary, protective measures include in particular:
- pseudonymization and cryptoprotection of personal data;
- ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- ensuring the establishment of re-availability and access to personal data in case of physical or technical incidents in the shortest possible time;
- implementation of regular testing, assessment and evaluation of the effectiveness of technical, organizational and personnel security measures.
The Client and JN&AN NIKOLIC CONSULTING DOO are obliged to take measures to ensure that any natural person who is authorized to access personal data by the Client or JN&AN NIKOLIC CONSULTING DOO processes such data only on the order of the Client or if required to do so by law.
Regardless of the previous provisions, JN&AN NIKOLIC CONSULTING DOO has the right to disclose any personal data at the request of a court or other state authority in the exercise of their powers prescribed by applicable regulations, with the obligation to immediately notify the Client, as well as to consult with the Client, to the extent possible, about the scope and form of data disclosure.
Personal data breach notification
JN&AN NIKOLIĆ CONSULTING DOO is obliged to inform the Client without undue delay about the violation of personal data that may cause a risk to the rights and freedoms of natural persons, as well as to assist the Client in fulfilling its obligations stipulated by the Law.
Notification of personal data breach must contain at least the following information:
- a description of the nature of the personal data breach, including the types of data and the approximate number of persons to whom that type of data relates, as well as the approximate number of personal data whose security has been violated;
- description of the possible consequences of the injury;
- description of the measures that JN&AN NIKOLIĆ CONSULTING DOO undertook or proposed to be undertaken in connection with the violation, including the measures undertaken in order to reduce the harmful consequences.
JN&AN NIKOLIĆ CONSULTING DOO is obliged to provide all information, required documentation and necessary assistance in the situation, at the request of the Client, in order to eliminate or reduce the possible consequences of the violation of personal data.
If there is a violation of personal data, the Client can temporarily suspend the transfer of data to JN&AN NIKOLIĆ CONSULTING DOO.
Impact assessment on personal data protection
Taking into account the nature of the processing and the information available to it, JN&AN NIKOLIC CONSULTING DOO is obliged to assist the Client in fulfilling its obligation regarding the assessment of the impact of the intended processing actions on the protection of personal data and the obligation to request the opinion of the Commissioner for Information of Public Importance and protection of personal data before starting the processing operation.
JN&AN NIKOLIĆ CONSULTING DOO can entrust the processing to a subprocessor only if the Client authorizes it to do so on the basis of a general or special written authorization. If processing is entrusted on the basis of a general authorization, JN&AN NIKOLIĆ CONSULTING DOO is obliged to inform the Client about the intended choice of a sub-processor, i.e. the replacement of a sub-processor, so that the Client has the opportunity to declare such a change.
The term in which the Client has the right to express his opinion on the selection or replacement of sub-processors, as well as the list of sub-processors approved by the Client, regardless of whether JN&AN NIKOLIĆ CONSULTING DOO is authorized to entrust processing to them on the basis of a general or special written authorization from the Client, is 7 working days.
If JN&AN NIKOLIĆ CONSULTING DOO appoints a sub-processor to perform special processing actions on behalf of the Client, it is obliged to ensure that the same personal data protection obligations established apply to the sub-processor, based on a separate contract or other legally binding act, which has been concluded or adopted in written form, which also includes electronic form, which establishes sufficient guarantees in the relationship between JN&AN NIKOLIĆ CONSULTING DOO and subprocessors for the application of appropriate protection measures that ensure that processing is carried out in accordance with the Law and applicable regulations.
JN&AN NIKOLIĆ CONSULTING DOO is obliged to include a provision in the contract or other legally binding act concluded with the subprocessor, which enables the Client to, in the event of the termination of the existence of JN&AN NIKOLIĆ CONSULTING DOO, for any reason, have the right to require the subprocessor to destroy or return personal data that is the subject of that contract or other legally binding act.
If it entrusts processing to a subprocessor, JN&AN NIKOLIC CONSULTING DOO must be able to demonstrate that the subprocessor is engaged in everything in accordance with the contract between JN&AN NIKOLIC CONSULTING DOO and the Client.
JN&AN NIKOLIĆ CONSULTING DOO is obliged to provide the Client with a copy of the contract or other legally binding act concluded with the subprocessor immediately after the conclusion of the contract or the adoption of another legally binding act. JN&AN NIKOLIĆ CONSULTING DOO has the right not to provide the Client with data from the contract or other legally binding act that does not concern the processing of personal data.
If the subprocessor does not fulfill its obligations regarding the protection of personal data, JN&AN NIKOLIĆ CONSULTING DOO is responsible for fulfilling the subprocessor's obligations to the Client.
Data transfer to other countries or international organizations
The transfer of personal data to another country, to a part of its territory, or to one or more sectors of certain activities in that country, or to an international organization can be carried out in accordance with the provisions of applicable regulations, while ensuring an adequate level of protection of personal data , the realization of all rights and effective legal protection of the persons to whom the data refer.
JN&AN NIKOLIĆ CONSULTING DOO can transfer personal data to another country, to a part of its territory, or to one or more sectors of certain activities in that country or to an international organization only based on the written instructions of the Client.
JN&AN NIKOLIĆ CONSULTING DOO will store all data entered by the Client in the application on the servers of Telekom Srbija ad Beograd.
Work control of JN&AN NIKOLIĆ CONSULTING DOO
JN&AN NIKOLIĆ CONSULTING DOO is obliged to make available to the Client all the information necessary to demonstrate the fulfillment of the obligations of JN&AN NIKOLIĆ CONSULTING DOO prescribed by the applicable regulations, as well as information that enables and contributes to the control of the work of JN&AN NIKOLIĆ CONSULTING DOO, which is carried out by the Client or another person whom the Client it authorizes.
The Client is obliged to inform JN&AN NIKOLIĆ CONSULTING DOO in writing, which includes e-mail, about the found omissions, as well as to give JN&AN NIKOLIĆ CONSULTING DOO an appropriate deadline for their elimination.
Until JN&AN NIKOLIĆ CONSULTING DOO corrects the errors found, the Client can suspend data transfer to JN&AN NIKOLIĆ CONSULTING DOO.
Duration of processing
JN&AN NIKOLIĆ CONSULTING DOO performs processing only for the duration of the Usage Agreement and the Agreement.
Obligations of JN&AN NIKOLIC CONSULTING DOO after the end of the contracted processing operations
After the end of the contracted processing operations, JN&AN NIKOLIĆ CONSULTING DOO is obliged, based on the Client's decision, to delete or return to the Client all personal data and to delete all copies of this data, unless the obligation to store data is prescribed by law.
Subject of processing
The subject of processing through the application is data on employees and related insured persons and other persons employed by the Client whose data the Users enter in the application.
Nature and all processing
The application enables the Client to perform automated storage, sorting, grouping, or structuring of the data that the User enters into the application.
The processing is carried out for the purpose of enabling the Client to use the application.
Method of processing
JN&AN NIKOLIĆ CONSULTING DOO allows the Client automated data processing through the application:
- by storing - after entering data in the field provided for it by the User, the application automatically stores the data on the server.
- sorting - at the request of the User, the application sorts the data.
- grouping - at the request of the User, the application groups data.
- structuring - at the request of the User, the application performs data structuring.
The user does not need to take any actions from JN&AN NIKOLIĆ CONSULTING DOO to work with the application.
Types of persons to whom the data refer
In the application, the user can enter data about employees and their related insured persons and other persons employed by the Client.
Types of Personal Data Entered into the Application
The user can enter the data of employees in the application (name, surname, JMBG, gender, address, email address, current account number, data on insured persons) and other data for the processing of which there is a legal obligation of the Client.
The rights of persons to whom the data refer
Taking into account the nature of the processing, JN&AN NIKOLIC CONSULTING DOO is obliged to assist the Client, as much as possible, in fulfilling the Client's obligations in relation to the requirements for the realization of the rights of the persons to whom the data refer, provided by the Law.
If the person to whom the data refers submits a request for the realization of a right prescribed by the applicable regulations to JN&AN NIKOLIC CONSULTING DOO, for which the Client is responsible, JN&AN NIKOLIC CONSULTING DOO is not authorized to act on such a person's request, but is obliged to immediately inform about it The Client to forward such a request to him, as well as to inform the person who submitted the request that it has been forwarded to the Client.
In the event of the termination of the Client's existence, JN&AN NIKOLIĆ CONSULTING DOO is obliged to act according to the requests of the person to whom the data refer, unless there is a legal successor of the Client, who takes over the rights and obligations of the Client.
Contact details of the Commissioner:
Bulevar Kralja Aleksandra 22
11000 Belgrade, Serbia
Phone: +381 (0)11 340 89 00
Complaint forms: poverinak.rs/sr-yu/zaštita-podataka/formulari-zastita-podataka.html
How you can contact us
If you wish, you can also contact us via regular mail at the address below:
JN&AN NIKOLIC CONSULTING DOO
St. Sava no. 2
35250 Paracin, Serbia