LENJIVAC BEG with headquarters at: MIHAJLA PUPINA 25, BELA CRKVA, registration number: 67118707; PIB: 113834073, el. address: info@lenjivac.com (hereinafter: Society), enacted on 01.08.2023. years, this Privacy Policy.

1. Introductory provisions

On behalf of the company, we are committed to protecting the privacy of all our customers. We collect only the necessary, basic information about customers/ users and data necessary for business and informing users in accordance with good business practices and in order to provide quality service. We give customers a choice including the ability to decide whether or not they want to be deleted from the mailing lists used for marketing campaigns. All user/customer data is strictly stored and is only available to employees who need this data to perform their work. All employees of Lazivac BEG (and business partners) are responsible for respecting the privacy principles.

1.1. The purpose of this Privacy Policy is to regulate the company's internal privacy policy, rules and procedures in accordance with the EU General Data Protection Regulation (GDPR). General Data Protection Regulation, hereinafter referred to as: “GDPR") and the personal data protection act ("Sl. glasnik RS", br. 87/2018) - hereinafter: "Law“.
1.2. The definitions and expressions in this Privacy Policy correspond to the definitions and expressions contained in the law.
1.3. The company is committed to respecting the legislation of the Republic of Serbia regulating the protection of personal data and the GDPR, as well as respecting the protection of basic human rights and freedoms, and above all the right to privacy of persons whose personal data are processed by the company.
1.4. The company collects and processes data, which are defined in detail in point 2.1. this Privacy Policy.
1.5. The relevant legislation of the Republic of Serbia, the GDPR and this Privacy Policy apply to all data processing activities by the company. By persons means the customers and clients of the company, the persons who negotiate with the company, and later give up business cooperation with the company and third parties interested (hereinafter: "persons").
1.6. Employees of the company who are engaged are obliged to respect and apply this Privacy Policy in their work. In case of violation of this Privacy Policy, GDPR or the law, the relevant laws will apply, as well as the internal procedures prescribed by this Privacy Policy (provided in Section 6 of this Privacy Policy).
1.7. Third parties who cooperate in any way with the company and who may have access to data processed by the company in the framework of such cooperation are expected to have read this Privacy Policy and comply with it. No third party shall have the right to access the data processed by the company before signing an appropriate confidentiality agreement with the company, i.e. a contract on joint data processing or a contract between the controller and the processor on data processing.

2. Data processed by the company

2.1. The company processes the following data from persons:
( a) the name and surname;
b) address of residence;
c) e-mail address;
d) contact phone.
Hereinafter referred to together as:"Data”.
2.2. The data is collected in order for the company to comply with all legal and bylaws related to the performance of its activities, including the law on trade, the law on obligations, the law on consumer protection as well as other laws and bylaws.
2.3. The company is legally obliged to collect the data referred to in point 2.1 in relation to persons who are domestic citizens. this Privacy Policy. In relation to persons who are foreign citizens, the company is obliged by law to collect the following personal data: 1) name and surname, 2) address of residence, 3) e-mail address and 4) contact phone.
2.4. The company may enter into a joint handling agreement with another company to determine the type and purpose of data collection.

3. The company as a handler

Data processed by the company as a controller

3.1. The company as the controller processes the data of the following persons:
(a) the company's customers and customers;
(B) persons who negotiate with the company and later withdraw from the business cooperation with the company.
3.2. In the event that the company is required to process data of categories of persons other than those mentioned in paragraph 3.1 in the future, the company will do so in accordance with the law and the GDPR without having to make any amendments to this Privacy Policy. However, if such data processing becomes systematic and / or involved in the day-to-day activities of the company, this Privacy Policy will be amended accordingly.
3.3. A detailed description of the categories of data subjects and other relevant information regarding the data being processed can be found in the data processing records that the company regularly updates.

Purpose of data processing

3.4. The data is collected in order for the company to comply with all legal obligations, relating to its business, for statistical purposes, marketing purposes and in general for the purposes of selling goods.
3.5. In the event that the company at any time comes into a situation where it is necessary to process the data of the person referred to in point 3.1. for any other purpose, the company will do so in accordance with the requirements of the relevant legislation of the Republic of Serbia and the GDPR without having to make any amendments to this Privacy Policy. However, if such data processing becomes systematic and / or involved in the day-to-day activities of the company, this Privacy Policy will be amended accordingly.
3.6. The company has set deadlines for data retention that are fully in line with the specific purpose of processing, so such deadlines are found on the records of data processing kept by the company. The company will periodically review the retention periods and change them if it deems it necessary.
3.7. The processing activities of the company do not include profiling or any form of Automatic Data Processing aimed at evaluating certain personal aspects of the data subject, such as aspects related to the economic, health situation and personal preferences of the person, as well as other personal aspects.
3.8. Additional details on data processing and retention periods can be found in the company's data processing records.

Legal basis for data processing

3.9. The company identifies the legal basis for the processing of data before commencing the processing activities by clearly identifying, defining, and, where applicable, documenting the specific purpose of the processing and the appropriate legal basis.
3.10. At the time of adoption of this Privacy Policy, the company processes data on the basis of the consent of the person and on the basis of the law.
3.11. In the event that data processing is carried out on the basis of the consent of the person, the form and content of such consent will be in accordance with the provisions of the law and the GDPR. an example of the consent form for data processing is provided in Annex 1 of this Privacy Policy, but the Company reserves the right to change it, in case of changes to the relevant legal regulations. If consent is required in the case of certain data processing, the consent form for data processing may be provided as part of other documentation or as part of a contract concluded by the company with a third party, but always in a clear and transparent manner. For the avoidance of doubt, in the event that a person gives consent to the processing company, such consent shall be able to be revoked by the person at any time.
3.12. In the event that the company decides to process data on the basis of legitimate interest, the Company shall, in accordance with the specific case, carry out appropriate tests to determine whether the specific legitimate interest is contrary to the interests and fundamental rights of the data subject, and if it turns out that it is, the company will not process such data.
3.13. The specific legal basis for each processing activity is established in the data processing records kept and regularly updated by the company.

Data processing contracts

3.14. The contracts concluded by the company with its processors will contain all relevant provisions prescribed by law and the GDPR.

Data Transfer

Data processing records

3.15. In order to comply with relevant regulations and establish good practice, the company keeps up-to-date records of the data processing it performs as a controller. The company reserves the right to change the data processing records, in case of changes to the relevant legal regulations.

4. Technical measures

4.1. The company is committed to taking appropriate technical measures aimed at ensuring optimal data protection, in relation to all categories of data processed by the company.

Data anonymization and pseudonymization.

4.2. All data processed by the company is anonymized (encrypted).
4.3. The data collected for statistical purposes are collected in such a way that a technical measure of pseudonymisation is applied.

Work-related face-to-face practice

4.4. The company applies the established procedure to prevent access to the system to persons who are no longer employed by the company.

Testing and evaluation of technical measures

4.5. The company regularly tests, evaluates and evaluates technical measures to determine whether they enable effective protection of the data processed by the company. If the company determines that the existing technical measures are not sufficient to protect the integrity of the data, the company will begin to apply other technical measures that are appropriate and will, accordingly, amend this Privacy Policy.

5. The organization's more

Confidentiality

5.1. The company has developed the practice of signing confidentiality agreements, i.e. incorporating appropriate confidentiality clauses into contracts with persons who are engaged in the company or associates who have access to data processed by the company.

Restrictions on access to data

5.2. Access to company systems and data is limited only to certain persons who perform work in certain sectors of society, for the purpose of performing specific work tasks. Annex 2 of this Privacy Policy contains a list of persons who have the right to access data.

The appointment of a Data Protection Officer

5.3. Although the company has no legal obligation to appoint a data protection officer, in order to implement the best practices of data protection processed by the company, the company will appoint a data protection officer.

Internal training and training

5.4. The company will organize internal trainings, i.e. training of persons who come into contact with the data, and who have access to the data.

6. Procedure in case of violation.

Breach notice

6.1. Informing the Commissioner of the breach of personal data
6.1.1. The company is obliged to notify the commissioner without undue delay of a breach of personal data that may result in a risk to the rights and freedoms of natural persons, or, if possible, within 72 hours of learning of the breach (hereinafter referred to as "notification to the Commissioner").
6.1.2. If the company does not act within 72 hours of becoming aware of the infringement in the manner defined in paragraph 6.1.1. in this Privacy Policy, the company is obliged to explain the reasons why it did not act in this manner and within that period.
6.1.3 the notification to the Commissioner must contain at least the following information:
a description of the nature of the data breach, including the type of data and the approximate number of data subjects concerned, as well as the approximate number of personal data whose security has been breached;
B. the name and contact details of the data protection officer or information on other ways in which infringement data may be obtained;
a description of the possible consequences of the injury;
d. a description of the measures taken or proposed by the company in connection with the infringement, including measures taken to mitigate the adverse consequences.
6.1.4. The notification to the commissioner is delivered to the Commissioner in writing, directly or by mail, and a scanned copy of the notification can be delivered to the e-mail address: povredapodataka@poverenik.rs.
6.2. Informing the person about the violation of personal data
6.2.1. If a personal data breach may result in a high risk to the rights and freedoms of natural persons, the Company shall notify the data subject without undue delay of the breach (hereinafter referred to as “notification to the person”).
6.2.2. In the notification to the person, the company is obliged to describe in a clear and understandable way the nature of the data breach, i.e. state the following::
a. the name and contact details of the data protection officer or information on other ways in which infringement data may be obtained;
a description of the possible consequences of the injury;
(c) a description of the measures taken or proposed by the company in connection with the infringement, including measures taken to minimise the adverse consequences.

7. The right of persons to whom personal data relates

7.1. From point 3.1. this Privacy Policy, to which personal data relates, has the following rights::
7.1.1. to ask the company for information on whether the company is processing its personal data;
7.1.2. to ask the company for access to this data;
7.1.3. to ask the company to rectify the data;
7.1.4. to ask the company to complete the data;
7.1.5. to ask the company to delete the data:
7.1.6. to require the company to restrict the processing of data;
7.1.7. to file a complaint.
7.2. Procedure for exercising the rights referred to in Section 7.1 of this Privacy Policy
7.2.1. Application for the application 7.1. this Privacy Policy can be submitted in any form, in writing, to an authorized person for the protection of personal data.
7.2.2. All requirements from point 3.1. these privacy policies that are not directly addressed to the data protection officer will be forwarded to this person.
7.2.3. The authorized person for personal data protection checks and confirms the identity of the person in accordance with the data from the request and the data held by the company. If necessary, the data protection officer may request additional information from the person.

7.2.4. The data protection officer shall record the date of the verification of the identification and the specification of the requested data.
7.2.5. The data protection officer shall provide the requested information within 30 days from the date of receipt of the request. This period may be extended by another 60 days if necessary, taking into account the complexity and number of requests. On the extension of the deadline and the reasons for that extension, the authorized person for personal data protection is obliged to inform the data subject within 30 days from the date of receipt of the request.
7.2.6. The authorized person for the protection of personal data is obliged to respond to the request without charging a fee from the person. If the request of the data subject is manifestly unfounded or excessive, and in particular if the same request is repeated frequently, the DPO may:
1) collect the necessary administrative costs of providing information, i.e. acting upon request;
2) refuses to act on the request.
The burden of proving that the request is manifestly unfounded or excessive lies with the data protection officer.

8. Final provisions

8.1. This Privacy Policy is adopted by the director of the company, who has the right to make changes and amendments to the Privacy Policy when there is a need to do so. The privacy policy is binding on the company from the date of its adoption.