Fondacija Jedro

On the basis of Article 6, paragraph 3, indent 4 of the Statute of the JEDRO Foundation with headquarters in the Republic of Serbia, 21220 Bečej, Nestora Džilitova 24, mb: 28834934, PIB: 114257395 (hereinafter: the Foundation), the Board of Directors of the Foundation, by means of a telephone vote, passed on 04. May 2024 as follows:

Rulebook on personal data protection

 

1. General provisions

The Rulebook on the Protection of Personal Data of the Foundation regulates organizational, technical and logical-technical procedures and measures for the protection of personal data in the Foundation with the intention of preventing accidental or intentional unauthorized destruction of data, its alteration or loss, as well as unauthorized access, processing, use or submission of personal data. The provisions of the currently valid regulations governing the protection of personal data, namely the Law on the Protection of Personal Data (Official Gazette of the RS No. 87/2018 hereinafter: the Law), are directly applicable to issues that are not regulated by this Rulebook.

1.1. Application of the Rules

The provisions of this Rulebook apply to the processing of personal data of the following categories of natural persons:

1. employees and candidates for employment,
2. family members of employees,
3. service users – minors,
4. service users – adults,
5. parents and representatives of service users,
6. donors,
7. business partners.

An employed person is any person employed by the operator (employment, non-employment, volunteering, performing a function in management or supervisory bodies).

Family members are persons who are insured as members of the insured’s family, in accordance with the regulations governing the field of health insurance, that is, persons who are considered family members in accordance with the Labor Law.

Service users – minors – are recipients of services (children and minors), who, according to the attached medical documentation, exercise the right to collect donations for the payment of treatment costs in accordance with the Foundation’s Regulations.

Service users – adults – are recipients of services (adult citizens), who, according to the attached medical documentation, exercise the right to collect donations for the payment of treatment costs in accordance with the Foundation’s Regulations.

Parents and representatives of service users – a category of persons whose participation in the contractual relationship is necessary, especially for minors in order to exercise rights from the contractual relationship, collection of donations for payment of treatment costs.

Donors – independent, anonymous or publicly known financiers of the treatment of service users within the Foundation.

Business partners – users and service providers, buyers, suppliers, contractors and subcontractors, consortium partners, bidders and all other business partners of the operator from the country and abroad, and only natural persons (entrepreneurs, legal representatives, proxies and other representatives of legal entities, natural persons who are responsible for the implementation of the contract, natural persons who act on behalf of or represent state bodies and organizations in the broadest sense, other natural persons).

Job candidates – persons who apply for open job positions published on appropriate internet portals, in public media or on the website of the Foundation; – persons who submit their CV, i.e. application for employment independently of the open competition, via electronic or regular mail.

2. Basic terms

1. Law – Law on Protection of Personal Data (Official Gazette of RS No. 87/2018).
2. Personal data is any data relating to a natural person whose identity is determined or determinable, directly or indirectly, especially on the basis of an identity marker, such as name and identification number, data on the location of an identifier in electronic communication networks or one or more features of his physiological, genetic, mental, economic, cultural and social identity (hereinafter: data).
3. The person to whom the data refers is the natural person whose personal data is processed.
4. Personal data processing is any action or set of actions that are performed automatically or non-automated with personal data or their sets, such as: collection, recording, sorting, grouping, i.e. structuring, storing, matching or changing, revealing, viewing, using, disclosure by transmission or delivery, duplication, dissemination or otherwise making available, comparison, limitation, deletion or destruction (hereinafter: processing).
5. Limitation of processing is the marking of stored personal data in order to limit their processing in the future.
6. Profiling is any form of automated processing that is used to assess a specific personality characteristic specifically for the purpose of analyzing or predicting a natural person’s work performance, economic position, state of health, personal preferences, interests, reliability, behavior, location or movements.
7. Pseudonymization is processing in a way that makes it impossible to attribute personal data to a specific person without the use of additional data, provided that these additional data are stored separately and that technical, organizational and personnel measures are taken to ensure that the personal data cannot be attributed to a specific or determinable person.
8. The controller is a natural or legal person, that is, a government body that independently or together with others determines the purpose and method of processing.
9. A processor is a natural or legal person, that is, a government authority that processes personal data on behalf of the controller.
10. The authorized person for personal data processing is the person in charge of personal data processing in the Foundation. The processing of personal data is the responsibility of that person, that is, the nature of the work of the organizational part of the Foundation in which the processing is carried out, including the managers of that organizational part as well as the persons in charge of work in the Foundation.
11. The consent of the data subject is any voluntary, definite, informed and unequivocal expression of the will of that person, by which that person, by a statement or a clear affirmative action, gives consent to the processing of personal data relating to him.
12. A personal data breach is a breach of personal data security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data transmitted or stored or otherwise processed.
13. Special types of personal data are those types of personal data that reveal racial or ethnic origin, political opinion, religious or philosophical belief or trade union membership, genetic data, biometric data for the purposes of unique identification of individuals, health-related data or data related to an individual’s sex life or sexual orientation.
14. Health data are data on the physical or mental health of a natural person, including those on the provision of health services, which reveal information about his state of health.
15. Data carriers are all types of media on which data is recorded (documents, files, materials, records, computer equipment including magnetic, optical or other computer media, photocopies, sound, graphic or video material, microfilms, data transmission devices, etc.).
16. The third party is a natural or legal person, i.e. a government authority, which is not the person to whom the data refer, the handler or the processor, as well as the person who is authorized to process personal data under the direct supervision of the handler or processor.
17. The Commissioner for Information of Public Importance and Protection of Personal Data (hereinafter: the Commissioner) is an independent and autonomous authority established on the basis of the Law, which is responsible for supervising the implementation of the Law and performing other tasks prescribed by the Law.

The competent authorities are:

1. authorities responsible for the investigation, detection and prevention of criminal acts, as well as the prosecution of perpetrators of criminal acts or the execution of criminal sanctions, including the protection and prevention of threats to public and national security,
2. legal entity authorized by the Law.

3. Principles of personal data processing

The basic principles of personal data processing at the Foundation are:

1. Legality, fairness and transparency
2. Restriction in relation to the purpose of processing
3. Data minimization
4. Accuracy
5. Storage Limitations
6. Integrity and Confidentiality

The Foundation adheres to the following principles during the processing procedure:

1. Lawfulness, honesty and transparency – personal data must be processed legally, honestly and transparently in relation to the person to whom the data refer;
2. Restrictions in relation to the purpose of processing – personal data can be collected for purposes that are specifically determined, explicit, justified and legal and cannot be further processed in a way that is not in accordance with those purposes;
3. Data minimization – personal data must be appropriate, essential and limited to what is necessary in relation to the purpose of processing;
4. Accuracy – personal data must be accurate and, if necessary, updated. Taking into account the purpose of the processing, the controller will take all reasonable measures to ensure that inaccurate data is deleted or corrected without delay;
5. Storage limitations – personal data must be stored in a form that allows the identification of the person only for the period necessary to achieve the purpose of the processing;
6. Integrity and confidentiality – personal data must be processed in a way that ensures adequate protection of personal data, including protection against unauthorized or illegal processing, as well as against accidental loss, destruction or damage by applying appropriate technical, organizational and personnel measures.

The operator is responsible for the implementation of the provisions from paragraph 1 of this article and must be able to demonstrate their implementation.

The Foundation must meet at least the following conditions, which explain in more detail when the processing is lawful, the consent of the person, the processing of special personal data and the purpose of the processing.

 

Processing is lawful according to Article 12 of the Law only if one of the following conditions is met:

1. the person to whom the personal data refers has consented to the processing of his personal data for one or more specifically specified purposes;
2. processing is necessary for the execution of a contract concluded with the person to whom the data refer or for undertaking actions, at the request of the person to whom the data refer, before the conclusion of the contract;
3. processing is necessary in order to comply with the operator’s legal obligations;
4. processing is necessary in order to protect vital interests of the person to whom the data refer or another natural person;
5. the processing is necessary for the purpose of performing tasks in the public interest or exercising the legally prescribed powers of the operator;
6. processing is necessary in order to achieve the legitimate interests of the controller or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the person to whom the data refer that require the protection of personal data, and especially if the person to whom the data refer is a minor.

Data processing can only be done if there is Consent of the person.

If the processing is based on consent, the controller must be able to demonstrate that the person has consented to the processing of their personal data. The data subject has the right to withdraw consent at any time. Revocation of consent does not affect the admissibility of processing that was carried out on the basis of consent before the revocation. Before giving consent, the person to whom the data refer must be informed about the right to revocation, as well as the effect of revocation. Withdrawing consent must be as simple as giving consent.

Processing of special types of personal data

Processing that reveals racial or ethnic origin, political opinion, religious or philosophical belief or membership in a trade union is prohibited, as well as processing genetic data, biometric data for the purpose of unique identification of a person or data about a natural person’s sexual life or sexual orientation.

Exceptionally, the processing mentioned in the previous paragraph is allowed in the event that the person to whom the data refer has given express consent for processing for one or more processing purposes, unless it is prescribed by law that processing is not carried out on the basis of consent, as well as in other cases determined by Article 17, paragraph 2 of the Law.

Purpose of processing:

Pursuant to the Law, personal data is collected for purposes that are specifically determined, explicit, justified and legal and cannot be further processed in a way that is not in accordance with those purposes. Personal data that is collected is appropriate, essential and limited to what is necessary in relation to the purpose of processing.

For each category of natural persons listed in section 1.1. of this Rulebook, the controller determines the purpose and legal basis of personal data processing, through special notices that form an integral part of this Rulebook.

4. Rights of persons to whom the data refer

In accordance with the review and comprehensive analysis of the provisions related to the rights of individuals, the Law prescribes that the person to whom the data refer shall achieve:

1. the right to be informed about processing, in accordance with Articles 23 and 24 of the Law;
2. the right to access data, including the right to a copy of the data processed by the operator – the Foundation, according to Article 26 of the Law;
3. the right to request from the Foundation the correction, addition or deletion of personal data in accordance with Article 29 and Article 30 of the Law;
4. the right to demand from the controller a restriction of processing in accordance with Article 31 of the Law;
5. the right to be notified of all recipients to whom personal data has been disclosed (when it comes to any correction, deletion or restriction of processing), in accordance with Article 33 of the Law, except in cases specified by the Law;
6. the right to data portability in accordance with Article 36 of the Law;
7. the right to donor anonymity;
8. the right to object in accordance with Article 37 of the Law;
9. the right not to be subject to a decision based solely on automated processing, including profiling, if that decision produces legal consequences for that person or that decision significantly affects his position, in accordance with Article 38 of the Law;
10. the right to be informed about the violation of personal data, in the event that the violation of personal data may cause a high risk to the rights and freedoms of natural persons, in accordance with Article 53 of the Law;
11. the right to submit a complaint to the Commissioner for Information of Public Importance and Personal Data Protection, in accordance with Article 82 of the Law.

The Foundation is obliged to provide assistance to the person in exercising his rights, except when it comes to exercising the right to complain to the Commissioner.

5. Obligations of the Foundation as an operator

The operator is obliged to take appropriate technical, organizational and personnel measures to ensure that the processing is carried out in accordance with the Law.

1. Technical measures ensure that the responsible person in the Foundation implements and maintains all necessary computer programs that serve to process personal data. This person is responsible for taking all technical measures necessary to prevent the destruction, loss and alteration of personal data, i.e. unauthorized disclosure or access to personal data. Individual technical measures include, but are not limited to, physical-technical measures (locking of offices and business buildings), the use of access codes for computers, and the use of appropriate computer software for the protection, identification and removal of computer viruses and other harmful programs.
2. Organizational measures refer to access to the server-computer and computers where personal data can be processed, and only authorized persons have access to it. Documentation in paper form containing personal data is kept in locked rooms.
3. Personnel measures are implemented first by appointing a person for the protection of personal data. Also, access to personal data is only available to persons employed by the operator who, as part of their work duties, must process such data. Personal data is considered a business secret, in accordance with the general acts of the operator, while disclosure of a business secret is a violation of work discipline.

If the processor processes personal data on behalf of the controller, the duties of the processor will be defined by the contract or other legally binding act, in accordance with the Law. Only the person or authority that fully guarantees the application of appropriate technical, organizational and personnel measures for the legal processing of personal data can be designated as a processor.

If the data is collected from the person to whom it relates, the Foundation is obliged to provide the following information to that person at the time of collecting personal data:

1. about the identity and contact information of the Foundation and its representative (the head of the organizational part in which personal data is collected),
2. contact details of persons for the protection of personal data,
3. purpose of intended processing and legal basis for processing,
4. the existence of a legitimate interest of the Foundation or a third party for processing (if data is collected on that basis),
5. the recipient, i.e. the group of recipients of personal data (if any)

6. Disclosure of data

Donor data will be published publicly in the list of payments on the Internet portal of the Foundation in order to make the entire process transparent. After the payment has been made to the dinar and foreign currency account, the data is read directly from the bank statements. The donor has the right to choose the option by which his payment will remain anonymous, that is, to submit a request to delete his personal data at any time by sending a request to delete payment data via email. Donors who pay via Internet Payments and PayPal are informed of the Privacy Policy before filling out the application and have the option to make the payment anonymous.

In certain circumstances, the Law allows the disclosure of personal data to law enforcement agencies and government bodies, without the consent of the data owner. In such circumstances, the Foundation will disclose the requested information. However, the responsible person of the Foundation will, before disclosing data, ensure that the request is legitimate, seeking the help of legal advisors or supervisory bodies in the field of personal data protection.

The Foundation must ensure that personal information is not disclosed to unauthorized third parties which include family members, friends, government bodies and, in certain circumstances, the police. All employees must be familiar with the procedure if they are asked to disclose personal data to a third party.

All requests for the delivery of personal data must be accompanied by appropriate documentation, and any publication must be specifically approved by the Responsible Person for the Protection of Personal Data.

7. Storage and disposal of data

The Foundation may not retain personal data that can identify an individual for longer than is necessary to fulfill the purpose for which the data was collected.

The Foundation may store data for a longer period than the period provided for by law or accepted policy, exceptionally, if the data is processed for the purpose of public interest, scientific research or statistical purposes. In that case, it is necessary to implement appropriate technical and organizational measures to protect the rights and freedom of the person to whom the personal data refer.

7.1. Keeping records of personal data processing

The Foundation establishes and maintains records of personal data processing activities that contain:

1. the name of the record of personal data;
2. the types of persons to whom the data refer and the types of personal data in the personal data records;
3. names and contact details of the handlers, joint handlers, representatives of the handlers and persons for the protection of personal data;
4. data on the purpose of processing;
5. data on the type of recipients to whom personal data has been disclosed or will be disclosed, including recipients in other countries;
6. transfer of personal data to other countries as well as documents on the implementation of measures if personal data are transferred in accordance with the Law;
7. data on the deadline, after the expiration of which certain types of personal data are deleted if such a deadline has been set.

At the level of the Foundation, a person or persons are appointed who manage the collection of personal data if they are kept in several organizational parts in which personal data processing operations are carried out and who are obliged to take care of the accuracy and up-to-dateness of the content of the records. Records of personal data processing are kept in written and electronic form. The Foundation is obliged to make them available to the Commissioner for Information of Public Importance at his request.

7.2. Video surveillance

The provisions of section 7.2. apply if the Foundation establishes video surveillance in front of and in its premises.

In the Foundation, video surveillance is used for the purpose of protecting people and property. Use for other purposes is not permitted.

Areas where video surveillance is carried out must be marked appropriately (sticker with a warning and a telephone number where information regarding video surveillance can be obtained).

Employees who are subject to video surveillance during their work must be notified beforehand in written or electronic form.

Anyone who wants to see a video recording in which he appears must submit a written request to the Foundation, which must allow him to see it. He must also sign an information protection statement committing himself to keep all data safe.

If an employee, service user or visitor recorded by the video surveillance system wants to view the recording in which he appears, the manager of IT protection is also present during the review of those recordings.

Video surveillance is prohibited in changing rooms and sanitary facilities.

Any viewing of videos must be logged.

7.3. Deleting data

After the expiration of the storage period, personal data is deleted, destroyed, blocked or anonymized, unless the aforementioned law or other act stipulates otherwise.

The deadlines, after which personal data are deleted from the data collection, can be seen from the records of personal data processing activity.

8. Legal remedies

The person to whom the data refers has the right to file a complaint with the Commissioner if he believes that the processing of his personal data has been carried out contrary to the provisions of the Personal Data Protection Act. In the complaint procedure, the provisions of the law regulating inspection supervision in the part related to handling complaints shall be applied accordingly. Filing a complaint to the Commissioner does not affect the right of this person to initiate other administrative or judicial protection procedures.

The Commissioner is obliged to inform the complainant about the course of the procedure he is conducting, the results of the procedure, as well as the right of the person to initiate court proceedings in accordance with the Law.

The person to whom the data refers has the right to judicial protection if he believes that, contrary to the Law, his right prescribed by the Law has been violated by the handler or processor by the action of processing his personal data. Filing a lawsuit in court does not affect the right of this person to initiate other administrative or judicial protection procedures.

A person who has suffered material or non-material damage due to a violation of the provisions of the Law has the right to monetary compensation for this damage from the operator, that is, the processor who caused the damage.

9. Final provisions

This Rulebook enters into force on the eighth day from the day of its publication on the Foundation’s notice board.

 

Seal of the Foundation:

President of the Board of Directors:

________________________________________

Željko Bubnjević

 

The following person asserts and certifies that this Rulebook was displayed on the notice board of the Foundation on May 4, 2024:

Manager:

Goran Vasović

On the basis of Article 6, paragraph 3, indent 4 of the Statute of the JEDRO Foundation with headquarters in the Republic of Serbia, 21220 Bečej, Nestora Džilitova 24, mb: 28834934, PIB: 114257395 (hereinafter: the Foundation), the Board of Directors of the Foundation, by means of a telephone vote, adopted the following on May 4, 2024:

Rulebook on personal data protection

 

1. General provisions

The Rulebook on the Protection of Personal Data of the Foundation regulates organizational, technical and logical-technical procedures and measures for the protection of personal data in the Foundation, with the intention of preventing accidental or intentional unauthorized destruction of data, its alteration or loss, as well as unauthorized access, processing, use or submission of personal data. The provisions of the currently valid regulations governing the protection of personal data, namely the Law on the Protection of Personal Data (Official Gazette of the RS No. 87/2018, hereinafter: the Law), are directly applicable to issues that are not regulated by this Rulebook.

1.1. Application of the Rules

The provisions of this Rulebook apply to the processing of personal data of the following categories of natural persons:

1. employees and candidates for employment,
2. family members of employees,
3. service users – minors,
4. service users – adults,
5. parents and representatives of service users,
6. donors,
7. business partners.

An employed person is any person employed by the operator (employment, non-employment, volunteering, performing a function in management or supervisory bodies).

Family members are persons who are insured as members of the insured’s family, in accordance with the regulations governing the field of health insurance, that is, persons who are considered family members in accordance with the Labor Law.

Service users – minors – are recipients of services (children and minors), who, according to the attached medical documentation, exercise the right to collect donations for the payment of treatment costs in accordance with the Foundation’s Regulations.

Service users – adults – are recipients of services (adult citizens), who, according to the attached medical documentation, exercise the right to collect donations for the payment of treatment costs in accordance with the Foundation’s Regulations.

Parents and representatives of service users – a category of persons whose participation in the contractual relationship is necessary, especially for minors in order to exercise rights from the contractual relationship, collection of donations for payment of treatment costs.

Donors – independent, anonymous or publicly known financiers of the treatment of service users within the Foundation.

Business partners – users and service providers, buyers, suppliers, contractors and subcontractors, consortium partners, bidders and all other business partners of operators from the country and abroad, and only natural persons (entrepreneurs, legal representatives, proxies and other representatives of legal entities, natural persons who are responsible for the implementation of the contract, natural persons who represent state bodies and organizations in the broadest sense, other natural persons).

Job candidates – persons who apply for open job positions published on appropriate internet portals, in public media or on the website of the Foundation; – persons who submit their CV, i.e. application for employment independently of the open competition, via electronic or regular mail.

2. Basic terms

1. Law – Law on Protection of Personal Data (Official Gazette of RS No. 87/2018).
2. Personal data is any data relating to a natural person whose identity is determined or determinable, directly or indirectly, especially on the basis of an identity marker, such as name and identification number, data on the location of an identifier in electronic communication networks or one or more features of his physiological, genetic, mental, economic, cultural and social identity (hereinafter: data).
3. The person to whom the data refers is the natural person whose personal data is processed.
4. Personal data processing is any action or set of actions, automated or non-automated, performed on personal data or their sets, such as: collection, recording, sorting, grouping, i.e. structuring, storing, matching or changing, revealing, viewing, using, disclosure by transmission or delivery, duplication, dissemination or otherwise making available, comparison, limitation, deletion or destruction (hereinafter: processing).
5. Limitation of processing is the marking of stored personal data in order to limit their processing in the future.
6. Profiling is any form of automated processing that is used to assess a specific personality characteristic, specifically for the purpose of analyzing or predicting a natural person’s work performance, economic position, state of health, personal preferences, interests, reliability, behavior, location or movements.
7. Pseudonymization is processing in a way that makes it impossible to attribute personal data to a specific person without the use of additional data, provided that these additional data are stored separately and that technical, organizational and personnel measures are taken to ensure that the personal data cannot be attributed to a specific or determinable person.
8. The controller is a natural or legal person, that is, a government body that independently or together with others determines the purpose and method of processing.
9. A processor is a natural or legal person, that is, a government authority that processes personal data on behalf of the controller.
10. The authorized person for personal data processing is the person in charge of personal data processing in the Foundation. The processing of personal data is the responsibility of that person, that is, the nature of the work of the organizational part of the Foundation in which the processing is carried out, including the managers of that organizational part as well as the persons in charge of work in the Foundation.
11. The consent of the data subject is any voluntary, definite, informed and unequivocal expression of the will of that person, by which that person, by a statement or a clear affirmative action, gives consent to the processing of personal data relating to him.
12. A personal data breach is a breach of personal data security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data transmitted or stored or otherwise processed.
13. Special types of personal data are those types of personal data that reveal racial or ethnic origin, political opinion, religious or philosophical belief or trade union membership, genetic data, biometric data for the purposes of unique identification of individuals, health-related data or data related to an individual’s sex life or sexual orientation.
14. Health data are data on the physical or mental health of a natural person, including those on the provision of health services, which reveal information about his state of health.
15. Data carriers are all types of media on which data is written or recorded (documents, files, materials, records, computer equipment including magnetic, optical or other computer media, photocopies, sound, graphic or video material, microfilms, data transmission devices, etc.).
16. The third party is a natural or legal person, i.e. a government authority, which is not the person to whom the data refer, the handler or the processor, as well as the person who is authorized to process personal data under the direct supervision of the handler or processor.
17. The Commissioner for Information of Public Importance and Protection of Personal Data (hereinafter: the Commissioner) is an autonomous and independent authority established on the basis of the Law, which is responsible for supervising the implementation of the Law and performing other tasks prescribed by the Law.

The competent authorities are:

1. authorities responsible for the investigation, detection and prevention of criminal acts, as well as the prosecution of perpetrators of criminal acts or the execution of criminal sanctions, including the protection and prevention of threats to public and national security,
2. legal entity authorized by the Law.

3. Principles of personal data processing

The basic principles of personal data processing at the Foundation are:

1. Legality, fairness and transparency
2. Restriction in relation to the purpose of processing
3. Data minimization
4. Accuracy
5. Storage Limitations
6. Integrity and Confidentiality

The Foundation adheres to the following principles during the processing procedure:

1. Lawfulness, honesty and transparency – personal data must be processed legally, honestly and transparently in relation to the person to whom the data refer;
2. Restrictions in relation to the purpose of processing – personal data can be collected for purposes that are specifically determined, explicit, justified and legal and cannot be further processed in a way that is not in accordance with those purposes;
3. Data minimization – personal data must be appropriate, essential and limited to what is necessary in relation to the purpose of processing;
4. Accuracy – personal data must be accurate and, if necessary, updated. Taking into account the purpose of the processing, the controller will take all reasonable measures to ensure that inaccurate data is deleted or corrected without delay;
5. Storage limitations – personal data must be stored in a form that allows the identification of the person only for the period necessary to achieve the purpose of the processing;
6. Integrity and confidentiality – personal data must be processed in a way that ensures adequate protection of personal data, including protection against unauthorized or illegal processing, as well as against accidental loss, destruction or damage by applying appropriate technical, organizational and personnel measures.

The operator is responsible for the implementation of the provisions from paragraph 1 of this article and must be able to demonstrate their implementation.

The Foundation must meet at least the following conditions, which explain in more detail when processing is lawful, the consent of the person, the processing of special types of personal data and the purpose of processing.

 

Processing is lawful according to Article 12 of the Law only if one of the following conditions is met:

1. the person to whom the personal data refers has consented to the processing of his personal data for one or more specifically specified purposes;
2. processing is necessary for the execution of a contract concluded with the person to whom the data refer or for undertaking actions, at the request of the person to whom the data refer, before the conclusion of the contract;
3. processing is necessary in order to comply with the operator’s legal obligations;
4. processing is necessary in order to protect vital interests of the person to whom the data refer or another natural person;
5. the processing is necessary for the purpose of performing tasks in the public interest or exercising the legally prescribed powers of the operator;
6. processing is necessary in order to achieve the legitimate interests of the controller or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the person to whom the data refer that require the protection of personal data, and especially if the person to whom the data refer is a minor.

Data processing can only be done if there is consent of the person.

If the processing is based on consent, the controller must be able to demonstrate that the person has consented to the processing of their personal data. The data subject has the right to withdraw consent at any time. Revocation of consent does not affect the admissibility of processing that was carried out on the basis of consent before the revocation. Before giving consent, the person to whom the data refer must be informed about the right to revocation, as well as the effect of revocation. Withdrawing consent must be as simple as giving consent.

Processing of special types of personal data

Processing that reveals racial or ethnic origin, political opinion, religious or philosophical belief or membership in a trade union is prohibited, as well as processing genetic data, biometric data for the purpose of unique identification of a person or data about a natural person’s sexual life or sexual orientation.

Exceptionally, the processing mentioned in the previous paragraph is allowed in the event that the person to whom the data refer has given express consent for processing for one or more processing purposes, unless it is prescribed by law that processing is not carried out on the basis of consent, as well as in other cases determined by Article 17, paragraph 2 of the Law.

Purpose of processing:

Pursuant to the Law, personal data is collected for purposes that are specifically determined, explicit, justified and legal and cannot be further processed in a way that is not in accordance with those purposes. Personal data that is collected is appropriate, essential and limited to what is necessary in relation to the purpose of processing.

For each category of natural persons listed in section 1.1. of this Rulebook, the controller determines the purpose and legal basis of personal data processing, through special notices that form an integral part of this Rulebook.

4. Rights of persons to whom the data refer

In accordance with the review and comprehensive analysis of the provisions related to the rights of individuals, the Law prescribes that the person to whom the data refer shall have:

1. the right to be informed about processing, in accordance with Articles 23 and 24 of the Law;
2. the right to access data, including the right to a copy of the data processed by the operator – the Foundation, according to Article 26 of the Law;
3. the right to request from the Foundation the correction, addition or deletion of personal data in accordance with Article 29 and Article 30 of the Law;
4. the right to demand from the controller a restriction of processing in accordance with Article 31 of the Law;
5. the right to be notified of all recipients to whom personal data has been disclosed (when it comes to any correction, deletion or restriction of processing), in accordance with Article 33 of the Law, except in cases specified by the Law;
6. the right to data portability in accordance with Article 36 of the Law;
7. the right to donor anonymity;
8. the right to object in accordance with Article 37 of the Law;
9. rights relating to decisions based on automated processing, including profiling, if that decision produces legal consequences for that person or significantly affects his position, in accordance with Article 38 of the Law;
10. the right to be informed about the violation of personal data, in the event that the violation of personal data may cause a high risk to the rights and freedoms of natural persons, in accordance with Article 53 of the Law;
11. the right to submit a complaint to the Commissioner for Information of Public Importance and Personal Data Protection, in accordance with Article 82 of the Law.

The Foundation is obliged to provide assistance to the person in exercising his rights, except when it comes to exercising the right to complain to the Commissioner.

5. Obligations of the Foundation as an operator

The operator is obliged to take appropriate technical, organizational and personnel measures to ensure that the processing is carried out in accordance with the Law.

1. Technical measures ensure that the responsible person in the Foundation implements and maintains all necessary computer programs that serve to process personal data. This person is responsible for taking all technical measures necessary to prevent the destruction, loss and alteration of personal data, i.e. unauthorized disclosure or access to personal data. Individual technical measures include, but are not limited to physical-technical measures (locking of offices and business buildings), the use of access codes for computers, and the use of appropriate computer software for the protection, identification and removal of computer viruses and other harmful programs.
2. Organizational measures refer to access to the server computer and the computers where personal data can be processed, to which only authorized persons have access. Documentation in paper form containing personal data is kept in locked rooms.
3. Personnel measures are implemented first by appointing a person for the protection of personal data. Also, access to personal data is only available to persons employed by the operator who, as part of their work duties, must process such data. Personal data is considered a business secret, in accordance with the general acts of the operator, while disclosure of a business secret is a violation of work discipline.

If the processor processes personal data on behalf of the controller, the duties of the processor will be defined by the contract or other legally binding act, in accordance with the Law. Only the person or authority that fully guarantees the application of appropriate technical, organizational and personnel measures for the legal processing of personal data can be designated as a processor.

If the data is collected from the person to whom it relates, the Foundation is obliged to provide the following information to that person at the time of collecting personal data:

1. about the identity and contact information of the Foundation and its representative (the head of the organizational part in which personal data is collected),
2. contact details of persons for the protection of personal data,
3. purpose of intended processing and legal basis for processing,
4. the existence of a legitimate interest of the Foundation or a third party for processing (if data is collected on that basis),
5. the recipient, i.e. the group of recipients of personal data (if any).
