INTRODUCTORY PROVISIONS
The purpose of this document is to inform Website Users and Notification Subscribers concerning the personal data that is collected via the websites of the Controller “Fondacija Registar nacionalnog internet domena Srbije” (the Serbian National Internet Domain Registry Foundation), with registered place of business at Žorža Klemansoa no. 18a, Belgrade-Stari Grad, corporate ID: 17680544 (hereinafter: RNIDS), located at the domains rnids.rs, domen.rs, dids.rs and rsnog.rs, the purpose for and basis on which it is processed, the rights of Website Users and Notification Subscribers, procedures in the event of an incident, consent, and other relevant facts concerning the processing of the personal data of Website Users and Notification Subscribers.
The Privacy Policy shall inform Registrants of Internet domain names (hereinafter: Registrants) as well as Administrative and Technical Contacts for registrations in regard to which personal data is being collected by RNIDS when they register a domain name, as well as the time period for which data is kept, information on the rights of Registrants, procedures in the event of incident, as well as consent of the Registrant for RNIDS to collect, process and store their personal data, as set out below. It is also intended to inform Event Participants for the purposes of exchange of information and of the purpose for and basis on which they are processed.
The website shall use Website User/Notification Subscriber data in accordance with this Privacy Policy and undertake to safeguard the privacy of all Website Users/Notification Subscribers, to only collect essential, basic data on Website Users/Notification Subscribers, that is, data essential for the running of the website, meeting contractual obligations and informing the Website User/Notification Subscriber, in accordance with good business practice and with the objective of providing a quality service, in all respects in compliance with the Privacy Policy.
For all matters not addressed in this Privacy Policy, the Rules on Protection of Personal Data of Registrants/Website Users/Notification Subscribers (hereinafter: the Rules), other general enactments of RNIDS and the Personal Data Protection Law of the Republic of Serbia shall be applicable. At the request of the Data Subject, RNIDS shall facilitate inspection of the Rules in accordance with the Law.
MEANING OF TERMS
Terms used in the Privacy Policy shall have the meanings defined in the Rules.
Registrant, Administrative and Technical Contacts, Website User, Event Participant and Notification Subscriber shall collectively be referred to by the term Data Subjects.
DATA COLLECTED AND PROCESSED
RNIDS shall collect and process some of the following data, and specifically the following data of Registrants and Administrative and Technical Contacts, in all respects pursuant to Article 8 of the General Terms:
- name and surname;
- address of residence;
- email address;
- telephone number.
RNIDS shall collect and process some of the following data, and specifically the following data of Website Users and Notification Subscribers:
- IP address;
- email address.
RNIDS shall collect and process some of the following data, and specifically the following data of Event Participants:
- name and surname;
- email address;
- video recordings and photographs of participants;
- other necessary data which does not fall under the category of special personal data.
Depending on whether the subject is a Registrant, Administrative or Technical Contact, Website User, Notification Subscriber or Event Participant, RNIDS shall process individual data for each of the categories as laid down in Article 4 of the Rules.
In order to improve services on its websites and to improve the Website User experience when viewing pages, RNIDS shall collect data from the web browser of the Website User, specifically cookies. More details on the cookie collection policy may be found on this page: https://arhiva.dids.rs/cookie-policy/ (Cookie Policy).
RNIDS does not intentionally collect the personal data of persons younger than 18 years of age. Should RNIDS determine that it holds the personal data of such persons, it will seek parental permission without delay.
BASIS FOR AND PURPOSE OF PROCESSING
A detailed description of the purpose of and legal basis for the processing of each of the individual categories of personal data can be found in Article 5 of the Rules.
In addition to meeting contractual obligations, meeting legal obligations and legitimate interests, RNIDS shall also process personal data on the basis of consent.
Consent given by the Data Subject may be given on a separate form with the clear and emphasised title “Consent”, the content of which is described in the aforementioned Article in an informed, transparent, understandable and accessible manner, using clear and simple language in the manner prescribed by the Law.
The Data Subject shall have the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of the processing of personal data carried out before the withdrawal. Before giving consent, the person to which the data relates must be informed of their right to withdrawal and of the effect of withdrawal. Withdrawal of consent must be as simple as giving consent.
RIGHTS UNDER PERSONAL DATA PROTECTION
The Data Subject has the following rights under applicable regulations:
The right to be informed
Every Data Subject who has supplied personal data to RNIDS shall have the right to information on and access to the data kept on him/her and processed by RNIDS.
Right to rectification of personal data
Every Data Subject who has supplied personal data to RNIDS shall have the right to make corrections to incorrect data kept on him/her and processed by RNIDS.
Right to erasure of personal data
Every Data Subject who has supplied personal data to RNIDS shall have the right to request the erasure of personal data kept on him/her and processed by RNIDS, where the legal requirements have been met for this.
Right to restriction of processing
Every Data Subject who has supplied personal data to RNIDS shall have the right to request the restriction of processing of all personal data kept on him/her and processed by RNIDS, where legal requirements have been met for this.
The right to information relating to rectification or erasure of personal data or restriction of processing
RNIDS must inform the Data Subject of measures undertaken relating to his/her request for rectification, erasure or restriction of processing of personal data.
Right to personal data portability
Every Data Subject who has supplied personal data to RNIDS shall have the right to request that RNIDS facilitate the transfer of data to another controller in an electronic, easily portable format.
Right to lodge a complaint
Every Data Subject who has supplied personal data to RNIDS shall have the right to lodge a complaint in the event that his or her data has been used in a manner contrary to this Privacy Policy and applicable regulations.
STORAGE OF PERSONAL DATA
Data of Registrants and Administrative and Technical contacts as defined in Article 4.2 of the Rules shall be stored in electronic form by RNIDS in the manner defined by the Rules.
Website User, Notification Subscriber and Event Participant data shall be kept in electronic form by RNIDS and secured according to appropriate security standards.
PROCESSORS, JOINT CONTROLLERS AND THIRD PARTIES
RNIDS, for the purposes of meeting obligations under the Terms of Use, meeting legal obligations, maintaining and improving its services shall be authorised to use the services of accountancy agencies, programmers, IT consultants and other external and internal associates, for whose work and performance it shall assume responsibility under the Law.
RNIDS warrants that the Processor shall use all techniques and organisational and staffing measures necessary to ensure that processing is conducted in accordance with the Law and that adequate protection is ensured for the personal data of the Controller’s Service Users/Website Visitors/Notification Subscribers.
RNIDS shall collect and process the data of Registrants/Administrative and Technical Contacts jointly with the Accredited Registrar solely for the purposes of registering national Internet domain names.
Should the need arise for RNIDS to share personal data with a third party with which it has a contractual relationship, RNIDS shall contractually oblige that contractual party to enforce applicable regulations and the RNIDS privacy policy. In the event of a legal obligation to do so, RNIDS shall share personal data with a third party if it should receive a request meeting the legal requirements.
DATA SECURITY
When determining the required level of personal data security, RNIDS shall take into account and monitor current advances in technology, the costs of their implementation and the nature, scope, circumstances and purpose of the data processing and shall on the basis of those parameters evaluate the probability of a risk arising, that is the level of risk to the rights and liberties of the Data Subject.
RNIDS shall have appropriate rules and procedures in place to safeguard personal data from unauthorised access, loss, misuse, alteration or destruction. Nevertheless, security from all potential threats cannot be completely guaranteed. According to RNIDS’ rules, personal data may only be accessed by those persons who need to know this data for the purposes of performing their work and must keep this data confidential.
In the event of an incident, RNIDS shall have a reaction and reporting policy and an incident team which shall immediately take appropriate steps and undertake the procedure prescribed for the event of an incident.
In the event of a threat to personal data, RNIDS shall undertake all necessary notification and protection measures laid down in the Law, including notification of the competent Supervisory Authority, as well as Data Subjects where the requirements of the Privacy Policy and Law have been met, as defined in more detail in the Rules.
DATA RETENTION PERIOD AND ERASURE
The data of the Registrant/Administrative and Technical Contact shall be kept for ten years after the day of expiry of the registration. Personal data collected in other cases shall be kept for as long as there is a need for it to be processed, and there is consent from the Data Subject.
Data retention periods for other categories of personal data shall be defined in the Rules.
CHANGES TO THE PRIVACY POLICY
RNIDS reserves the right to make changes to this Privacy Policy. RNIDS shall publish all changes to this Privacy Policy on its website located at rnids.rs.
CONTACT DETAILS OF CONTROLLER
In the event of a need for clarification of provisions of the Privacy Policy, for exercise of the rights of the Data Subject under Article 4 of the Rules and for other matters laid down in the Law, Data Subjects may contact RNIDS at the following email address: privacy@rnids.rs.