Personal data protection policy
1. PURPOSE AND OBJECTIVE OF POLICY
The Personal Data Protection Policy (hereinafter: the Policy) is an umbrella document that regulates the protection of the personal data of users, agents, employees, associates, consultants and other persons having a business relationship with Eki Pay, as well as of other persons whose data are processed by Eki Pay, in accordance with the Law on Personal Data Protection of the Republic of Serbia and other relevant regulations in the field of personal data protection.
This Policy applies to all Eki Pay operational organizational units - departments and sections within them.
The aim is to provide legal certainty and transparency regarding the processing of personal data of employees and other persons whose data are processed, as well as to establish the legal basis, purpose of processing, types of data processed, rights of individuals with regard to the processing of personal data, data protection measures, etc.
2. TERMS AND ABBREVIATIONS
• Personal data - any information relating to an individually identified or identifiable natural person
• Specific types of personal data - are data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs or membership in a union, genetic data, biometric data, data on a person's health, sexual life or sexual orientation;
• Processing personal data - means any action taken on personal data, such as collecting, storing, changing, accessing, using, disclosing or otherwise making available to third parties, combining, blocking, deleting or destroying
• Consent of the data subject - any voluntary, specific, informed and unambiguous expression of that person's will by which that person, by a statement or clear affirmative action, consents to the processing of personal data relating to him / her;
• Personal data breach - is a breach of personal data security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that has been transferred, stored or otherwise processed
• Data Controller - a natural or legal person, or an authority, that determines the purpose and method of processing, independently or together with others. The law defining the purpose and method of processing may specify the controller or prescribe the conditions for its determination;
• Data Processor - a natural or legal person or authority that processes personal data on behalf of a controller.
• Employee - includes, in addition to employees under employment contracts, agents and their employees and persons hired on the basis of employment contracts, copyright contracts, consultancy contracts and the like.
• Commissioner - Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia
• ZZPL – Law on Personal Data Protection (Official Gazette RS, No. 87/2018)
• ZOR - Labor Law of the Republic of Serbia ("Official Gazette of RS", No. 24/2005, 61/2005, 54/2009, 32/2013, 75/2014, 13/2017 - Constitutional Court decision, and 113/2017)
3. DATA PROTECTION OFFICER (DPO)
The data protection officer shall, at a minimum, be obliged to:
• inform and advise the Data Controller / Data Processor, as well as the employees who perform processing operations, on their legal obligations regarding the protection of personal data;
• monitor the implementation of the legal provisions and internal regulations of controllers / processors relating to the protection of personal data, including the allocation of responsibilities, raising awareness and training of employees involved in processing activities, as well as related controls;
• give an opinion, when requested, on the assessment of the impact of processing on the protection of personal data and monitor the assessment process, in accordance with the Law;
• cooperate with the Commissioner, act as the contact person for cooperation with the Commissioner, and consult him / her on issues related to processing, including providing notifications and obtaining the necessary opinions.
4. Principles of data protection
Eki Pay, starting from the premise that appropriate guidelines for the use of personal data in achieving business goals are a prerequisite for the use of such data, has determined the following principles for how Eki Pay, its organizational units, its network of agents, all employees and external associates manage the personal data of employees, users, associates, business partners and service providers.
• Eki Pay is committed to protecting the personal data of users, employees, associates, business partners and service providers.
• Eki Pay processes and maintains personal data solely for legitimate business purposes and is transparent about when and how it collects, uses or shares personal data.
• Eki Pay provides users with reasonable information about the protection of their personal data and about the control they have over their data.
• In achieving its business goals, Eki Pay strives to use customer data for the benefit of users.
• Eki Pay is committed to complying with its legal and regulatory obligations in all areas of its operations.
4.1 Collection and Processing
Eki Pay obtains personally identifiable information in a lawful and ethical manner, only as needed and, where required, with the consent of the data subject. Personal data are processed in accordance with applicable legal requirements. The collection of personally identifiable information is limited to what is necessary for the purposes specified by Eki Pay in the notice addressed to the persons whose data are being processed, or in communication with them, as described below.
4.2 Notification
Eki Pay, when required by applicable law or when it deems it appropriate, will provide the persons whose data are processed with the relevant information regarding the processing of their personal data. This information includes, inter alia, the contact details of the Data Protection Officer and the purpose and legal basis for collecting the personal data. Where processing is based on a legitimate business interest, that interest will be justified. This notice will be clear and simply formulated, and will be given at or before the time the personal data are collected. For the sake of transparency, Eki Pay will provide this information to users in a notice available to the public on the Website and / or as an integral part of the general terms of the services Eki Pay provides to users as a payment institution, and through other channels as appropriate. The notice to employees will be available on the Eki Pay notice board and / or other internal channels.
4.3 Choice and Consent
In accordance with the law, Eki Pay will, whenever required, obtain the consent of data subjects before the collection or processing of personal data, and will, where applicable, offer data subjects the ability to choose (opt out of) whether their personal data may be disclosed to a third party or used for any purpose other than the purpose for which they were originally collected or subsequently authorized by the data subject.
4.4 Usage and storage
Eki Pay will process and disclose personally identifiable information for business purposes only, with the aim of protecting the privacy of the individuals whose data are processed and protecting the personal data themselves, and in accordance with applicable law. Eki Pay will use personal data solely for specified purposes; personal data will not be stored for longer than is necessary to fulfill the stated purpose, and will be held in a way that prevents loss, theft, misuse or unauthorized access.
4.5 Personal data protection measures
Eki Pay will establish measures for the reasonable and adequate protection of personal data against unauthorized use, disclosure, destruction, and changes consistent with the risks involved in processing the data.
4.6 Processing of sensitive data
Given the nature of its business, Eki Pay does not collect sensitive information, but if it does, it will adopt additional measures for specific types of personal data (e.g. sensitive information) or for other data that may otherwise require additional protection. In addition, Eki Pay may adopt additional measures to meet local customs or social expectations when it comes to processing sensitive information.
4.7 Data Integrity
Eki Pay will take reasonable steps to ensure that the personal data it holds and processes are accurate and complete with respect to the purpose(s) for which the personal data are used. Eki Pay will only use personally identifiable information that is relevant and adequate for the purpose for which it is used.
4.8 Access
On request, or where otherwise necessary or appropriate, Eki Pay will endeavor to give data subjects reasonable access to the personal data it holds about them. However, such access may be denied by Eki Pay, e.g. where it could potentially violate the rights and freedoms of others, or potentially disclose information concerning an ongoing investigation. In addition, Eki Pay will endeavor to take reasonable steps to allow the persons whose data are processed to correct, change or delete inaccurate or incomplete information about them.
4.9 Disclosure to Third Parties
Eki Pay will disclose personally identifiable information to third parties only for lawful business purposes, and only when Eki Pay has received assurances that the personal data will be adequately processed and protected in compliance with applicable laws and regulations.
4.10 Transferring Personal Data Internationally
Eki Pay will transfer personal data to, or provide access to, entities in other countries solely for lawful business purposes. Eki Pay will routinely review the local laws, regulations and policies governing the processing and protection of personal data in order to ensure that its own obligations, and those of recipients in other countries, are fulfilled in terms of processing and protecting personal data.
4.11 Monitoring and enforcement
Eki Pay will ensure that associates who process or have access to personal data are aware of and act on the content of this Policy and will adequately inform and train their staff when it comes to this Policy. Failure to comply with this Policy may result in disciplinary action, including termination of employment.
5. Data protection management
An important element of personal data protection is the security of such data at all stages of processing, both at rest and in transit, whether over Eki Pay's own network or to third parties. Information security principles are governed by Eki Pay's internal security act. Information security and data protection have complementary goals that overlap specifically on issues such as responding to a security incident, controls to mitigate data protection risks, and creating an adequate level of awareness regarding data protection.
6. Governance and responsibility
a. The management (Assembly and CEO) of Eki Pay is responsible for the following:
▪ Ensuring the availability of adequate resources and budgets to support data protection.
▪ Supporting the implementation of this Policy within all processes where personal data are collected and processed.
b. Process owners
Process owners are the responsible business functions (organizational units) in which personal data are collected and processed.
The process owner is responsible for the following:
▪ Complying with the relevant processes set out in the data protection procedures.
▪ Maintaining the quality, accuracy and availability of data (and ensuring the rights of the data subject), and monitoring the procedures for handling breaches of data protection.
▪ Ensuring adequate implementation of the management processes, systems and tools that support the Data Protection Policy within their functional areas (e.g. record keeping and risk assessment).
▪ Ensuring that personal data processing is carried out in accordance with internal and external rules and applicable data protection regulations.
▪ Ensuring an adequate level of data protection awareness at all stages and activities of the business processing of personal data.
▪ Ensuring that relevant individuals in the functional areas are adequately informed about, and trained in, the risks involved in processing the data.
▪ Exercising risk management oversight when processing data within their functional areas.
The process owner interacts with the Data Protection Officer (DPO) as follows:
▪ Consultation with the DPO in the case of a new product or service, change in the ongoing process, or outsourcing of personal data processing.
▪ Obtaining support from the DPO for executing data protection procedures as needed.
▪ Consulting the DPO regarding available training and tools to raise awareness about data protection.
▪ Urgent notification of the DPO in the event of any known or suspected data security incident or data breach.
c. The Data Protection Officer (DPO), in support of data protection activities, does the following:
▪ Assisting process owners with the implementation of the Personal Data Protection Policy (e.g. record keeping and risk assessment), including the provision of data protection training, awareness tools and best practices.
▪ Regularly advising the process owners concerned on data processing risks and issues to ensure compliance.
▪ Coordinating data protection requirements and responding to complaints of data subjects.
▪ Participating in official investigations or inquiries by public authorities regarding the processing of personal data.
▪ Participating in the response to, and resolution of, any known or suspected information security incident, breach of data protection or privacy breach.
▪ Reporting to management and process owners regarding possible data protection risks and open issues related thereto.
7. Other information
For additional information regarding data protection at Eki Pay, you can contact:
zastitapodataka@ekipay.rs
This Policy will be available on the Eki Pay notice board and will be made available to a reasonable extent both internally and externally.
The Data Protection Officer (DPO) will review the Policy at least annually and propose any necessary revisions.