Company for exploration, production, refining, distribution and sales of oil and petroleum products and exploration and production of natural gas Naftna industrija Srbije a.d. Novi Sad, Narodnog fronta 12, 21000 Novi Sad (hereinafter: “NIS”), is the data controller of personal data of individuals which it processes in accordance with the Law on Personal Data Protection, (Official Gazette of RS, No. 87/2018, hereinafter referred to as: “Law”) and business needs.
1. Purpose of the document and basic concepts
This Policy aims to provide clear, comprehensible and easily availably information on the type of personal data NIS collects, for what purpose, on what legal basis and how the data subjects can exercise the rights relating to their personal data processing. In order for the data subjects to be aware of the rights guaranteed to them and how to exercise them, they need to know that certain terms used in this document have the meaning given to them here below:
- The personal data processing means any action performed automatically or non-automatically involving personal data or their sets such as collection, use, recording, classification, grouping, or structuring, storage, adaptation, modification, detection, transmission, delivery, insight into, copying or reproduction, comparison, restriction, deletion or destruction which NIS performs directly or through related parties.
- personal data is any data relating to directly or indirectly identified or identifiable individual (hereinafter: “data” or “personal data”).
- the data subject is any individual whose personal data is processed by NIS.
- a special type of personal data comprises personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs or trade union membership, as well as genetic data and biometric data for unambiguous identification, health data or data on sexual life or sexual orientation of an individual
The policy applies to all personal data of service users, employees, hired personnel and other persons whose data are processed by NIS i.e. for whom it defines the purpose and method of processing.
The policy applies to all NIS products, services, processes and activities that include personal data processing.
The policy is primarily intended for individuals who fill out forms and/or applications and/or use NIS services and products (hereinafter: “Users“) and/or are interested in using the services and products (hereinafter: “Stakeholders”), employees or hired personnel in NIS, but other individuals whose data NIS obtains in the course of its business operations, in accordance with applicable law regulations.
The policy shall not apply to anonymised data, i.e. to data based on which the person is not directly or indirectly identifiable. Anonymised data is data that has been altered in such a way that an individual cannot be identified or is identifiable, and therefore, in accordance with the applicable regulations, is not considered personal data.
NIS processes personal data for various specific, explicit, justified and lawful purposes, and the method of collection, legal basis for processing, use, disclosure and retention periods differ depending on the purpose.
3. Principles of personal data processing
The processing of personal data in NIS is performed in accordance with the principles of personal data processing which ensures the protection of the rights and freedoms of users, stakeholders, employees, hired personnel and other persons whose personal data are processed.
The principles of personal data processing by which NIS ensures the rights and freedoms of data subjects in accordance with the Law are as follows:
a) Legality, fairness and transparency
NIS ensures legal, fair and transparent processing of personal data through the following measures:
- a clear and transparent manner of forwarding information to the data subject about the purpose, method and type of processing of personal data as early as at the stage of personal data collection;
- processing is necessary to perform the contract concluded with the data subject or to take action at the request of the data subject, before concluding the contract
- processing is based on the prior consent of the data subject;
- processing is necessary for NIS to comply with obligations it has as a personal data controller (e.g. forwarding personal data of employees to state authorities based on concluded employment contracts) or to exercise the authorities granted to NIS as a data controller under the law;
- processing is necessary for NIS to pursue its legitimate interests.
b) Limitation of purpose
NIS processes personal data for purposes that are specifically defined, explicit, justified and lawful and such data cannot be processed further in any way that is not in accordance with such purposes.
Before processing personal data for purposes for which NIS has not previously processed personal data or to process already personal data processed for other purposes, NIS assesses the integrated and implied protection of personal data and, if necessary, prepares a data protection impact assessment, if necessary, and obtains the consent of the data subjects.
When assessing the integrated and implicit protection of personal data, NIS assesses whether personal data processing for each product, service, procedure and activity is necessary for a certain purpose.
c) Minimum data volume
When obtaining personal data on the data subject, NIS processes only personal data that are appropriate, relevant and restricted in order to fulfil the purpose for which the data are processed.
NIS ensures the accuracy of personal data, by taking reasonable measures to ensure that inaccurate personal data are deleted or corrected without delay.
e) Restricted retention periods
Data retention periods are determined by NIS internal acts, in such a way that they are retained within the legally determined retention periods and within the deadlines necessary to achieve the purpose of their processing.
In the case of processing personal data after the expiry of the retention period e.g. the preparation of statistical analyses, NIS (permanently) anonymises personal data in a way that prevents identifying the data subject.
f) Integrity and confidentiality
NIS respects the principle of integrity and confidentiality of personal data. NIS has implemented technical and organizational measures to protect personal data while complying with the provisions of the law, good business practices and internationally recognised standards.
The processing of personal data at the data processor’s location is performed under the contract which regulates, among other things, the data processor’s duties to take organisational and technical measures to protect personal data and to report security events that could affect confidentiality and/or integrity of personal data.
4. What category of personal data do we process?
NIS collects and processes the following categories of personal data:
- Information contained in the application forms and forms filled in by the Users and in the form of the request of the Stakeholders.
- Personal data contained in the application forms and requests, which are necessary for the provision of the services, the performance of contractual obligations or the conclusion of the contract. This includes the processing of the following data: name and surname, contact information, address information, gender, date of birth, user card number (e.g. for the Sa nama na putu with Us product).
- Information provided by Users and/or Stakeholders by filling in the relevant forms on our website.
- This includes data obtained by filling out various forms for the purpose of creating accounts for accessing NIS websites, portals and applications, when making inquiries, when filing complaints or objections, sending requests and similar e-activities. Personal data processed for these purposes may include, but are not limited to: name, surname, unique identification number, identification document number, address, telephone number, and e-mail address.
- Information contained in the records on communications and correspondence when establishing contact by the User, Stakeholders and other individuals – records on written and electronic communication.
- Personal data of employees and hired personnel in NIS, in accordance with the needs in relation to employment and exercise of contractual rights and obligations – defined more closely in relevant provisions of the laws, internal policies and other acts of NIS.
- Personal data collected for the purpose of controlling access to NIS facilities.
- Information collected to meet obligations under the law.
- This includes personal data that NIS is obliged to collect, store and process in accordance with the applicable laws of the Republic of Serbia and submit to the competent state authorities (courts, investigation committees, etc.).
- Other information that is collected for certain legitimate interests of NIS.
- When personal data are processed based on a legitimate interest, NIS pays special attention to the impact which data processing may have on the rights and freedoms of the data subjects. The legitimate interests of NIS shall not outweigh the interests of the data subjects. In the event that the legitimate interest of NIS outweighs the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, and especially if the data subject is a minor, NIS shall not process such data without the express consent of the data subject, i.e.the consent of the parent exercising parental rights or another legal representative of the minor in accordance with the relevant regulations.
NIS does not process special types of personal data. Exceptionally, NIS may process these types of data only if the data subject has given his or her explicit consent in accordance with the Law, if such processing is necessary for the performance of NIS’ legal obligations, if it serves to protect the vital interests of the data subject if the data are obviously publicly available if the processing is performed under the legal request, for the public interest as defined by law. Or the processing is necessary for the purposes of archiving in the public interest, for scientific or historical research and for statistical purposes in accordance with the conditions provided by law.
5. How do we collect personal data?
NIS collects personal data in the following manner:
- directly from the Users, Stakeholders – by direct delivery by the User and/or Stakeholder (such as when submitting a request for service at the points of sale)
- directly from employees – when concluding a contract and during the employment
- from publicly available sources – such as, for example, publicly available data
- in exchange with NIS related parties – such as NIS Petrol SRL and NIS Petrol EOOD
from other data controllers under the relevant contract – in situations when another data controller entrusts a certain part of data processing to NIS, and under previously concluded contract, NIS as a data processor may process all personal data entrusted to NIS by another data controller.
A precondition for any collection of personal data is adequate legal grounds in accordance with the Law.
6. Deadlines for keeping personal data
Personal data shall be kept only for as long as is necessary for the purpose of processing unless the applicable regulations provide for a longer or shorter retention period for a particular purpose or in other cases expressly prescribed by law. After that, the data are permanently deleted or anonymised. In the case of processing personal data after the expiration of the retention period (for example, the formation of a database with historical data for statistical analysis), NIS (permanently) anonymises personal data in a way that prevents the identification of the individual such data relates to.
7. On what legal basis do we process personal data?
NIS processes the personal data of the data subject only when such processing is lawful. Processing is lawful in the following cases:
- processing is necessary for the performance of a contract concluded with the data subject or to take action at the request of the data subject prior to the conclusion of the contract.
- processing is necessary in order to comply with the obligations of NIS under the laws (applicable law regulations NIS is required to comply with)
- processing is necessary for NIS or a third party to pursue their legitimate interests, except when such interests are outweighed by the interests or fundamental rights and freedoms of data subjects that request protection of personal data, especially if the data subject is a minor
- the data subject has given his/her consent to the processing of his or her personal data for one or more specific purposes, this consent being provable and voluntary (freely given), written in easy-to-understand language and the data subject is entitled to withdraw such consent at any time
- processing is necessary for the vital interests of the data subject or another individual
- processing is necessary for the purpose of performing activities in the public interest or the authorizations of NIS as specified by the law
8. Measures implemented by NIS during processing
In order to respect the basic principles of personal data processing, NIS implements appropriate protection measures, in accordance with the Law. Below are some of the protection measures implemented by NIS:
- organising training courses on handling personal data in organisational units of NIS;
- separating personal data processed non-automatically from automatically processed personal data;
- separate storage of personal data whose processing is performed for different purposes and when it comes to different categories of personal data;
- restricting the transfer of personal data through open communication channels, computer networks not controlled by NIS and online (with the exception of publicly available and/or anonymised data) without encryption;
- adequate, technical, organisational and personnel measures, such as pseudonymisation, which achieve the goal of ensuring effective protection of personal data;
- takes legal, organisational and technical measures to protect personal data from unauthorised or accidental access, destruction, modification, prevention of access, copying, transfer, publication, as well as other illegal actions related to personal data, all in accordance with the specific assessment risks for each processing individually;
- conducting an assessment of the integrated and implicit protection of personal data during each introduction of a new product, service, activity, process and procedure.
9. Automated decision making
In the course of the regular business cycle, NIS may make decisions that produce legal consequences for the data subject or have a significant impact on the position of the data subject due to automated data processing, including profiling, and such processing is carried out in accordance with:
- applicable laws;
- by fulfilling contractual obligations;
- with the express consent of the data subject;
- legitimate interests of NIS.
The data subject has the right to be exempted from a decision made solely based on automated processing, including profiling, if that decision produces legal consequences for that person or that decision significantly affects his position, unless that decision is:
- necessary for the conclusion or performance of a contract between the data subject and the data controller;
- based on the law, if that law prescribes appropriate measures for the protection of the rights, freedoms and legitimate interests of data subjects;
- based on the express consent of the data subject.
10. Who has access to personal data and to whom are they sent?
Only employees and hired personnel of NIS has access to personal data in accordance with the tasks they perform, under the relevant authorisations determined by NIS and on the need-to-know basis, with the obligation to act in accordance with NIS standards regulating the area of personal data protection.
Personal data are available to third parties outside NIS only in the following cases:
- if there is a legal obligation or an express authorisation
- under the law (e.g. court order);
- if a third party i.e. data processor is hired to perform certain tasks, whereby such data processor acts exclusively in accordance with NIS’ orders, and NIS implements all data protection measures as if it were performing these tasks independently;
- to affiliated companies of NIS, provided that there is a legal basis for such transfer or access
if the data need to be forwarded for the purpose of the performance of contracts between NIS and other legal entities;
- to other persons outside NIS for who the data subject has given express consent.
Personal data are sent to NIS related parties domiciled in other countries, but only if such countries are signatories to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing or otherwise guarantee adequate protection prescribed by law in case of transfer of data abroad.
11. What are data subjects’ rights?
Users, Stakeholders, employees and engaged persons and other persons to whom personal data refer, may exercise the following rights:
a) The right to access personal data
The applicant wishing to exercise this right can obtain information on the processing of personal data relating to him/her, the purpose of processing, the type of personal data being processed, recipients or categories of recipients to whom personal data are or will be disclosed, and in particular recipients in other countries and international organisations, on the envisaged retention periods, or if this is not possible, on the criteria for determining the retention period, on the right to rectification or deletion of personal data, or the right to restrict processing and rights to the objection to processing, the right to file a complaint to the Commissioner, available information on the source of personal data, if personal data are not collected from the persons concerned, on the automated decision-making, including profiling, and, at least in those cases, relevant information on the logic used, as well as the significance and expected impact of such processing on the data subject.
If personal data are transferred to another state or international organisation, the data subject has the right to be informed of the adequate protection measures related to such transfer in accordance with the Law.
NIS is obliged to provide the data subject with a copy of the data it processes when so requested.
If the request for a copy is submitted electronically, the information shall be provided in the commonly used electronic form, unless the data subject has requested otherwise.
The exercise of the rights and freedoms of other persons must not be prejudiced by the exercise of the right to submit a copy.
b) The right to correct and amend personal data
NIS is obliged to enable the data subject to exercise the right to rectification and NIS will take actions to correct inaccurate data of the data subject without undue delay. Taking into account the purpose of the processing, the data subject also has the option to fill in his/her incomplete personal data, which includes giving an additional statement.
c) The right to the restriction of processing
NIS is obliged to enable the data subject to exercise the right to the restriction of processing of his/her personal data by NIS in one of the following cases:
- the data subject disputes the accuracy of personal data, within the time limit that allows NIS to verify the accuracy of personal data;
- processing is unlawful, and the data subject opposes the deletion of personal data and instead of deletion, demands the restriction of the use of data;
- NIS no longer needs personal data to achieve the purpose of processing, but the data subject relates requested them in order to submit, exercise or defend a legal claim;
- the data subject has filed an objection to the processing, and an assessment is underway as to whether the legal basis for the processing by NIS outweighs the interests of that person.
If the processing is restricted in accordance with the request of the data subject, such data may be further processed only with the consent of the data subject, except if it concerns the storage of such data or submitting, exercising or defending a legal claim, for the protection of the rights of other natural or legal persons or for the significant public interest.
NIS is obliged to inform the data subject about the cessation of the restriction before such restriction expires.
d) The right to object
The data subject has the right to object at any time to the lawfulness of the NIS processing of his/her personal data based on adequate legal bases for processing (processing is necessary for the completion of affairs in the public interest or for NIS to perform its authorities under the law; processing is necessary in order for the data controller or third party to pursue their legitimate interests).
Upon receipt of the complaint, NIS will limit the processing of data from item c) above, and after the assessment of the merits of the complaint, stop processing the data on the person who filed the complaint, unless he/she presents the legal reasons for the processing which outweigh the interests, rights or freedoms of the data subjects related to the submission, exercise or defence of a legal claim.
The data subject has the right to object at any time to the processing of his /her personal data for direct advertising, including profiling, to the extent that it is related to direct advertising.
If the data subject objects to the processing for direct advertising purposes, the personal data may not be further processed for such purposes.
e) Right to erasure (“right to be forgotten”)
The data subject has the right to have his/her personal data deleted by NIS. NIS is obliged to delete personal data without undue delay in the following cases:
- personal data are no longer necessary for the purpose for which they were collected or otherwise processed;
- the data subject has withdrawn the consent based on which data were processed, and there is no other legal basis for processing;
- the data subject has objected to the processing in accordance with the Law, and there is no other legal basis for the processing that outweighs the legitimate interests, rights or freedoms of the data subject
- personal data were processed unlawfully
- personal data must be deleted in order for NIS to fulfil its legal obligations
- data were collected on the minor in relation to services obtained from the information company
f) The right of persons to data portability
NIS is obliged to enable the data subject to receive his/her personal data previously submitted to NIS in a structured, commonly used and electronically legible form and has the right to transfer these data to another data controller without interference by NIS to whom this information was provided, if the following conditions are met cumulatively:
- processing is based on the consent of the data subject to the processing of his (special) personal data for one or more specific purposes or under the contract; and
- processing is automatic.
The right of the data subject includes the right to have his/her personal data transferred directly to another data controller by NIS to whom this data was previously provided, if technically feasible.
By acting upon the request of the data subject to exercise his/her right to data portability, NIS shall not adversely affect the exercise of the rights and freedoms of other persons.
12. The manner of exercising the rights of the data subject
Persons to whom personal data refer can exercise their rights by filling out the application at the following link.
The data subject may submit a request in writing or electronically, to the official postal address of NIS or to the official e-mail address of the organisational part of NIS responsible for the data protection management, Information Protection Sector, firstname.lastname@example.org
Employees of NIS shall determine the identity of the applicant by inspecting the personal document. NIS is obliged to act on the request no later than 30 calendar days from the day of receipt of the complete request. The deadline can be extended for another 60 days, only if the application is complex or there is a large number of requests. NIS is obliged to inform the stakeholder about the extension of the deadline and the reasons for that extension within 30 days from the day of receipt of the request.
If NIS fails to act on the applicant’s request, it must inform the applicant of the reasons for not taking any actions, without delay, and no later than within 30 calendar days from the request receipt date. In addition to such notice, NIS must inform the applicant of the right to file a complaint to the Commissioner, i.e. a lawsuit to the court in order to exercise his/her rights.
13. Filing a complaint to the Commissioner for Information of Public Importance and Personal Data Protection
The body supervising personal data protection in the Republic of Serbia is the Commissioner for Information of Public Importance and Personal Data Protection, Bulevar kralja Aleksandra 15, Belgrade (hereinafter: the “Commissioner”).
The data subject has the right to file a complaint to the Commissioner if he/she believes that the processing of his/her personal data was contrary to the provisions of this law.
Filing a complaint with the Commissioner shall not affect the right of this person to initiate other administrative or judicial proceedings to protect his/her data.
14. Management of personal data protection in NIS
The Information Protection Sector has been established in NIS with the role to inform and give opinions on the legal obligations of NIS and legal entities that act as data processors on behalf of NIS in relation to the protection of personal data, to monitor the application of the provisions of the Law and internal regulations of NIS, to give opinions on the assessment of the impact on personal data protection and to monitor the activities based on such assessment, to be a contact point for cooperation with the Commissioner and to consult with the Commissioner on issues related to personal data processing.
You can send all additional questions related to the processing of your personal data, as well as questions related to the exercise of your rights to the Information Protection Sector at the e-mail address: email@example.com.