Privacy Policy

The Privacy Policy (hereinafter: the Policy) governs the general rules of personal data processing related to visitors of RATEL’s website The Cookie Policy, governing the use of cookies and how they collect and process personal data, is also an integral part of this Policy.

General provisions

In this Privacy Policy, the Regulatory Agency for Electronic Communications and Postal Services, Palmotićeva 2, 11000 Belgrade, identification number: 17606590, (hereinafter: the Agency), in its capacity as Data Controller, pursuant to the Law on Personal Data Protection („Official Gazette of RS“, No. 87/18, hereinafter: the LPDP), defines the type of personal data it collects and processes during the browsing of the website, how it handles the data, and informs the public accordingly.
The Agency shall process the user’s personal data in a lawful, fair and transparent manner in relation to the data subject and shall protect these data by implementing appropriate technical, organizational and personnel measures. The Agency shall collect data for specified, explicit, legitimate and lawful purposes. The data collected by the Agency shall be adequate and limited to what is necessary in relation to the purposes for which they are processed. The Agency shall also undertake all reasonable measures to provide that the data be accurate and up-to-date.

What kind of personal data does the Agency collect?

While performing the entrusted tasks based on public authorization, the Agency collects the following type of data: first and last name, address of residence, unique master citizen number, date of birth, sex, IP address, email address, telephone number.

On what legal grounds does the Agency collect and process personal data?

The legal grounds for collection and processing of personal data performd by the Agency, as defined in the LPDP, can be the folowing: consent of the data subject (Article 12, paragraph 1), performance of contractual obligations or taking steps prior to entering into a contract (Article 12, paragraph 2), compliance with legal obligations to which the Controller is subject (Article 12, paragraph 3) and performance of tasks carried out in the public interest or in the exercise of official authority vested in the Controller (Article 12, paragraph 5).

For what purposes does the Agency collect personal data?

Personal data are collected exclusively for the purposes of smooth operation of the Agency within its vested competence and in the aim of ensuring rights and obligations of the data subject and implementing administrative and other procedures pursuant to the law. Personal data are used solely for personal identification and establishment of the facts necessary for the use of relevant procedures.
 The Agency collects users’ personal data for specified, explicit and legitimate purposes and does not process them in a manner that is incompatible with those purposes. Data collected for one specific purpose shall not be used for any other purpose or in any other manner that might be incompatible with the consented purpose, i.e. the purpose for which that data was collected.
 Personal data are used and processed exclusively by authorized persons employed at the Agency, as part of their regular professional tasks and activities within the Agency’s competence. The person from whom personal data are collected, i.e. the data subject, discloses the data willingly, in line with the provisions set forth in the Law on Electronic Communications, Law on Postal Services, General Administrative Procedure Act, Law on Personal Data Protection and other applicable laws and regulations.

How does the Agency collect your data?

During the visit to our website, the browser you are using on your device will automatically send the following data to our website server: chosen language and font size, IP address of the device the request was sent from, date and time of the access, name and URL of the downloaded database, web page from which the access was made (referrer URL), the browser you are using and, if necessary, the operating system installed on your device, along with the name of your Internet access provider. These data will be stored temporarily (for approximately one month) in a log database, for the following purposes: establishment of a smooth connection, easy and comfortable use of our website and assessment of system security and stability.

 While performing public authorizations entrusted to it pursuant to the laws applicable to its activities, the Agency decides on complaints and requests, and during this process it handles personal data of the submitters. In performing the tasks within its competence, the Agency will only collect personal data it needs to act accordingly and resolve the submitter’s complaint or request, during which a separate record is kept for each single file. In the process, the Agency shall collect the following personal data: first and last name, address, e-mail address, city, IP address from which the complaint/request was sent.

The Agency uses e-counter (e-permits, e-complaints etc.) as a tool for interested parties to submit requests electronically. In order to use e-counter, an electronic certificate is needed to log in on RATEL’s website. While providing these services, the Agency uses the following user personal data contained in the qualified certificates: first and last name, unique master citizen number, date of birth.
In addition, the Agency makes it possible for the users to communicate electronically through e-mail address In that case, the Agency collects the following data: first and last name and e-mail address. These personal data will only be used for the purpose of communication with the user, i.e. to provide an answer to the sent question, and shall not be processed in any other way, nor shall be passed on to third parties.
Pursuant to applicable regulations, the Agency is obliged to publish the decisions it adopts. It shall also publish reports involving statistical data on the number of requests, without the possibility to identify the user. In addition, the Agency shall publish specific records, i.e. databases (such as database on the use of numbering, database on the use of RF spectrum, record of operators of public communication networks and services, registry of issued permits to postal operators and other), in line with its legal obligations, however such databases shall not contain publicly available personal data.

Definition of terms:

  • “personal data” means any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • „data subject“ means any natural person whose personal data are being processed
  • „controller“ means the natural or legal person, or public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data;
  • „processor“ means a natural or legal person, or public authority which processes personal data on behalf of the controller;
  • „processing of personal data“ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (hereinafter: processing);
  • „privacy policy“ is a statement or a legal document explaining how and why personal data are collected and processed, along with collector’s responsibilities and citizens’ rights;
  • „cookies“ are text files stored locally in the user’s browser, exchanged between the website and user’s device as a short-term memory of user’s activity on the website.

How does the Agency protect personal data?

In order to ensure personal data protection, the Agency uses advanced technologies combined with an efficient security control management. For maximum data protection in line with the international standards, the Agency plans to implement standards ISO 27001 and COBIT, and has designated an officer for personal data protection, with a designated authorized person for cyber and communication security already in place.
 In addition, the Agency is committed to applying the highest possible data protection standards, subsequently implementing all necessary organizational, technical and personnel measures, including but not limited to:
  • technical protection measures,
  • physical access control to the system where personal data are stored,
  • data access control,
  • data entry control,
  • data availability control,
  • other cyber security measures,
  • all other necessary measures of personal data protection.
All personal data processors and/or recipients are equally bound to implement the prescribed protection measures pursuant to the signed contract with the Data Controller, and the legally prescribed standards and requirements.

For how long does the Agency store its users’ personal data?

The Agency, as a legal person entrusted with public authorizations, is obligated to store documents and data contained in it, within the set time limits defined in the applicable laws and bylaws.

Personal data recipients and processors

Personal data recipients can include:

  1. State authorities – administrative bodies and judicial organs, independent authorities (Commissioner, Ombudsman), organizations entrusted with public authorizations, regulatory bodies and operators when submitting data pertaining to complaints or requests before the competent court or to the administrative body, independent authority, organization entrusted with public authorizations, regulatory body, operator of electronic communications or postal service provider, during the complaint handling by the Agency; 
  2. Other legally authorized entities (such as public enforcement officers, administrative receivers etc.);
  3. Data Processors – based on special agreements or other legally binding acts made in compliance with Article 45 of the LPDP, the Agency is entitled to hire data processors that will process personal data at the request and on behalf of the Agency (such as independent auditors, IT companies, accounting agencies and similar).

The Agency shall not transmit users’ personal data to other countries or international organizations.

What are the rights of persons whose personal data are processed by the Agency?

Right of access

The data subject shall have the right to obtain from the Agency confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed; the envisaged period for which the personal data will be stored or the criteria used to determine that period; the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority (the Commissioner); where the personal data are not collected from the data subject, any available information as to their source; and the existence of automated decision-making. (Article 26 of the LPDP)

Right of rectification and completion

The data subject shall have the right to obtain without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. (Article 29 of the LPDP)

Right to erasure of personal data

The data subject shall have the right to obtain the erasure of personal data concerning him or her, if the requirements from Article 30 of the LPDP are fulfilled.

Right to restriction of processing

The data subject shall have the right to obtain restriction of processing, if one of the requirements under Article 31, paragraph 1 of the LPDP has been fulfilled.

Right to object

If deemed legitimate, the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, to the Agency (Palmotićeva 2, 11000 Belgrade).

Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Agency, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Agency, if the requirements from Article 36 of the LPDP have been cumulatively fulfilled.
The Agency shall provide information regarding the exercise of rights under Articles 26, from 29 to 31 and 36 of the LPDP, free of charge. Where the data subject’s requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Agency may:
  • charge a reasonable fee based on administrative costs, i.e. acting on the request;
  • refuse to act on the request.

Automated decision-making and profiling

Automated decision-making is the process of making a decision by automated means without any human involvement. “Profiling” means any form of automated processing of personal data relating to a natural person, in particular to analyse that person’s habits, interests or online behaviour.

The Agency does not employ automated decision-making nor does it perform any kind of profiling on this site.


The Agency’s website uses cookies, which enable site functionality and provide a better user experience.

During the visit to the above website of the Agency, a notification will appear asking permission to use cookies. You are free to decide whether the browser on your computer or mobile device will automatically accept and store all cookie categories described in the following text.

Cookie categories used on this site

Necessary cookies – help you use the Internet page, allowing your navigation through the website and the use of its functions. The web location cannot work properly without these cookies.
Statistics cookies – help the owner of the website (the Agency) understand how the visitors use the website. To that purpose, in order to analyze the frequency of website visits and track the browsing of specific sections and improve the service, we use Google Analytic, a web analytics tool provided by Google Inc.

How to delete cookies?

„Cookies“ can be deleted or disabled from your Internet browser. Here are the links containing detailed instructions as to how to delete cookies from some of the most used browsers:

If you are using another browser, please follow the instructions of the relevant provider.

Other sites’ privacy policy

From the website it is possible for you to connect to other Internet pages, the Agency’s sub-domains, by using the following links:, ,,,, . This Privacy Policy does not apply to these websites.

On the Agency’s website there are links to social networks Facebook, Youtube, Linkedin, possibly including other platforms as well. All data collected by these platforms during your website visit, as well as the data you willingly disclose on these social networks, are subject to both this Policy and the provisions prescribed by the above platforms in their Terms of Service/Terms of Use, Privacy Policy, Cookie Policy. As for the legal definition referring to the collection and processing of personal data gathered in this manner from the data subjects, both the Agency and relevant social networks shall be considered as joint controllers.

Privacy policy of the above platforms can be found at the following links:

Entering into force and updating of the Act on RATEL’s privacy policy

This Privacy Policy shall enter into force on the day of its publishing on the Agency’s website

The Agency’s Privacy Policy can be changed or amended due to changes in the applicable legislation, following an initiative by the Agency, the users or the competent body (the Commissioner for Information of Public Importance and Personal Data Protection).

All subsequent changes will be timely published on the Agency’s official website

How to contact us?

You can send your questions and requests regarding personal data processing to the authorized person for personal data protection, via the following emails: or

Headquarters address: Regulatory Agency for Electronic Communications and Postal Services, Palmotićeva 2, 11000 Belgrade.

Supervisory authority

The monitoring of the LPDP application is carried out by the Commissioner for Information of Public Importance and Personal Data Protection.

If you feel your right to personal data protection has been violated by the Agency, you are entitled, pursuant to Article 82, paragraph 1 of the LPDP, to lodge a complaint with the Commissioner at:, or to: the Commissioner for Information of Public Importance and Personal Data Protection, Bulevar Kralja Aleksandra 15, 11000 Belgrade.

The complaint form is available on the website of the Commissioner, in the section data protection/forms.