The Privacy Policy governs the general rules of personal data processing related to visitors of the website of the Regulatory Authority for Electronic Communications and Postal Services www.ratel.rs. The Cookie Policy, governing the use of cookies and how they collect and process personal data, is an integral part of this Policy.

General provisions

In this Privacy Policy, the Regulatory Authority for Electronic Communications and Postal Services, Palmotićeva 2, 11000 Belgrade, identification number: 17606590, (hereinafter: the Regulator), in its capacity as Data Controller, pursuant to the Law on Personal Data Protection („Official Gazette of RS“, No. 87/18, hereinafter: the LPDP), defines in a clear and transparent manner the type of personal data it collects and processes during the browsing of the website www.ratel.rs, and notifies the public about the handling thereof.

The Regulator shall process the user’s personal data in a lawful, fair and transparent manner in relation to the data subject and shall protect these data by implementing appropriate technical, organizational and personnel measures. The Regulator shall collect data for specified, explicit, legitimate and lawful purposes. The data collected by the Regulator shall be adequate and limited to what is necessary in relation to the purposes for which they are processed. The Regulator shall also undertake all reasonable measures to provide that the data be accurate and up-to-date.

What kind of personal data does the Regulator collect?

While performing the entrusted tasks based on public authorization, the Regulator collects the following type of data: first and last name, address of residence, unique master citizen number, date of birth, sex, e-mail address, telephone number.

On what legal grounds does the Regulator collect and process personal data?

The legal grounds for collection and processing of personal data performd by the Regulator, under Article 12 of the LPDP, can be the folowing: consent of the data subject (Article 12, paragraph 1), compliance with legal obligations to which the Controller is subject (Article 12, paragraph 3) and performance of tasks carried out in the public interest or in the exercise of official authority vested in the Controller (Article 12, paragraph 5).

For what purposes does the Regulator collect personal data?

Personal data are collected exclusively for the purposes of smooth operation of the Regulator within its vested competence, in the aim of ensuring rights and obligations of the data subject and implementing administrative and other procedures pursuant to the law.

The Regulator shall collect users’ personal data for specified, explicit and legitimate purposes and process them in a manner that is compatible with the purposes for which they are collected. Data collected for one specific purpose shall not be used for any other purpose or in any other manner that might be incompatible with the consented purpose for which they were collected.

Personal data are used and processed exclusively by authorized persons employed at the Regulator, as part of their regular professional tasks and activities within the Regulator’s competence. The person from whom personal data are collected, i.e. the data subject, discloses the data willingly, in line with the provisions set forth in the Law on Electronic Communications, Law on Postal Services, General Administrative Procedure Act, Law on Personal Data Protection and other applicable laws and regulations.

How does the Regulator collect your data?

During the visit to our website, the browser you are using on your device will automatically, with no activity on your part, send the following data to our website server: chosen language and font size, IP address of the device the request was sent from, date and time of the access, name and URL of the downloaded database, web page from which the access was made (referrer URL), the browser you are using and, if necessary, the operating system installed on your device, along with the name of your Internet access provider. These data will be stored temporarily (for approximately one month) in a log database, for the following purposes: establishment of a smooth connection, easy and comfortable use of our website and assessment of system security and stability.

While performing public authorizations entrusted to it pursuant to the laws applicable to its activities, the Regulator decides on complaints and requests, and during this process it handles personal data of the submitters. In performing the tasks within its competence, the Regulator shall only collect personal data it needs to act accordingly and resolve the submitter’s complaint or request, during which a separate record is kept for each single file. In the process, the Regulator shall collect the following personal data: first and last name, address, e-mail address and possibly contact information (telephone number), if necessary.

The Regulator uses e-desk (e-permits, e-complaints etc.) as a tool for interested parties to submit requests electronically. While providing these services, the Regulator shall use the following user personal data: first and last name, address information and e-mail address.

In addition, the Regulator makes it possible for users to communicate electronically through e-mail address ratel@ratel.rs. In that case, the Regulator collects the following data: first and last name and e-mail address. These personal data shall only be used for the purpose of communication with the user, i.e. to provide an answer to the sent question, and shall not be processed in any other way, nor shall be passed on to third parties.

Pursuant to applicable regulations, the Regulator is obliged to publish the decisions it adopts. It shall also publish reports involving statistical data on the number of requests, without the possibility to identify the user. In addition, the Regulator shall publish specific records, i.e. databases (such as database on the use of numbering, database on the use of RF spectrum, records of operators of public communication networks and services, registry of issued permits to postal operators and other), required in line with its legal obligations, however such databases shall not contain publicly available personal data.

Definition of terms

“personal data” means any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

·      „data subject“ means any natural person whose personal data are being processed;

·    „controller“ means the natural or legal person, or public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data;

·    „processor“ means a natural or legal person, or public authority which processes personal data on behalf of the controller;

·    „processing of personal data“ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, i.e. provision, replication, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (hereinafter: processing);

·    „privacy policy“ is a statement or a legal document explaining how and why personal data are collected and processed, along with collector’s responsibilities and citizens’ rights;

·    „cookies“ are text files stored locally in the user’s browser, exchanged between the website and user’s device as a short-term memory of user’s activity on the website.

How does the Regulator protect personal data?

In order to ensure personal data protection, the Regulator uses advanced technologies combined with an efficient security control management. The Regulator has also designated an officer for personal data protection, with an authorized person for the Regulator’s ICT security already in place.

 In addition, the Regulator is committed to applying the highest possible data protection standards within its business structure, subsequently implementing all necessary organizational, technical and personnel measures, including but not limited to:

·        technical protection measures,

·        physical access control to the system where personal data are stored,

·        data access control,

·        data entry control,

·        data availability control,

·       other cyber security measures,

·       all other necessary measures of personal data protection.

All personal data processors and/or recipients are equally bound to implement the prescribed protection measures pursuant to the signed contract with the Data Controller, and the legally prescribed standards and requirements.

For how long does the Regulator store its users’ personal data?

The Regulator, as a legal person entrusted with public authorizations, is obligated to store documents and data contained in it, within the set time limits defined in the applicable laws and bylaws.

Personal data recipients and processors

Personal data recipients can include:

1.      State authorities – administrative bodies and judicial organs, independent authorities (Commissioner, Ombudsman), organizations entrusted with public authorizations, regulatory bodies and operators when submitting data pertaining to user complaints, objections or requests before the competent court or to the administrative body, organizations entrusted with public authorizations, regulatory authorities, as well as operators of electronic communications or postal service providers, during the handling of user complaints about the work of these operators by the Regulator; 

2.      Other legally authorized entities (such as public enforcement officers, administrative receivers etc);

3.      Data Processors – based on special agreements or other legally binding acts made in compliance with Article 45 of the LPDP, the Regulator is entitled to hire data processors that will process personal data at the request and on behalf of the Regulator (such as independent auditors, IT companies, accounting agencies and similar).

The Regulator shall not transmit users’ personal data to other countries or international organizations.

What are the rights of persons whose personal data are processed by the Regulator?

Right of access

The data subject shall have the right to obtain from the Regulator confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed; the envisaged period for which the personal data will be stored or the criteria used to determine that period; the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority (the Commissioner); where the personal data are not collected from the data subject, any available information as to their source; and the existence of automated decision-making (Article 26 of the LPDP).

Right of rectification and completion

The data subject shall have the right to obtain without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement (Article 29 of the LPDP).

Right to erasure of personal data

The data subject shall have the right to obtain the erasure of personal data concerning him or her, if the requirements from Article 30 of the LPDP are fulfilled.

Right to restriction of processing

The data subject shall have the right to obtain restriction of processing, if one of the requirements under Article 31, paragraph 1 of the LPDP has been fulfilled.

Right to object

If deemed legitimate, the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, to the Regulator (Palmotićeva 2, 11000 Beograd).

Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Regulator, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Regulator, if the requirements from Article 36 of the LPDP have been cumulatively fulfilled.

The Regulator shall provide information regarding the exercise of rights under Articles 26, from 29 to 31 and 36 of the LPDP, free of charge. Where the data subject’s requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Regulator may:

·         charge a reasonable fee based on administrative costs, i.e. acting on the request;

·         refuse to act on the request.

Automated decision-making and profiling

Automated decision-making is the process of making a decision by automated means without any human involvement. “Profiling” means any form of automated processing of personal data relating to a natural person, that person’s habits, interests or online behaviour.

The Regulator does not employ automated decision-making nor does it perform any kind of profiling on this site.

Cookies

At its website www.ratel.rs, the Regulator uses only necessary cookies that enable site functionality and provide a better user experience.

Necessary cookies - help make the website usable by enabling basic functions such as page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

Other sites’ privacy policy

From the Regulator’s website www.ratel.rs it is possible to get connected to other Internet pages, the Regulator’s sub-domains, via the following links: https://nettest.ratel.rs/, http://emf.ratel.rs/, http://benchmark.ratel.rs/, http://www.prenesibroj.rs, https://www.ceneusluga.rs/, https://www.cert.rs/, https://gis.ratel.rs/smartPortal/postanskeUsluge, https://www.nezovi.rs/#/search). This Privacy Policy does not apply to these websites.

On the Regulator’s website there are links to social networks (Facebook, Youtube, Linkedin and Instagram), possibly including other platforms as well. All data collected by these platforms during your website visit, as well as the data you willingly disclose on these social networks, are subject to both this Policy and the provisions prescribed by the above platforms. As for the legal definition referring to the collection and processing of personal data gathered in this manner from the data subjects, both the Regulator and relevant social networks shall be considered as joint controllers.

Privacy policy of the above platforms can be found at the following links:

-          https://www.facebook.com/policy.php

-          https://www.youtube.com/about/policies/#community-guidelines

-          https://www.linkedin.com/legal/privacy-policy

-          https://privacycenter.instagram.com/policy

Entry into force and updating of the Act on RATEL’s privacy policy

This Privacy Policy shall enter into force on the day of its publishing on the Regulator’s website www.ratel.rs.

The Regulator’s Privacy Policy can be changed or amended due to changes in the applicable legislation, following an initiative by the Regulator, the users or the competent body (the Commissioner for Information of Public Importance and Personal Data Protection).

All subsequent changes will be published in a timely manner on the Regulator’s official website www.ratel.rs.

How to contact us?

You can send your questions and requests regarding personal data processing to the authorized person for personal data protection, via the following:

Ø  e-mails: milica.bosnic@ratel.rs or ratel@ratel.rs.

Ø  Headquarters address: Regulatory Authority for Electronic Communications and Postal Services, Palmotićeva 2, 11000 Belgrade.

Supervisory authority

The monitoring of the LPDP application is carried out by the Commissioner for Information of Public Importance and Personal Data Protection.

If you feel your right to personal data protection has been violated by the Regulator, you are entitled, pursuant to Article 82, paragraph 1 of the LPDP, to lodge a complaint with the Commissioner at:

Ø  e-mail: office@poverenik.rs or

Ø  Headquarters address: Commissioner for Information of Public Importance and Personal Data Protection, Bulevar kralja Aleksandra 15, 11000 Belgrade.

The complaint form is available on the website of the Commissioner www.poverenik.rs, in the section Data protection/forms.