Privacy policy

[1] INTRODUCTORY PROVISIONS

1.1. Comtrade Distribution d.o.o. Beograd with the registered seat in Belgrade, Municipality of Novi Beograd, Bulevar Zorana Đinđića 125i, Company Reg. No.: 17172140, TIN: 100000104 [hereinafter referred to as: »Comtrade«] informs all persons whose personal data are subject to collection and processing that their personal data will be processed in accordance with all the applicable laws and bylaws as well as in accordance with the rules contained in these Rules on Personal Data [hereinafter referred to as: »Rules«].

1.2. While conducting its business operations, Comtrade may assume the role of a personal data controller when, either independently or jointly with other controllers, defines the data processing purpose and method, whereas in certain other activities it may function as a processor processing the personal data on behalf of a third-party controller. In situations when Comtrade assumes the role of a personal data processor on behalf of a third-party controller, the data are being processed in accordance with an agreement or any other legally binding document defining the issues of personal data processing and protection, fully in compliance with the Law on Personal Data Protection [“Official Gazette of the RS”, No. 87/2018 – hereinafter referred to as: »Law«] as well as with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [“Official Gazette of the RS”, No. 87/2018 – hereinafter referred to as: »GDPR«].

1.3. The Rules have been published on Comtrade website [https://www.www.comtradedistribution.com] in order to inform everyone in detail about how Comtrade processes personal data, including the information about: [1] how personal data are collected, processed and protected, [2] how data subjects enforce their rights, [3] internationally recognised standards for personal data processing and protection.

1.4. The purpose of these Rules is to establish the basic principles regarding protection of personal data during their collection. In the course of personal data collection and processing, Comtrade shall follow the principles laid down in Article 5 of the Law and Article 5 of the GDPR stating that personal data shall be:

processed lawfully, fairly and in a transparent manner in relation to the data subject [lawfulness, fairness and transparency];
collected for specified, explicit, justified and legitimate purposes and not further processed in a manner that is incompatible with those purposes [purpose limitation];
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed [data minimisation];
accurate and, where necessary, kept up to date [accuracy];
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed [storage limitation];
processed in a manner that ensures appropriate protection of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical, organisational, and personnel-related measures [integrity and confidentiality].

1.5. Personal data protection in the Republic of Serbia is provided by the Commissioner for Information of Public Importance and Personal Data Protection [hereinafter referred to as: Commissioner] whose head office is in Belgrade, Bulevar kralja Aleksandra 15. The Commissioner’s contact information:

EMAIL ADDRESS: office@poverenik.rs
PHONE: +381 11 34 08 900
WEBSITE: www.poverenik.rs

[2] MEANING OF THE TERMS USED IN THE RULES

2.1. The specific terms used in these Rules shall have meaning stated below:

TERM	MEANING

CONTROLLER	Comtrade Distribution d.o.o. Beograd, Belgrade, Municipality of Novi Beograd, Bulevar Zorana Đinđića 125i Company Reg. No.: 17172140, TIN: 100000104 email: distribution.rs@comtrade.com contact phone: +381 (11) 201 55 55

DATA PROTECTION OFFICER	Dejan Perkovski email: dperkovski@comtrade.com contact phone: +381652096909

PERSONAL DATA	Any information relating to a natural person who is or can be identified, directly or indirectly, in particular by reference to an identifier such as a name and identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

DATA SUBJECT	A natural person whose personal data are processed

PROCESSING OF PERSONAL DATA	Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, grouping or structuring, storage, adaptation or alteration, disclosure, consultation, use, disclosure by transmission or submission, reproduction, dissemination or otherwise making available, comparison, restriction, erasure or destruction (hereinafter referred to as: processing)

RESTRICTION OF PROCESSING	The marking of stored personal data with the aim of limiting their processing in the future

PROFILING	Any form of automated processing used to evaluate certain personal aspects, in particular to analyse or predict aspects concerning a natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements

PSEUDONYMISATION	The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical, organisational and personnel-related measures to ensure that the personal data are not attributed to an identified or identifiable person

FILING SYSTEM	Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis

PROCESSOR	A natural or legal person processing personal data on behalf of Comtrade

RECIPIENT	A natural or legal person, or a public authority to which the personal data are disclosed, whether a third party or not, unless this involves public authorities which receive personal data in accordance with the law and as a part of research of a specific case, and further process these data in compliance with the personal data protection rules relating to the purpose of the processing

THIRD PARTY	A natural or legal person, or a public authority other than the data subject, controller or processor, and other than the person who, under the direct authority of the controller or processor, is authorised to process personal data

CONSENT	Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

PERSONAL DATA BREACH	A breach of personal data security leading to an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed

PUBLIC AUTHORITY	A state authority, body of a territorial autonomy or unit of local self-government, public enterprise, institution or any other public service, organisation or any other legal or natural person with public authorities

COMPETENT AUTHORITIES	[1] Public authorities in charge of prevention, investigation and detection of criminal offences as well as of prosecution of criminal offenders or imposition of criminal sanctions, including protection and prevention of public and national security threats; [2] A legal entity authorised by law to perform the activities referred to in item a) hereof

[3] ENFORCEMENT OF RULES

3.1. The Rules apply to all actions involving collection and processing of personal data of the employees, potential employees – candidates [potential future employees], customers, users of Comtrade services such as Comtrade software and mobile app users, as well as other persons who consent to the usage of their personal data to receive marketing messages and persons who use Comtrade accounts on social media or Comtrade website referred to in Article 1.3 fully in compliance with these Rules.

3.2. Comtrade collects, processes and stores only the minimum personal data as defined by the Law or GDPR by applying the corresponding technical and organisational measures in order to accomplish the purpose of data collection and processing.

[4] CATEGORIES OF PERSONAL DATA COLLECTED AND PROCESSED

4.1. Comtrade processes only the minimum personal data that is necessary to achieve the specific purpose, including the following:

Regarding the employees, the data collected and processed are those laid down by the applicable Labour Law and the laws governing the social protection and health care of the employees, whereas the purpose of processing these categories of data is to fulfil legal obligations Comtrade has as an employer, which makes such processing necessary in order to meet Comtrade obligations fully in accordance with Article 12, paragraph 1, item 3 of the Law and Article 6, paragraph 1, item 3 of the GDPR. Furthermore, Comtrade also processes other data that the employees decide to make available to Comtrade to accomplish other purposes according to other legal bases.
Regarding the job candidates [potential future employees], the data collected and processed include first and last name, personal ID number, gender, date and place of birth, permanent residence address, accommodation address, phone number, email address, education level and educational qualifications as well as other personal data that a person decides to share with Comtrade. Such processing is necessary in order to take action, as demanded by the data subject and in accordance with Article 12, paragraph 1, item 2 of the Law and Article 6, paragraph 1, item 2 of the GDPR, prior to signing the Employment Contract or any other work engagement, to contact such person should the need for their employment arise. After a specific job opening expires, the persons who are not hired can decide to leave their data available in Comtrade’s electronic records so that Comtrade could be able to contact them again should the need for their work engagement arise in the future. This means that, starting from the expiry of a specific job opening, any further processing of personal data shall be based on consent of the job candidates [potential future employees] in terms of Article 12, paragraph 1, item 1 of the Law and Article 6, paragraph 1, item 1 of the GDPR. If a job candidate is hired, his/her data shall be further processed in accordance with the method of data processing defined for all other employees.
Regarding the users of Comtrade services, such as software and mobile app users, and the participants in promotions organised by Comtrade, the personal data which are collected and processed are the personal data required to perform the services under the contract and these include first and last name, email address, payment card details and phone number, which is in accordance with Article 12, paragraph 1, item 2 of the Law and Article 6, paragraph 1, item 2 of the GDPR.
Regarding the interested persons who opt to receive marketing-related messages from Comtrade as well as newsletters, the personal data which are collected and processed include email address as well as first and last name, and these data are required in order to serve Comtrade’s legitimate interests such as promoting the sale of new products and providing Comtrade services based on the consent of the interested persons in terms of Article 12, paragraph 1, item 1 of the Law and Article 6, paragraph 1, item 1 of the GDPR as well as Article 12, paragraph 1, item 6 of the Law and Article 6, paragraph 1, item 6 of the GDPR.
Regarding the persons who follow Comtrade on social media, the personal data collected and processed shall be the ones that comply with the privacy policies of respective social media and that are marked as publicly available. Such data processing shall be performed based on consent of the data subjects. By consenting to the use of specific social media and by liking, following or taking any other similar action on social media within the meaning of Article 12, paragraph 1, item 1 of the Law and Article 6, paragraph 1, item 1 of the GDPR, a person shall be deemed to consent to processing of his or her personal data and such data shall be processed for marketing purposes [promotions] related to Comtrade products and services;

[5] HOW PERSONAL DATA ARE COLLECTED

5.1. Comtrade shall collect personal data directly from the data subjects which include:

Employees and persons hired according to some other legal basis, without employment, fully in compliance with the Labour Law, as well as future candidates for employment [potential future employees];
Comtrade product buyers and Comtrade service users;
Participants in promotions organised by Comtrade, recipients of newsletters and other marketing messages;
Comtrade website users and users of Comtrade social media accounts.

5.2. When personal data are collected indirectly, Comtrade shall, if possible and feasible in a specific situation, previously obtain information about whether the person imparting the data is authorised to disclose other person’s personal data to Comtrade for Comtrade’s use and further processing. The person imparting other person’s personal data shall notify the person whose personal data are given to Comtrade about this and inform such person about all relevant aspects of processing, fully in accordance with Article 24 of the Law and Article 14 of the GDPR.

[6] COLLECTING AND PROCESSING OF SPECIAL PERSONAL DATA

6.1. Comtrade shall not collect or process personal data revealing race or ethnicity, political opinion, religious or philosophical belief or union membership, and it shall not process genetic information, biometric information used for unique identification of a person, health-related information or sexuality-related information or a natural person’s sexual orientation, which data are defined as special categories of personal data pursuant to Article 17 of the Law and Article 9 of the GDPR.

[7] LEGAL BASIS FOR PERSONAL DATA COLLECTION AND PROCESSING

7.1. Pursuant to Article 12 of the Law and Article 6 of the GDPR, processing shall be lawful and data shall be collected from persons if one of the following conditions of lawfulness of collection and processing applies:

the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with legal obligations to which the controller is subject;
processing is necessary in order to protect the vital interests of the data subject or of another natural person;
processing is necessary for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a minor.

[8] PURPOSE OF PROCESSING

8.1. In a specific case, Comtrade shall collect and process personal data for the following purposes:

performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, pursuant to Article 12, paragraph 1, item 2 of the Law and Article 6, paragraph 1, item 2 of the GDPR, and in relation to Comtrade product buyers and/or Comtrade service users;
obtaining consent from data subjects within the meaning of Article 15 of the Law and Article 7 of the GDPR with regard to Comtrade job candidates and Comtrade newsletter receivers, in which case you will be entitled to withdrawal at any time pursuant to Article 12 of this Privacy Policy;
meeting Comtrade’s legal obligations, fully in accordance with Article 12, paragraph 1, item 3 of the Law and Article 6, paragraph 1, item 3 of the GDPR with regard to Comtrade employees;
serving Comtrade’s or a third party’s legitimate interests such as promoting the sale of new products and providing Comtrade’s services based on the consent of the interested persons fully pursuant to Article 12, paragraph 1, items 1 and 6 of the Law and Article 6, paragraph 1, items 1 and 6 of the GDPR, depending on the category of the personal data being processed as well as on the purpose of personal data processing.

8.2. In accordance with the principles and provisions contained in these Rules, Comtrade shall collect and process personal data depending on the category of persons whose personal data are subject to processing, and shall do so for the following purposes:

meeting the obligations referred to in the signed Employment Contract or any other contract based on which a certain person is hired without employment, in relation to persons employed or in some other way hired by Comtrade;
employment or any other type of work engagement without employment, in relation to job candidates [future employees];
reaching out to job candidates [future employees] after a specific job opening expires, in relation to candidates who consent to processing of their data after expiry of the specific job opening;
meeting the legal obligations Comtrade has as an employer, which obligations are referred to in the Labour Law, Law on the Records in the Field of Employment, and other laws governing the field of social and health insurance, in relation to persons employed or in some other way hired by Comtrade;
meeting the obligations referred to in the Comtrade Products Purchase Agreement, making use of Comtrade services via software or online apps, and processing of persons’ data, with their own consent, for marketing purposes – promotion of Comtrade products.

[9] STORAGE OF PERSONAL DATA

9.1. Collected personal data shall be stored over the time interval required to achieve the purpose of personal data processing for which such personal data have been originally collected, and on that account:

Data on employees shall be stored permanently, in compliance with the obligations laid down by the law governing the records in the field of employment, whereas the data on job candidates shall be stored until the processing for the purpose of potential employment is achieved or until a consent is withdrawn within the meaning of Article 15, paragraph 3 of the Law and Article 7, paragraph 3 of the GDPR. In case of employment or work engagement on any other basis stipulated by the Labour Law, personal data shall be stored in compliance with the employee data storage period;
Data collected via the video surveillance system installed in Comtrade’s business premises shall be stored for a one-year interval starting from the date of their collection;
Data collected for the purpose of execution of the contract concluded with the product buyers and service users shall be stored until the purpose for which they have been collected is achieved, i.e. until the contract is executed and contractual services are provided;
Data on persons who consent to the use of their personal data for marketing purposes [notifications on promotions and new products, newsletters etc.] shall be stored until their consent is withdrawn pursuant to Article 15, paragraph 3 of the Law and Article 7, paragraph 3 of the GDPR, having in mind that such persons have opted to be informed by Comtrade about all the news and promotions, and such data shall consequently be used until these persons no longer want them to be used in such manner;
Personal data collected from persons following Comtrade on social media shall be stored in accordance with the rules of these social media.

[10] AUTOMATED DECISION-MAKING AND PROFILING

10.1. Data subject has the right not to be subject to a Comtrade’s decision based solely on automated processing, including but not limited to profiling, if such decision produces legal consequences for such person or if such decision significantly affects his or her position, except if such decision:

is necessary for entering into, or performance of, a contract between the data subject and Comtrade;
is based on law, provided that such law lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests;
is based on the data subject’s explicit consent.

10.2. Comtrade shall implement suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests, including at least the following: [1] the right to obtain an intervention by a natural person controlled by Comtrade with regard to decision-making, [2] the data subject’s right to express his or her point of view with regard to Comtrade’s decision, and [3] the data subject’s right to contest the decision before Comtrade’s authorised person.

[11] SECURITY OF PROCESSING

11.1. All personal data collected and processed by Comtrade shall be stored in hardcopy or electronic format. In order to ensure security of personal data collected by Comtrade, all the necessary and applicable organisational, technical and personnel-related measures shall be implemented fully in accordance with the Law and GDPR by applying the following:

pseudonymisation and encryption of personal data;
restriction of physical access to the system containing the data which may be accessed only by authorised persons. An authorised person shall exclusively mean a person whose work assignments involve access to personal data to the extent demanded by such assignments. Authorised persons shall access personal data using a password.

[12] RIGHTS OF PERSONS WHOSE PERSONAL DATA ARE PROCESSED

12.1. Any person whose personal data are collected and processed has the right to be informed at the time of data collection, i.e. to be provided with the information as defined by the Law and GDPR, which is referred to in Article 23 of the Law and Article 13 of the GDPR and which includes the following data:

the identity of the controller;
the contact details of the data protection officer;
the purpose of the intended processing as well as the legal basis for the processing;
the existence of legitimate interest pursued by the controller or by a third party;
the recipients or categories of recipients of the personal data;
the fact that the controller intends to transfer personal data to a third country or international organisation and the information on whether such country or international organisation is a member of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data;
the period for which the personal data will be stored;
the existence of the right to request from the controller access to and rectification or erasure of personal data concerning the data subject or the existence of the right to restriction of processing or the right to object to processing as well as the right to data portability;
the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
the right to lodge a complaint with the Commissioner;
whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data concerning him or her and of the possible consequences of failure to provide such data;
the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;

12.2. In addition to the right to be informed, any person whose personal data are collected and further processed shall also have the following rights:

to request the information about whether or not Comtrade processes personal data concerning him or her and to access the personal data and the copies thereof;
to request without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data concerning him or her completed;
to request erasure of personal data concerning him or her, and Comtrade shall have the obligation to erase personal data within the shortest time possible where the following grounds apply:
the personal data are no longer necessary in relation to the purposes for which they were collected;
the data subject withdraws consent on which the processing is based and there are no legal grounds for the processing;
the data subject objects to the processing and there are no legal grounds for the processing overriding the legitimate interest, right or freedom of the data subject;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with legal obligations to which the controller is subject;
the personal data have been collected in relation to the offer of information society services.
to obtain restriction of processing of personal data concerning him or her where one of the following applies:
the accuracy of the personal data is contested by the data subject;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the personal data are no longer needed the for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
the data subject objects to the processing and the verification whether the legitimate grounds relating to the processing override those of the data subject’s interests is pending.
to receive the previously supplied personal data concerning him or her in a structured, commonly used and machine-readable format, and to have the right to transmit those data to another controller;
to object at any time to processing of personal data concerning him or her which is done for the performance of a task carried out in the public interest or for the exercise of official authority or for the serving of the legitimate interests pursued by Comtrade or a third party, including profiling based on such processing.
not to be subject to a decision based solely on automated processing, including profiling, if such decision produces legal consequences for such person or if such decision significantly affects his or her position, except if such decision is necessary for entering into, or performance of, a contract between the data subject and Controller, is authorised by the law or is based on the data subject’s explicit consent;

12.3. Comtrade shall provide to the data subject information on action taken on a request to exercise these rights without undue delay and in any event within 30 days of receipt of the request. However, that period may be extended by another 60 days where necessary, taking into account the complexity of the request. The data subject shall be informed of any such extension within 30 days of receipt of the request, together with the reasons for the delay.

12.4. Comtrade shall inform the data subject without delay, and at the latest within 30 days of receipt of the request, of the reasons for not taking action and on the right to lodge a complaint with the Commissioner and seek a judicial remedy.

12.5. All of the above information shall be provided to the data subject free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, Comtrade may charge a fee for the administrative costs of providing the information or taking the action requested, or refuse to act on the request fully at Comtrade’s own discretion.

12.6. The data subject shall be entitled to contact the Commissioner if he or she believes that his or her rights guaranteed by the Republic of Serbia legal regulations in force are violated.

[13] ENTRUSTMENT OF PROCESSING ACTIVITIES

13.1. As a data controller, Comtrade may also transfer the personal data to third parties providing complementary services. Only the person fully guaranteeing implementation of appropriate technical, organisational and personnel-related measures in a manner ensuring that the processing will meet the regulations and secure the protection of the rights of the data subject shall be designated as a processor.

13.2. The processing carried out by a processor shall be governed by a contract or other legal act that is binding on the processor in terms of complying with the Law and GDPR, and that governs all other relevant elements of the processing. For example, processors may include the companies providing the IT services [information and communication technology system maintenance or online presentation companies] as well as other persons performing specific processing activities in the name and on behalf of Comtrade, such as an accounting firm processing the employees’ salaries and other persons performing specific activities on behalf of Comtrade.

[14] TRANSFER OF PERSONAL DATA TO USERS AND THIRD PARTIES

14.1. Personal data shall be transferred when there is a legal obligation of their submittal based on request of a competent national authority. Furthermore, Comtrade may also transfer the personal data to its business partners when this proves to be essential for their business relations in accordance with the contract used to define the personal data safety pursuant to the regulations.

[15] TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

15.1. Any transfer of personal data to a third country or to an international organisation shall be permitted pursuant to the regulations governing the personal data protection, and these shall be transferred to the countries or international organisations ensuring an adequate level of personal data protection, including the following countries and international organisations:

those which are members of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data;
those which have been established by the European Union to ensure an adequate level of protection;
those with whom the Republic of Serbia has signed international agreements on transfer of personal data; and
those included in the list prepared by the Government of the Republic of Serbia based on the criteria and rules stipulated by the Law, which list is published in the “Official Gazette of the Republic of Serbia”.

15.2. Your personal data may be transferred to recipients in the third countries or international organisations located outside the Republic of Serbia, depending on our affiliates and contact data processors. Such transfers are safeguarded, to the greatest extent possible, as defined by the Law or depending on the country of residence of the given natural person/data subject.

15.3. Transfer of personal data to recipients located outside the Republic of Serbia, namely our affiliates and data processors, involves implementation of the following safeguards:

The Government of the Republic of Serbia has brought a Decision on the List of Countries, Parts of Their Territories or One or More Sectors of Certain Activities in Those Countries and International Organisations where it is Considered That an Adequate Level of Protection of Personal Data is Ensured, or the member states and international organisations that are signatories of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and countries, parts of their territories or one or more sectors of certain activities in those countries and international organisations where it is considered by the European Union that an adequate level of protection is ensured.

The Commissioner for Information of Public Importance and Personal Data Protection has issued Standard Contractual Clauses which shall be put into effect when your personal data need to be transferred outside the Republic of Serbia and into the countries not marked as suitable in terms of personal data protection pursuant to the Decision on the List of Countries, Parts of Their Territories or One or More Sectors of Certain Activities in Those Countries and International Organisations where it is Considered That an Adequate Level of Protection of Personal Data is Ensured. Standard Contractual Clauses issued by the Commissioner for Information of Public Importance and Personal Data Protection are available in Serbian and can be found on the following link: https://www.poverenik.rs/sr/%D0%BF%D0%BE%D0%B4%D0%B7%D0%B0%D0%BA%D0%BE%D0%BD%D1%81%D0%BA%D0%B8-%D0%B0%D0%BA%D1%82%D0%B84/3251-%D0%BE%D0%B4%D0%BB%D1%83%D0%BAa-%D0%BE-%D1%83%D1%82%D0%B2%D1%80%D1%92%D0%B8%D0%B2%D0%B0%D1%9A%D1%83-%D1%81%D1%82%D0%B0%D0%BD%D0%B4%D0%B0%D1%80%D0%B4%D0%BD%D0%B8%D1%85-%D1%83%D0%B3%D0%BE%D0%B2%D0%BE%D1%80%D0%BD%D0%B8%D1%85-%D0%BA%D0%BB%D0%B0%D1%83%D0%B7%D1%83%D0%BB%D0%B0.html

Transfer of personal data belonging to data subjects located in the EU to recipients located outside the EU, namely our affiliates and data processors, involves implementation of the following safeguards:

The European Commission has the power to determine, on the basis of Article 45 of the GDPR, whether a country outside the EU offers an adequate level of data protection. At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation.

The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. Transfers to the country in question will be assimilated to intra-EU transmissions of data.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, and Uruguay as providing adequate protection.

15.4. The Standard Contractual Clauses for transfer of personal data to third countries pursuant to the Regulation (EU) 2016/679 of the European Parliament and the Council adopted by the Commission on 4 June 2021 can be found on the European Commission webpage https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.

[16] RECORDS OF PROCESSING ACTIVITIES

16.1. The electronic records of processing activities which are the responsibility of Comtrade, as the controller, shall contain the following information:

the name and contact details of the controller, the joint controller, the controller’s representative and the data protection officer;
the purposes of the processing;
the categories of data subjects and the categories of personal data;
the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
where applicable, the envisaged time limits for erasure of the different categories of personal data;
a general description of the security measures.

[17] NOTIFICATION OF A PERSONAL DATA BREACH

17.1. Comtrade shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Commissioner about the personal data breach which can result in an increased risk to the rights and freedoms of natural persons. If Comtrade fails to act within the specified interval of 72 hours after having become aware of the breach, Comtrade shall provide reasons for the delay in acting. In addition to the Commissioner, Comtrade shall also notify the data subject and shall describe in clear and plain language the nature of the personal data breach.

17.2. Comtrade shall not be required to notify the data subject about the data breach if:

Comtrade has implemented appropriate technical, organisational and personnel-related protection measures with regard to the personal data which are affected by the personal data breach, in particular those that render the personal data unintelligible to any person not authorised to access such data by way of encryption or other measures;
Comtrade has taken subsequent measures which ensure that the personal data breach characterised by high risk to the rights and freedoms of data subjects is no longer likely to materialise;
notification of the data subject would involve disproportionate consumption of time and resources, in which case a public communication or any other effective means of communication shall be used to inform the data subject.

[18] RULES ON COOKIES

18.1. A cookie is a small text file containing data, which is stored on a computer or any other device used to access an online presentation and which allows monitoring and analysis of behaviour of an online presentation user in order to personalise the content on Comtrade website. If the use of cookies enables identification of website users, such cookies represent the personal data, and they are subject to the provisions of these Rules.

18.2. The use of the cookies is permitted if the users are offered a clear and comprehensive explanation about the purpose of collection and processing of the data in accordance with the Law and provided that they are given an opportunity to either accept or reject such processing of the data.

18.3. Cookies can be disabled by changing the browser settings, but disabling the cookies may result in reduced website functionality.

18.4. Comtrade uses the following cookies on its website:

Necessary cookies that help make a website functional by allowing basic features such as navigating the pages and access to different areas of the website;
Preference cookies that allow a website to remember information that affects the behaviour and design of the website;
Analytical cookies help Comtrade, as a website owner, to understand how visitors interact with the website by collecting data anonymously;
Marketing cookies which are used to track visitors of the website and whose purpose is to serve ads relevant to and tailored to the individual user;
Unclassified cookies are the cookies that have not been classified into any of the above categories, but will be so in the future.

[19] FINAL PROVISIONS

19.1. All amendments to these Rules shall be made in writing and published on Comtrade website.

19.2. The Rules were published on Comtrade website on [date] and shall enter into force on the eighth day following that of its publication, namely on [date].

COMTRADE DISTRIBUTION D.O.O. BEOGRAD

Belgrade, Municipality of Novi Beograd, Bulevar Zorana Đinđića 125i

Company Reg. No.: 17172140, TIN: 100000104