2. Data processed by Data Controller
2.1 The Data Controller can collect different categories of personal data, which are used for different purposes and on different legal bases. Typically, it is a data set that enables the Data Controller to fulfil its legal obligations, to identify the person whose data is processed, to communicate with that person, or that is necessary to provide a specific service at the request of that person, etc. Such processing includes:
a) Data collected from employees, prescribed by the laws governing labour relations and records in the field of labour, as well as the laws governing social protection and health protection, according to the prescribed obligations of the Data Controller under Article 12 paragraph 1 point 3 of the Law;
b) Data collected from job candidates interested in employment (name and surname, contact phone number and e-mail address, and other information the candidate voluntarily shares through the contact message or through the CV). Processing is based on informed consent under Article 12 paragraph 1 point 1 of the Law;
c) Data collected from business partners (name, surname, contact phone, e-mail address, function, personal identification number; in the case of contact persons in legal entities, the name of the legal entity they represent, and the position of those persons in that legal entity, etc.). Processing is based on Article 12 paragraph 1 point 2) of the Law for the purpose of concluding an Agreement or undertaking previous actions to conclude an Agreement at the request of the person to whom the data refer, fulfilling contractual obligations and exercising rights based on a specific Agreement.
2.2 Personal data is collected only to the extent that it is necessary for specific purposes to be achieved. The Data Controller uses the data for different purposes that are always directly related to the legal basis of processing. The Data Controller offers different types of services to legal entities, entrepreneurs and individuals and, in order to establish a business relationship, collects and processes certain personal data. This is especially related to the data provided through the Data Controller’s web page by the page’s visitor in order to make business contact with the Data Controller and to receive a non-binding offer to provide services. Processing can be done for contact in order to negotiate the conclusion of the contract and to execute other possible obligations in the contractual relationship. For all additional purposes of processing for which the need arises, the person to whom the data relates will be notified of all necessary information prior to the commencement of such processing actions, and the processing itself will be based on the appropriate legal basis, in accordance with the law.
2.4 We do not collect your sensitive data, unless you make it available to us voluntarily. There are cases when you can provide us with personal data of third parties, in which case we will consider that you are authorized by such person for such action and in no case will we bear responsibility for the processing of Personal Data of third parties.
3. Personal Data Disclosing and Transfer
3.1 The data may be disclosed to employees of the Data Controller in accordance with their work duties and authorizations, and to persons who are in a contractual relationship with the Data Controller (Data Processors) and who are entrusted with certain data processing activities, in accordance with the legally prescribed conditions relating to information security, confidentiality and contractual regulation of rights and obligations (for instance, legal service providers, IT service providers, accounting service providers, insurance companies, etc.). The data may be disclosed to competent state authorities (various administrative bodies, authorized control and regulatory state bodies, competent courts and prosecutor’s offices, etc.), in case such authorities have the appropriate entitlement for access or data processing in accordance with the law and to the extent provided by law.
3.2 All persons are obliged to act in accordance with all provisions of the Law regarding the security of personal data processing. Contracts that the Data Controller concludes with its processors/joint controllers shall contain all relevant provisions prescribed by the Law.
3.3 Data may be transferred to another country or international organization, without prior authorization, if it has been established that that other country/international organization ensures an adequate level of protection of personal data. The Company may disclose Data outside the borders of the state where the Company is established in cases where appropriate safeguards (standard contractual clauses or other transfer mechanism) have been provided and on condition that enforceable data subject rights and effective legal remedies for the data subject are available.
4. Data subject rights in connection with the processing of Personal Data
4.1 The data subject may request: access to Personal Data, update of Personal Data, deletion of Personal Data, limitation of the processing of Personal Data, and transfer of Personal Data. Additionally, the data subject may file a complaint before the Commissioner for Information of Public Importance and protection of personal data. Regarding all questions related to the processing of personal data, you can contact us via e-mail: [email protected] or by sending an inquiry to the address Belgrade, Serbia, 11 Splitska Street. We will respond to your inquiry as soon as possible, depending on the complexity of the inquiry itself, but in each case within 30 days from the date on which the data subject addressed us, with the possibility of extending the deadline in special situations and with an explanation, in accordance with law.
4.2 Certain rights (e.g. the right to deletion) may, in certain situations, be subject to legally prescribed restrictions, and their use may have different legal consequences, in accordance with the law (e.g. inability to provide certain services, liability for damages, etc.).
5. Security of Personal Data
5.1 The Data Controller, within its business organization, strives to apply the highest possible standards in the area of personal data protection and takes administrative, technical, organizational and other measures to ensure the appropriate level of security of the personal data we process. Some of the measures applied include control of physical access to the system where Personal Data is stored, electronic data access control (user account and password), information classification (and handling thereof), protection of integrity and confidentiality, data backup, firewalls, data encryption and other appropriate measures. The Data Controller’s staff is equipped with the appropriate knowledge and understanding of the importance and confidentiality of your personal data security.
5.2 The Data Controller ensures that employees are obliged to produce and process data, documents and information on company computers and associated storage devices, while keeping confidential data and documents is prohibited on the same. All company computers and external storage devices are protected by BitLocker encryption. In addition, the Data Controller ensures that employees do not use arbitrarily determined systems, private, public and cloud computer resources and storage systems for the creation, processing, storage and access to data, documents, and information. Finally, the Data Controller periodically provides training to employees on the safe use of system applications.
5.3 All processors and/or other recipients of personal data are also obliged to apply all prescribed safeguards, in accordance with the contract signed with the Data Controller and the standards and obligations prescribed by law.
6. Personal Data Retention Period
6.1 The Data Controller stores the data for the period necessary for a specific, concrete purpose of processing to be achieved, after which the data is deleted or made unrecognizable.
6.2 When Personal Data is processed by the Data Controller based on consent (data collected for the purposes of obtaining a business contact), the Data Controller stores personal data in its databases until the consent is revoked.
6.3 Personal data of employees are stored permanently in accordance with the obligations of the law governing records in the labor field. We will keep the personal data you have submitted to us in your CV as a job candidate in our database for a period of 1 year from the date of receipt of the personal data, after which we will delete it.
6.4 Data processed on the basis of a concluded Agreement are stored for 5 years from the date of execution of the Agreement, i.e. the expiration of the term of the Agreement (general period for statute of limitations) or longer, if a longer period is prescribed by law.
6.6 Additional information about the retention periods and way of storing can be found in separate notifications.
7. Additional information
7.1 Personal data collected through the alchemists.rs website is not transferred from the Republic of Serbia, except for the possible use of third-party cookies, for which the Data Controller cannot be held responsible. The servers used to transfer data are located within EEA countries where an appropriate level of personal data protection is provided. If, in exceptional cases, data transfer is carried out through servers outside the EEA, such data transfer will be carried out with appropriate safeguards in accordance with the law.
7.2 In case of the need to take personal data to another state or outside the territory of the Republic of Serbia, the transfer will be made in accordance with all rules prescribed by the applicable Law, with the application of standard contractual clauses prescribed by the Commissioner for Information of Public Importance and protection of personal data or other appropriate transfer mechanism.
7.3 Providing data by the data subject is not a legal or contractual obligation when it comes to using the website. Failure to provide the requested data may result only in the inability to establish the contact necessary for further communication, or the inability to use the services available on the alchemists.rs website.
7.5 When processing data collected through the Data Controller web site, the Data Controller does not use any automated decision-making or profiling of the persons to whom the data refers.
7.6 Based on the particular purpose that collection and processing of data should achieve and in relation to the legal ground, the Data Controller shall, if necessary, in relation to such processing, previously inform the Data Subject to whom the data refer about all details regarding processing. This Policy and separate special notice will apply to such processing.
7.7 This Policy enters into force on 21 June 2023. This Policy may be updated periodically, but in such a way that the level of achieved data protection will not be reduced. All possible changes enter into force on the day of their publication on the Data Controller’s website.