Pursuant to Articles 9 and 10 of the Decision of founding a limited liability company “FOX MI” LLC Podgorica (hereinafter: the Company), and in accordance with the Law on Personal Data Protection (“MNE Official Gazette” No. 079/08 from 23.12.2008, 070/09 from 21.10.2009, 044/12 from 09.08.2012, 022/17 from 03.04.2017), the director of the Company on August 01, 2020, adopts the following act:
Personal Data Protection
P o l i c y
- Introduction
The Personal Data Protection Policy (hereinafter: the Policy) is a general act of “FOX MI” LLC Podgorica (hereinafter: the Company) which aims to establish a framework for the protection of personal data, all in accordance with the Law on Personal Data Protection (hereinafter: the Law) and other bylaws governing this area.
The Policy establishes rules governing the protection of individuals’ rights in terms of the collection and processing of personal data as well as the further management and movement of such data.
The provisions of this Policy and other internal acts of the Company regulating this area must be complied with by all employees and organizational units of the Company, within their scope of work.
- Definitions and meanings of certain terms
“Personal data” is any data relating to a natural person whose identity is identified or identifiable, directly or indirectly, particularly on the basis of an identity mark, such as name and identification number, location data, identifiers in electronic communications networks or one or more features of one’s physical, physiological, genetic, mental, economic, cultural and social identity.
“Personal data processing” is any action or set of actions that is performed automatically or non-automatically with personal data or their sets, such as collecting, recording, sorting, grouping, or structuring, storing, matching or changing, discovering, inspecting, using, disclosing by transmission or submission, duplicating, spreading or otherwise making available, comparing, restricting, deleting or destroying (hereinafter: processing).
“Data subject” is a natural person whose personal data are processed.
“Controller” is a natural or legal person, that is, a government body that independently or together with others determines the purpose and manner of processing – for the purposes of this Policy and other internal acts of the Company, the Controller is the Company.
“Processor” is a natural or legal person, that is, a public authority that processes personal data on behalf of the controller.
“Recipient” is a natural or legal person to whom personal data have been disclosed, regardless of whether it is a third party or not, unless it is the authorities that in accordance with the law receive personal data as part of a case investigation and process this data in accordance with the rules on the protection of personal data relating to the purpose of processing.
“Commissioner for Information of Public Importance and Personal Data Protection” (hereinafter: the Commissioner) is an independent and autonomous authority established on the basis of law,responsible for supervising the implementation of the Law and performing other tasks prescribed by law.
“Violation of personal data” is a violation of the security of personal data that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.
“Profiling” is any form of automated processing used to assess a particular personality trait, especially for the purpose of analyzing or predicting the performance of an individual, their economic situation, health, personal preferences, interests, reliability, behavior, location or movement.
“Pseudonymization” is processing in a way that prevents the attribution of personal data to a particular person without the use of additional data, provided that these additional data are stored separately and that technical, organizational and personnel measures are taken to ensure that personal data cannot be attributed to a particular or identifiable person.
- Goal, purpose, and scope of application
The Company, through this Policy and other harmonized internal acts, aims to protect the fundamental rights and freedoms of individuals, especially their right to personal data protection.
The goal of the Policy is to establish new and harmonize existing processes and measures for protection and management of personal data of customers, employees, business partners of the Company and other persons, whose personal data the Company processes within its business activities in the territory of Montenegro, regardless of whether the processing is performed on the territory of Montenegro.
- Principles of personal data processing
The Company has the obligation to harmonize its operations with the Law on Personal Data Protection, which includes processing of personal data in accordance with the principles of processing which imply that personal data must be processed legally, fairly and transparently in relation to the data subject (“legality, fairness and transparency”), be collected for purposes that are specifically defined, explicit, justified and lawful (“restriction in relation to the processing purpose”), be appropriate, relevant and limited to what is necessary in relation to the processing purpose (“data minimization”), be accurate and, if necessary, updated (“accuracy”), be kept in a form that allows the identification of the person only within the period necessary to achieve the processing purpose (“storage restriction”), be processed in a way that provides adequate protection personal data (“integrity and confidentiality).
All persons who process personal data must adopt and implement the mentioned principles, which are listed and further explained in this Policy, in their work.
All organizational units of the Company are obliged to adhere to the prescribed principles of data processing in their scope of work as well as all internal acts of the Company that regulate this area.
4.1 The principle of legality, fairness, and transparency
The company, in conducting its business, should process personal data in a legal manner.
In order for the processing to be legal, it is necessary that the Controller has a valid legal basis for it.
The Company’s conduct as the controller must be lawful, fair and transparent towards the data subject, that is, it is necessary to indicate to the data subject, in a clear and unambiguous manner, in simple, understandable language, all the rights it has on the basis of data protection.
4.2 The principle of restriction in relation to the processing purpose
Personal data may be collected for purposes that are specifically defined, explicit, justified, and lawful and cannot be further processed in a way that is inconsistent with those purposes.
4.3 The principle of data minimization
Personal data that are collected and processed must be appropriate, relevant, and limited to what is necessary in relation to the processing purpose, so the processing of data that are not necessary to fulfill a specific purpose is not allowed.
4.4 The principle of accuracy
The data collected by the Company must be accurate and, if necessary, updated.
Taking into account the processing purpose, all reasonable measures must be taken to ensure that inaccurate personal data are deleted or corrected without undue delay.
4.5 The principle of storage restriction
Data collected and processed may be stored in a form that allows the identification of persons only within the period necessary to achieve the processing purpose.
4.6 The principle of integrity and confidentiality
Personal data may be processed in a way that ensures adequate personal data protection, including protection against unauthorized or unlawful processing, as well as against accidental loss, destruction, or damage through the application of appropriate technical, organizational and personnel measures.
4.7 The principle of responsibility for actions
The controller is responsible for the application of all principles of data processing and must be able to present their application – this is the principle that applies to the controller.
- Purpose and legal basis of processing
The Company processes personal data of individuals based on their explicit consent, for the purpose of providing extended warranty benefits, maintaining contact with customers through various channels, monitoring customer satisfaction, delivering and distributing advertising materials and information in order to inform about benefits and innovations in its offer, participating in sweepstakes and the like.
Besides the reasons mentioned in paragraph 1, the Company may process personal data on the following grounds:
- processing based on consent – the data subject has agreed to the processing of their personal data for one or more specially defined purposes;
- necessity for execution of the contract concluded with the data subject or for undertaking actions, at the request of the data subject, before concluding the contract;
- processing based on laws and other binding regulations – compliance with the legal obligations of the controller;
- processing in order to protect the vital interests of the data subject or another natural person;
- processing for the purpose of performing activities in the public interest or performing the legally prescribed authorizations of the controller;
- processing necessary for the purpose of realizing the legitimate interests of the controller or a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring personal data protection, especially if the data subject is a minor.
5.1 Processing based on consent
If the data processing is based on this basis, the Company must be able to prove that the data subject has consented to the processing.
Prior to giving consent, the data subject must be informed of the right of revocation as well as of the effect of the revocation.
Revocation of consent does not affect the admissibility of processing carried out on the basis of consent prior to revocation. The data subject has the right to revoke consent at any time.
- Collection and storage of personal data
The Company can collect personal data of individuals in different ways.
Most often, personal data are submitted directly by the data subjects, but the Company may also use other information on natural persons that is available in public registers, databases, Internet applications, social networks, and other public data sources. All the above data and information are processed by persons employed by the Company within their work activities, all in accordance with the Law and internal acts of the Company.
In the process of collecting and processing personal data, one of the obligations of the Company as the controller is to provide the data subject with information on the period of storage (and processing) of personal data, and if this is not possible, then at least on the criteria for determining it.
The period in which data is collected and processed depends on the legal basis and purpose of processing a certain category of personal data.
Personal data that are processed exclusively based on the consent of the data subject are processed in accordance with the purpose for which they were collected (i.e. until the purpose is fulfilled), that is, until the withdrawal of consent by the data subject.
After fulfilling the purpose of processing (unless there is some other basis for processing, e.g. law), personal data are deleted, destroyed, blocked, or anonymized.
When the Company has the obligation to keep the data even after the end of business cooperation with the data subject, e.g. based on law or legitimate interest, personal data are processed until the deadline for the legal obligations of the Company expires, and in case of legitimate interest (e.g. in case of a possible dispute between the data subject and the Company), the processing is performed as long as the legitimate interest lasts.
- Rights of data subjects
Data subjects have certain rights guaranteed by the Law, and the Company, as the controller in data processing, is obliged to enable the mentioned subjects to exercise these rights in full.
7.1 The right to be informed
The Company, in its capacity as the controller of personal data, has the obligation to provide the data subjects with all available information concerning their rights.
The right to be informed is a direct application of the principle of transparency in the Company’s operations.
When we talk about providing information at the time of giving consent to the processing of personal data, before giving consent, it is necessary for the Company to provide information to the person giving consent, about the right to revoke, as well as about the effect of revocation on further data processing.
At the time of collecting personal data, the Company will provide the data subject with the following information:
- identity and contact details of the controller;
- contact details of the Personal Data Protection Officer;
- the purpose of the intended processing and the legal basis for the processing;
- about the recipient or group of recipients, if any;
- on the intention to transfer personal data to another country or international organization;
- on the period of storage of personal data or, if that is not possible, on the criteria for its determination;
- on the existence of the right to request from the controller access, correction or deletion of one’s own personal data, i.e. the existence of the right to limit processing, the right to object, as well as the right to data portability;
- on the existence of automated decision making, including profiling;
- on the right to lodge a complaint with the Commissioner;
- on whether the provision of personal data is a legal or contractual obligation or whether the provision of data is a necessary condition for the conclusion of a contract;
- on the existence of the right to revoke consent at any time, as well as that the revocation of consent does not affect the admissibility of processing based on consent prior to revocation.
If personal data are not collected from the data subjects, in addition to all the information from the previous paragraph, it is necessary to submit information on the source from which the personal data originate and, if necessary, whether the data come from publicly available sources.
7.2 The right to access, correct, update, and delete data
The data subject has the right to request from the controller information on whether he/she processes their personal data, access to such data, that is, the right to have the Company provide them, upon request, with all information regarding the data processed.
The controller is obliged to submit a copy of the data he/she is processing to the data subject, upon request.
The controller may request reimbursement of the necessary costs for making additional copies requested by the data subject.
The rights under this item also represent the direct application of the principle of transparency in practice.
The data subject has the right to have his/her inaccurate personal data corrected without undue delay.
Depending on the processing purpose, the data subject has the right to supplement his/her incomplete personal data, which includes giving an additional statement.
The data subject has the right to have his/her personal data deleted by the controller in the following cases:
- the data is no longer necessary to achieve the purpose for which it was collected,
- the person revoked the consent on the basis of which the processing was performed,
- personal data were processed illegally,
- the data must be deleted in order to fulfill the legal obligations of the controller,
- the data subject has lodged an objection to the processing – valid only in certain cases.
The controller is obliged to inform all recipients to whom personal data have been disclosed of any correction or deletion of personal data or restriction of their processing unless this is impossible or requires excessive time and resources.
The rights under this item also represent the direct application of the principles of transparency and accuracy in practice.
7.3 The right to restrict processing
The data subject has the right to restrict the processing of his/her personal data by the controller in one of the following cases:
- the data subject disputes the accuracy of the personal data, within the period that allows the controller to verify the accuracy of the personal data;
- processing is illegal, and the data subject opposes the deletion of personal data and, instead of deleting, requests a restriction on the use of data;
- the controller no longer needs personal data for the purpose of processing, but the data subject requested them in order to submit, realize or defend a legal claim;
- the data subject has lodged an objection to the processing, and there is an ongoing assessment as to whether the legal basis for the processing by the controller outweighs the interests of that person;
- if the processing is restricted in accordance with the above, such data may be further processed only with the consent of the data subject.
If the reasons for the restriction cease, the controller is obliged to inform the data subject about the termination of the restriction before the restriction ceases to be valid.
7.4 The right to data portability
The data subject has the right to obtain from the controller his/her own personal data previously submitted to the controller in the usual form (electronic, legible, structured), and has the right to transfer this data to another controller without interference by the controller to whom the information was provided.
This right includes the right to have his/her personal data transmitted directly to another controller by the controller to whom the data were previously provided, if technically feasible.
7.5 The right to object
The controller is obliged to warn the person about the existence of the right to object at the latest when establishing the first communication with the data subject and to inform him/her about these rights in an explicit and clear manner, separate from all other information provided to him/her.
The data subject has the right at any time to object to the processing of his/her personal data if he/she considers that there are justifiable reasons for doing so.
The controller is obliged to stop processing the data on the person who filed the objection, unless there are legal reasons for the processing that prevail over the interests, rights, and freedoms of the data subject.
The data subject has the right to object at any time to the processing of his/her personal data which are processed for the purposes of direct advertising, including profiling, in which case the personal data may not be further processed for such purposes.
The data subject has the right to file an objection in an automated way, in accordance with the technical specifications for the use of services.
7.6 Rights related to automated decision making and profiling
The company also uses automated processing methods (including profiling) in data processing and makes decisions based on such processed data.
The data subjects have the right to request that the decision made in this way not be applied to them if the said decision significantly affects their position or produces legal consequences.
This right is excluded if the decision is necessary for the conclusion or execution of a contract between the data subject and the controller, or if the decision is based on the explicit consent of the data subject, but in these cases it is necessary for the controller to ensure the participation of an individual, under the control of the controller, in the decision-making process, the right of the data subject to express his/her position regarding the decision, as well as to challenge the decision before the authorized person of the controller.
- Controller, joint controller, and processor
When determining the processing method, and in the processing process itself, the controller is obliged to apply measures aimed at ensuring the application of the principles of personal data protection, such as: reduction of the number of data, processing in a way that prevents the attribution of personal data to a certain person without the use of additional data – pseudonymization, as well as other measures, all in accordance with technical possibilities.
The controller is obliged to ensure, by constant application of appropriate technical, organizational and personnel measures, that only those personal data that are necessary for the realization of each individual purpose of processing are processed. This obligation applies in relation to the number of data collected, the scope of their processing, the period of their storage and their availability (this is a direct application of the principle of data minimization and restrictions in relation to the processing purpose).
If two or more controllers jointly determine the purpose and method of processing, they are considered joint controllers. In cases where there are joint controllers, the responsibility of each of them for compliance with the obligations prescribed by this Law shall be determined in a transparent manner, especially when it comes to the obligations regarding the exercise of the data subject’s rights and fulfillment of the controller’s obligations.
If the data processing is performed by the processor on behalf of the controller, the controller may designate as processor only the person or authority that fully guarantees the application of appropriate technical, organizational and personnel measures, in a way that ensures that processing is performed in accordance with the provisions of the Law and that the protection of the rights of the data subject is ensured. The processor may entrust the processing to another processor only if the controller authorizes him/her to do so on the basis of a general or special written authorization.
Processing by the processor must be regulated by a contract or other legally binding act, which is concluded or adopted in writing, which includes electronic form, that binds the processor to the controller and regulates the subject and duration of processing, nature and purpose of processing, type of personal data and type of data subject, as well as the rights and obligations of the controller.
When processing data, the processor has the following duties:
- to process personal data only on the basis of written instructions;
- to ensure that the natural person authorized to process personal data undertakes to maintain the confidentiality of data;
- to delete or return to the controller all personal data and delete all copies of these data after the completion of the agreed processing operations, and based on the decision of the controller, unless the law prescribes the obligation to keep data;
- to assist the controller by applying appropriate technical, organizational and personnel measures, as much as possible, in fulfilling the obligations of the controller in relation to the requirements for exercising the rights of the data subject;
- to comply with the conditions for entrusting processing to another processor;
- to make available to the controller all the information necessary to present the fulfillment of the processor’s obligations prescribed by this Article, as well as the information that enables and contributes to the control of the processor’s work.
If the processor violates the provisions of the Law by determining the purpose and manner of processing personal data, the processor is considered a controller in relation to that processing.
The processor, or another person authorized by the controller or processor to access personal data, may not process such data without the controller’s order.
- Records of processing operations
The company, as the controller, and its representative, if appointed, have the obligation to keep records of processing operations, with the following information:
- information on the name and contact details of the controller, joint controllers, representatives of the controller and the Personal Data Protection Officer, if appointed;
- information on the purpose of processing;
- information on the type of data subject as well as the type of data being processed;
- information on the types of recipients to whom personal data will be disclosed;
- information on the transfer of data to other countries or international organizations, the names of those countries and organizations as well as documents on the application of measures for the protection of such data, all if such transfer is made;
- information on the period of storing data if such a period is specified;
- a general description of the data protection measures, if possible.
The previously described records are kept in written form, which includes electronic form, and are kept permanently.
The Company, as the controller, as well as its representatives, if appointed, are obliged to make the described records available to the Commissioner, at his/her request, as well as to cooperate with the Commissioner in the exercise of his/her powers.
- Security of personal data
The Company stores and processes all data with the application of all available technical and organizational data protection measures in accordance with the Law and internal acts of the Company. The company is obliged to ensure data security by applying technological advancements, as well as by technical, personnel and organizational measures at its disposal.
10.1 Processing security
The company, as the controller, uses measures in data processing to ensure the security of processing, and these measures include in particular:
- pseudonymization and crypto-protection of personal data;
- the ability to ensure lasting confidentiality, integrity, availability and resilience of processing systems and services;
- ensurance of the re-availability and access of personal data in the event of physical or technical incidents as soon as possible;
- the procedure of regular testing, evaluation, and assessment of the effectiveness of technical, organizational and personnel security measures for processing.
The company, within its work tasks, regulates the access of employees to personal data by internal acts.
10.2 Notifying the Commissioner of data breaches
If there is a violation of personal data that may pose a risk to the rights and freedoms of individuals, the Company is obliged to notify the Commissioner without undue delay, or no later than 72 hours after learning of the violation, otherwise it must explain the reasons why it did not act within that period.
The notification referred to in the previous paragraph must contain at least the following information:
- a description of the nature of the personal data breach, including the types of data and the approximate number of data subjects, as well as the approximate number of personal data the security of which has been violated;
- name and contact details of the Personal Data Protection Officer or information on other ways in which data on the violation can be obtained;
- a description of the possible consequences of the violation;
- a description of the measures taken or proposed by the controller in relation to the violation, including measures taken to mitigate the adverse effects.
The company, as the controller, is obliged to document any violation of personal data, including the facts about the violation, its consequences and the measures taken to eliminate them.
The Commissioner prescribes the notification form and closely regulates the manner of notification.
10.3 Notifying individuals of personal data breaches
If the violation of personal data may pose a high risk to the rights and freedoms of individuals, the Company has the obligation to notify the data subject without undue delay of the violation.
If the Company has not notified the data subject of the personal data breach, the Commissioner may order the Company to do so.
10.4 Assessment of the impact of processing on the protection of personal data
If there is a likelihood that some type of processing, especially with the use of new technologies and taking into account the nature, scope, circumstances and purpose of processing, will cause a high risk to the rights and freedoms of individuals, the Company is obliged to, before starting the processing, assess the impact of the planned processing operations on the protection of personal data. When assessing the impact, the Company is obliged to seek the opinion of the Personal Data Protection Officer.
Assessment of the impact of processing operations must be performed in the case of:
- systematic and comprehensive assessment of the status and characteristics of an individual by means of automated processing of personal data, including profiling, based on which decisions that are relevant to the legal status of an individual or similarly significantly affect him/her are made;
- processing of special types of personal data or personal data in connection with criminal verdicts and criminal offenses;
- systematic supervision of publicly available areas to a large extent.
10.5 Preliminary opinion of the Commissioner
If the assessment of the impact of processing operations on the personal data protection indicates that the intended processing operations will produce a high risk if no risk mitigation measures are taken, the Company is obliged to seek the opinion of the Commissioner before starting the processing operation.
- Transfer of personal data to other countries and international organizations
The transfer of personal data to other countries and international organizations may be performed if the Company acts in accordance with the conditions prescribed by this Policy. This transfer implies further transfer of data from another country or international organization to a third country or international organization, and all of the above will be regulated by a special agreement. The aim of this procedure is to provide an appropriate level of protection of individuals equal to the level guaranteed by the Law on Personal Data Protection.
11.1 Transfer based on appropriate level of protection
The transfer of personal data to another country, to a part of its territory, or to one or more sectors of certain activities in that country or to an international organization, without prior authorization, may be effected if that other country, part of its territory or one or several sectors of certain activities in that country or that international organization provides an appropriate level of protection of personal data.
An adequate level of protection is considered to be provided in countries and international organizations that are members of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, i.e. in countries, parts of their territories or in one or more sectors of certain activities in those countries or international organizations determined by the European Union to provide an adequate level of protection.
If an international agreement on the transfer of personal data has been concluded with another country or international organization, it is considered that an appropriate level of protection has been provided.
11.2 Transfer with appropriate protection measures
The controller or processor may transfer personal data to another country, a part of its territory or to one or more sectors of certain activities in that country or to an international organization for which no adequate level of protection has been established, only if the controller or processor has provided appropriate measures to protect this data and if the data subject is provided with the feasibility of his/her rights and effective legal protection.
The data protection measures referred to in the preceding paragraph may be provided with or without the special approval of the Commissioner.
- Personal Data Protection Officer
The company, as the controller, may, by its decision, designate a Personal Data Protection Officer.
If the Company, as the controller, appoints a Personal Data Protection Officer, it is obliged to publish the contact details of the Personal Data Protection Officer and submit them to the Commissioner, who keeps records of persons in charge of personal data protection.
The data subjects may contact the Personal Data Protection Officer in connection with all issues related to the processing of their personal data, as well as in connection with the exercise of their rights prescribed by this Law.
12.1 The relationship between the Company as the controller and a Personal Data Protection Officer
The bodies of the Company appoint a Personal Data Protection Officer from among their employees.
The Company, as the controller, has the obligation to timely and appropriately include the Personal Data Protection Officer in all matters related to the protection of personal data. In fulfilling this obligation, the Company needs to enable this person to perform all obligations by providing him/her with the necessary means to perform these obligations, access to personal data and processing operations, as well as his/her professional development. The company must provide the Personal Data Protection Officer with independence in the performance of his/her duties, and cannot punish him/her, nor terminate his/her employment, i.e. contract with him/her for the performance of his/her duties. The Personal Data Protection Officer is directly responsible to the Company, and has the obligation to maintain the secrecy, i.e. confidentiality of data obtained in the performance of his/her obligations.
The data subjects may contact the Personal Data Protection Officer in connection with all issues related to the processing of their personal data, as well as in connection with the exercise of their rights prescribed by law.
The Personal Data Protection Officer may perform other tasks and obligations, and the Company, as the controller, is obliged to ensure that the performance of other tasks and obligations does not bring the Personal Data Protection Officer into conflict of interest.
12.2 Obligations of the Personal Data Protection Officer
The Personal Data Protection Officer has the obligation to:
- inform and give an opinion to the Company, as the controller, as well as to employees who perform processing activities, on their legal obligations regarding personal data protection and internal acts of the Company that regulate this area;
- monitor the application of the Law, other laws and internal regulations of the controller or processor related to personal data protection, including issues of sharing responsibilities, awareness raising and training of employees involved in processing and control operations;
- give an opinion, when requested, on the assessment of the impact of processing on the protection of personal data and to monitor the procedure for that assessment;
- cooperate with the Commissioner, represent a contact point for cooperation with the Commissioner and consult with him on issues related to processing, including informing and obtaining the opinion of the Commissioner.
In performing his/her duties, the Personal Data Protection Officer shall take special care of the risk related to the processing operations, taking into account the nature, scope, circumstances, and purposes of the processing.