Privacy and personal data protection rules

Privacy and personal data protection rules

These Privacy and Personal Data Protection Rules (hereinafter: Rules ), based on the Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (hereinafter referred to as the General Data Protection Regulation), explain what personal data is collected in connection with the provision of our services and products, how we process, use and protect this data, for what purposes we use it, as well as what your rights are.

The data controller responsible for processing your data depends on where you are or which website you are viewing:

Country / website	Data controller	Contact	Data Protection Officer Contact
Croatia / www.vivax.com	M SAN Grupa d.o.o. Dugoselska ulica 5, HR-10372 Rugvica	Tel: +385 (0) 1 3654 900 Fax: +385 (0) 1 3654 926 Email: komunikacije@msan.hr	voditelj@msan.hr
Bosnia and Herzegovina	Kim Tec d.o.o. Poslovni Centar 96-2 BiH-72 250 Vitez	Tel: +387 (30) 718 800 Fax: +387 (30) 718 897 Email: komunikacije@kimtec.ba	Ivana.sokanovic@bss.ba
Montenegro	KIM TEC CG d.o.o. Ćemovsko polje bb, 81000 Podgorica	Tel.: 382 20 608 245 Email: prodaja@kimtec-cg.com	finansije@kimtec-cg.com
Kosovo	AskTec d.o.o. / HQ – Ferid Curri Str. Entrance C, Local 3/1 and 5/1, Arbëri / 10000 Prishtinë, Kosovë	Email: info@asktec-ks.com	info@asktec-ks.com
Serbia	KIM-TEC d.o.o. Beograd, Viline vode bb, Palilula	Tel.: +381(0)112070684 Email: marketing@kimtec.rs	zastitnik@kimtec.rs
North Macedonia	Pakom Kompani d.o.o.e.l., Skopje, Jadranska Magistrala 12	Tel.: +389 2 3202 800 Email:opstiraboti@pakom.com.mk	opstiraboti@pakom.com.mk
Slovenia	Vivax d.o.o., Dunajska cesta 151, 1000 Ljubljana	Phone: +386 (01) 520 28 00 Email: info_slo@vivax.eu	blaz.zdesar@vivax.eu

In order to know how and for what purposes the Data Controller processes your data, please read these Rules. Your privacy and the protection of personal data are of utmost importance to us. These Rules also apply to the mobile application managed by the Controller, except for the part regarding data processing via cookies or the part relating to cookies. If you wish to contact us regarding these Rules or regarding your personal data, please use the following contact details as specified in the table above.

• Who processes your personal data?

The Data Controller collects personal data on this website for marketing purposes, for the purpose of improving business and your user experience, and complies with all applicable regulations aimed at protecting the privacy of its Customers or Users. This document describes how the Data Controller processes the personal data of customers and/or potential customers. The Data Controller is responsible for ensuring all security measures for your personal data. For all questions regarding personal data, you can contact the appropriate data protection officer via the email contact listed above in the table. Customers of the Data Controller (hereinafter: Customers) or Users of our products and services, and Users who are recipients of our notifications about products and services (hereinafter: Users) are advised to read everything stated in these Rules in order to better understand what data the Data Controller collects and processes, for what purpose, on what legal basis, with whom and why it shares it, what protective measures it implements, and what the rights of Customers or Users as data subjects are.

• What categories of personal data do we process?

When performing the tasks for which we are registered as a company, we will process different categories of personal data.

• a) Customer support

If you contact our office or customer support or through any other means of communication available to you, we need your contact information in order to resolve the issue you are contacting us with. In addition to the above, we will have to identify you in a manner that is prescribed in detail in our other internal acts. The data you give us will be used only for the stated purpose. In certain cases, we will use the services of other legal entities to whom we entrust your data only to the extent that this will be necessary to solve your case (eg authorized companies that provide customer support for us or maintain the system or perform some repairs).

• b) Website

When you send any type of inquiry through our website, we collect your first and last name and contact information (email address, phone number). The controller automatically collects personal data from your computer, and there are also situations in which we collect other types of data, such as the date and time of access to our website, information about the hardware, software or internet browser you use, as well as your computer’s operating system and version application and your language settings. We may collect information about the clicks and your access to our pages that are shown to you.

• c) Employees and associates

The data controller collects and processes personal data from its employees and other associates for the purpose of executing employment contracts signed with employees and consulting contracts and/or work contracts signed with associates, which relate to personnel, administrative or other business/contractual purposes. In the latter case, we collect and process data such as: name, surname, gender; marital status, citizenship, residence, date and place of birth, personal identification number; title, occupation, information on professional training, information related to health insurance, work experience; information about the account number (IBAN), signature, etc.

• d) Suppliers and our business partners

We collect and process data from suppliers and other clients, ie associates and business partners, for the purpose of fulfilling contractual obligations, such as: name and surname of the responsible person in the legal entity; contact details of the person in charge of communication and fulfillment of contractual obligations.

• e) Tender procedure

From job candidates, all for the purpose of possible employment, the data that the Data Controller collects and processes may include: name, surname, address, contact information, level of education, citizenship, title and occupation, data on previous work experience, data on professional training and trainings, and test results that may also reflect the candidate’s ability to perform all work duties that the specific position applied for places before him/her. Obada is based on consent for a clearly indicated purpose of data collection. We will inform you about everything when the tender procedure is opened.

• f) Receiving information about our services and products/newsletter

We collect information such as e-mail address from subscribers to our newsletter, for the purpose of informing them about our new products and benefits that you can enjoy. The processing of this category of data is based on consent or on the basis of our legitimate interests, primarily to control and ensure a high standard of quality of our services and products, and thus to achieve your satisfaction, especially for the purpose of sending information about our products and services with which you can achieve additional savings, reduce the cost of using electricity and increase satisfaction with our services.

• g) Exercising the rights of respondents and responding to the requests of Users and Customers

When processing your requests for the protection of rights, your personal data such as name, surname, OIB, or address will be processed. We must process the data in order to fulfill the obligations arising from the applicable regulations.

• What are your rights in terms of personal data protection?

The controller respects that every user should be able to ensure the accuracy, completeness and updating of their personal data. If the user believes that their personal data is incomplete, inaccurate or not up to date, they may contact the Data Controller by sending an email to the appropriate email address listed in the table at the beginning of these Rules.
Please note that you have the right to request the following from the Controller at any time:

In order to exercise any of the above rights, please use the contact information provided at the beginning of these Rules.

• Competent authorities for the protection of personal data

If you are not satisfied with how we have collected or used your personal data, you can submit a formal complaint to the competent authority for the protection of personal data:

• for Croatia: Personal Data Protection Agency, Selska cesta 136, 10000 Zagreb, azop@azop.hr
• for Serbia: Commissioner for Information of Public Importance and Personal Data Protection, Bulevar kralja Aleksandra 15, 11120 Belgrade, office@poverenik.rs
• for Bosnia and Herzegovina: Agency for the Protection of Personal Data in Bosnia and Herzegovina, Dubrovačka no. 6, 71000 Sarajevo, azlpinfo@azlp.ba
• for North Macedonia: Personal Data Protection Agency, bul. “Goce Delchev” no. 18 (building of Macedonian Radio Television MRTV – floor 14), PO Box 417, 1000 Skopje, info@privacy.mk
• for Kosovo: Agency for Information and Privacy, Rr. Zejnel Salihu no. 22, 10000 Pristina, aip@rks-gov.net
• for Montenegro: Agency for Personal Data Protection and Free Access to Information, Bulevar Revolucije 11, Podgorica, azlp@t-com.me

• Where your personal data is stored and who has access to your data

We store the personal data we collect about you in a secure environment. Your personal data is protected from unauthorized access, disclosure, use, modification or destruction by any organization or individual. The processed data is stored on our premises and IT systems, but sometimes we store the data on the servers of our trusted service providers (trusted service providers). data), which can only be accessed by authorized persons. Data collected for the purposes specified in these Rules will be stored only as long as it is necessary to fulfill the specified purposes. Your personal data will not be stored in a form that allows you to be identified for longer than the Controller reasonably considers necessary to achieve the purpose for which it was collected or processed. If you are interested in specific data retention periods, you can always contact our data protection officer. The Data Controller will retain certain personal data for the period prescribed by law or other regulation that obliges the Data Controller to retain data. In the event that you have given us consent, we will process your personal data until you withdraw your consent. If you file a well-founded objection to the processing of personal data based on legitimate interest, we will not process your personal data in the future. In addition to all of the above, it is important to point out the following: if a judicial, administrative or extrajudicial procedure has been initiated, personal data may be stored until the end of such procedure, including the possible period for filing legal remedies. Therefore, the Data Controller will retain certain personal data for the period prescribed by law or regulation that obliges the Data Controller to retain data. Privacy protection is important to us, therefore we will never share your personal data with third parties except for the purposes described in these Rules.

• Does the Controller exchange data with third parties?

The data controller cooperates with other companies. This means that we sometimes share your personal data, using secure IT systems. When we do so, the data is transferred to servers located in the EU or in a country that ensures an adequate level of protection in accordance with EU legislation. The Controller may transfer personal data outside the EU if it is necessary for the performance of a contract between the Controller and the processor and/or another processor or to comply with legal obligations. In the latter case, the Controller transfers personal data only to countries that provide an adequate level of protection, through model contracts containing binding provisions or through binding corporate rules; or in accordance with an approved certification mechanism and/or a privacy protection framework when transferring personal data from the European Union. The Controller uses social media tools and services that also operate outside the European Union and we are obliged to inform you how these third parties operating social media may transfer your data to third countries outside the European Union or the EEA. The transfer of data to social networks owned by Google Ireland Ltd., Linkedin Ireland Unlimited Company and Meta Platforms Ireland Limited as independent processors who may transfer this data to the USA is carried out in accordance with the relevant Decision on the adequacy of the EU-USA data protection framework. The Controller will send a special notice to Users or Customers in cases where:- the transfer of data is necessary for the performance of a contract or the implementation of pre-contractual measures at the request of the data subject; or- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of you as a Customer or User, between us as a processor and another natural or legal person; or- the transfer is necessary for the establishment, exercise or defense of certain legal claims. We may provide your personal information to our trusted partners who maintain our IT system or provide services on behalf of the Controller, for example, for the purposes of marketing, delivery, finance, advertising, maintenance services, debt collection services, legal services and other services, without which we would not be able to adequately ensure the performance of our obligations and contracted services. These service providers are nevertheless obliged, according to the relevant contracts, to use the data entrusted to them only in accordance with our guidelines and exclusively for the purpose that we have strictly determined. We also oblige them to adequately protect your data and to consider it a business secret. In addition, you don’t have to worry because our partners’ compliance with current regulations is checked through regular audits.

• Period and location of data storage

The period for which we retain the personal data we collect depends on the purpose of the processing for which it was collected. We retain your personal data during the contract conclusion process and during the use of our services or products, and we delete it upon termination of the contractual relationship, upon the expiration of all legal obligations or the cessation of the legal grounds from the General Data Protection Regulation related to the processing of your personal data. Therefore, we must inform you that in certain situations we will not be able to delete your data because we are obliged to retain it under other applicable regulations. We retain your personal data, in the event that a procedure for the forced collection of unpaid receivables has been initiated, until the final conclusion of the procedure or, if a complaint about the product or service has been filed within the deadline, until the final completion of the complaint procedures in accordance with applicable regulations.

• Other websites

This Privacy Policy applies only to the use and use of data that the Controller collects from users (respondents). Other websites that can be accessed through the Controller’s website have their own privacy and data collection statements and methods of their use and disclosure. The Controller is not responsible for the methods and conditions of operation of third parties. You can read more about the privacy policies of third parties on their websites.

In the event that you have questions regarding the collection and processing of data by Facebook, YouTube, Instagram and/or LinkedIn or wish to exercise any of your rights guaranteed by the General Data Protection Regulation, please contact:

• Use of Internet cookies (“cookies”)

In order to maintain the website and ensure its functionality, the Controller uses a technology commonly known as “cookies”. A cookie is a small text file that is stored on your computer or mobile device when you visit a particular website. With the help of cookies, the website can remember your actions and settings (such as login, language, font size and other display-related settings) for a given period of time, so that you do not have to re-enter them each time you return to the site or browse various other pages of the Controller. Cookies can be temporary or permanent, for example, JavaScript technology. Thanks to cookies on our site, you can browse the content without any problems and you will be shown results that are relevant to you. Read more in the Cookie Policy.

• Use of Google Analytics tools

For statistical analysis and measuring the effectiveness of this website, we use Google Analytics – a service for measuring traffic and related Google services. You can find out more about Google’s privacy policy at the link: https://policies.google.com/privacy?hl=hr.This Policy does not apply to services and third parties that have separate privacy policies, however, in accordance with the regulations relating to the protection of personal data, the Controller is obliged to inform its users about the data collected by Google when providing its services to other natural and legal persons. The Controller cannot fully influence the processing of data by Google as part of your use of their services. Please read the sections of this Policy carefully to learn how Google processes your personal data. The data that Google collects includes unique identifiers, browser type and settings, device type and settings, operating system, mobile network information including carrier name and phone number, and application version number. In addition, Google collects data about the interaction of applications, browsers, and devices with Google services, including IP address, crash reports, system activity, and the date, time, and referral URL of the web request of the data subject. Google collects data when a Google service on your device contacts Google servers – for example, when you install an application from the Play Store or when the service checks for automatic updates. If you use an Android device with Google apps, your device periodically contacts Google servers to provide information about your device and connect to their services. This includes information such as your device type, carrier name, crash reports, and apps you’ve installed. For more information about the cookies used by Google and other companies, see our Cookie Policy.

• Data processing via mobile application

This Policy also applies to data processing via a mobile application administered by the Data Controller, except in relation to the chapters: “7. Other websites, 8. Use of Internet cookies (“cookies”) and 9. Use of Google Analytics tools”. In relation to the categories of data to be processed, it is important to note that in relation to the application, the mobile identifier, i.e. data about the mobile device, the operating system of the mobile device, contact information of the registered user, data about the legal entity on whose behalf the employee uses the mobile application, name and surname if the aforementioned data of the registered user can be found from the e-mail, e-mail and official mobile or other telephone number will also be processed.

• Processing of personal data in the process of payment by credit and debit cards and directly from the accounts of business partners of M SAN Grupa doo via IBAN

At the time of payment on the webshop https://webshop.msan.hr/hr/ or when using the MSAN mobile application, as a condition for paying for products and services directly from the customer/business partner’s account via IBAN (CorvusPay by IBAN service) or by credit or debit cards, M SAN Grupa doo requests from the customer/business partner data for activating the payment process via the company Corvus Pay doo Buzin, Buzinski prilaz 10, a provider of processing and collection services (credit or debit) cards, a contractual partner of M SAN Grupa doo and the Personal Data Processor. For the above purpose, the customer’s personal data (for the credit or debit card payment service: customer’s name and surname, customer’s address, customer’s card data or for the CorvusPay by IBAN service: customer’s name and surname, customer’s address, IBAN account number, OIB or the number of the authentication device that the bank has provided to the customer) are temporarily stored at Corvus Pay doo Buzin, Buzinski prilaz 10, which stores this data in accordance with PCI DSS certification, the highest level of protection and storage confidential data. The customer activates the card processing and collection process by confirming (clicking) on ​​the “pay” link. M SAN Grupa does not at any time dispose of, collect or process personal data entered for the purpose of processing and collecting cards or payments directly from the customer’s account. In case you are interested in details about your personal data collected for the aforementioned purpose, customers are asked to inform themselves about the processing of personal data by Corvus Pay doo on the website where the payment process takes place https://www.corvuspay.com/politika-zastite-osobnih-podataka/ . M SAN Grupa warns the customer to take care of the data specified on the card so that this data is not available to third parties and is not misused. The webshop or mobile application allows customers to pay via Corvus Wallet. Corvus Wallet is a separate payment and card data storage service owned by Corvus Pay doo. In order to use this service, the customer must register during the purchase process or be previously registered on the Corvus Wallet service. M SAN Grupa does not at any time dispose of, collect or process personal data entered for the purpose of processing and collecting cards via Corvus Wallet. Customers are advised to inform themselves about the processing of personal data related to Corvus Wallet by Corvus Pay doo on the website where the payment process takes place: https://www.corvuspay.com/politika-zastite-osobnih-podataka/

• Entry into force and changes to the Rules

These Rules shall enter into force upon publication on the Website. The Controller reserves the right to amend and supplement these Rules and they shall be published on the Website. In the event that the change significantly affects your rights or poses a risk to the exercise of your rights, we will inform you of the changes in another, most appropriate manner, depending on the specific situation.
Last updated: September 18, 2024

Country / website	Data controller	Contact	Data Protection Officer Contact
Croatia / www.vivax.com	M SAN Grupa d.o.o. Dugoselska ulica 5, HR-10372 Rugvica	Tel: +385 (0) 1 3654 900 Fax: +385 (0) 1 3654 926 Email: komunikacije@msan.hr	voditelj@msan.hr
Bosnia and Herzegovina	Kim Tec d.o.o. Poslovni Centar 96-2 BiH-72 250 Vitez	Tel: +387 (30) 718 800 Fax: +387 (30) 718 897 Email: komunikacije@kimtec.ba	Ivana.sokanovic@bss.ba
Montenegro	KIM TEC CG d.o.o. Ćemovsko polje bb, 81000 Podgorica	Tel.: 382 20 608 245 Email: prodaja@kimtec-cg.com	finansije@kimtec-cg.com
Kosovo	AskTec d.o.o. / HQ – Ferid Curri Str. Entrance C, Local 3/1 and 5/1, Arbëri / 10000 Prishtinë, Kosovë	Email: info@asktec-ks.com	info@asktec-ks.com
Serbia	KIM-TEC d.o.o. Beograd, Viline vode bb, Palilula	Tel.: +381(0)112070684 Email: marketing@kimtec.rs	zastitnik@kimtec.rs
North Macedonia	Pakom Kompani d.o.o.e.l., Skopje, Jadranska Magistrala 12	Tel.: +389 2 3202 800 Email: opstiraboti@pakom.com.mk	opstiraboti@pakom.com.mk
· to give you access to your personal data	You can ask the data controller which of your personal data it uses, and you can also request access to this personal data. You have the right to know the purpose of the processing, which categories of your personal data we keep, the bodies or categories of bodies with which we share your personal data, the data retention period, as well as the data source in case the data is collected indirectly. You can contact us if you want a copy of some or all of the personal data we keep about you.
· request the correction of incorrect data	We want your personal information to be accurate and up-to-date. You can ask us to correct or remove information that you think is inaccurate or out of date.
· request deletion of personal data	You can ask the controller to stop processing or even delete your personal data. If we need your personal data to perform some contractual obligation towards you, the data controller may cease to be able to perform such contractual obligations. Also, if your personal data is required to fulfill certain legal obligations (eg tax obligations), your request may not be fulfilled.
· Limiting access to your data (to us and/or third parties) in certain processes or completely	If you want to dispute the accuracy of the data, or we no longer need personal data for the purpose of processing, but you need them for the establishment, execution or processing of legal requirements, or you objected to the processing on a basis that we consider legitimate, you have the right to request the restriction of the processing of personal data.
· file a complaint about the way we use your data	Remember that you have the right to object to the processing of personal data based on a legal basis that the Controller considers legitimate.
· request the transfer of data to another processor (transferability of rights)	If the processing is based on your consent or is carried out by automatic means, you have the right to ask the Controller to transfer the data to another processor.
FACEBOOK	https://www.facebook.com/policy.php
YOUTUBE	https://policies.google.com/privacy?hl=hr
INSTAGRAM	https://help.instagram.com/519522125107875
LINKEDIN	https://www.linkedin.com/legal/privacy-policy
FOR FACEBOOK: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Contact of the data protection officer:	https://www.facebook.com/help/ https://www.facebook.com/help/contact/540977946302970
If you are not satisfied with the way in which your personal data is collected and processed, you can contact the lead supervisory authority for Facebook, the Irish Data Protection Commissioner or your competent supervisory authority in accordance with the information specified in point 4. of these Rules.
FOR YOUTUBE: Google Ireland, Ltd., Gordon House Barrow St, Dublin 4, Ireland
Contact of the data protection officer:	https://support.google.com/policies/contact/general_privacy_form
If you are not satisfied with the way in which your personal data is collected and processed, you can contact the lead supervisory authority for YouTube, the Irish Data Protection Commissioner or your competent supervisory authority in accordance with the information specified in point 4. of these Rules.
FOR INSTAGRAM: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Contact of the data protection officer:	https://www.facebook.com/policy.php https://www.facebook.com/help/contact/540977946302970
If you are not satisfied with the way in which your personal data is collected and processed, you can contact the lead supervisory authority for Instagram, the Irish Data Protection Commissioner or your competent supervisory authority in accordance with the information specified in point 4. of these Rules.
LINKEDIN IRELAND UNLIMITED COMPANY Attn: Legal Dept. (Privacy Policy and User Agreement), Wilton Plaza, Wilton Place, Dublin 2, Ireland
Contact of the data protection officer:	https://www.linkedin.com/help/linkedin/ask/TSO-DPO
If you are not satisfied with the way in which your personal data is collected and processed, you can contact the lead supervisory authority for LinkedIn Ireland, the Irish Data Protection Commissioner or your competent supervisory authority in accordance with the information specified in point 4. of these Rules.