Privacy Policy (Processing of Personal Data)
1. Introduction
1.1. This Privacy Policy (hereinafter: the “Policy”) governs the system of personal data protection within the limited liability company for production “Mlijekoprodukt” Kozarska Dubica, with its registered seat at the address Vrioci bb, Kozarska Dubica (hereinafter: the “Company” or the “Controller”), in accordance with the Law on Personal Data Protection (“Official Gazette of Bosnia and Herzegovina”, No. 12/25 – the “Law”), with which all other internal acts must be aligned.
1.2. The Company pays special attention to the protection of privacy and personal data and undertakes to process personal data lawfully, fairly, and transparently, in accordance with the basic principles of the Law.
2. Definitions
2.1 The terms used in this Policy have the following meanings:
- Personal data is any data relating to a natural person whose identity is established or can be established.
- Data Controller is a natural or legal person, public authority, or competent authority that independently or jointly with others determines the purposes and means of processing personal data. Where the purposes and means of such processing are determined by law, the data controller or specific criteria for its designation shall be prescribed by law.
- Data Subject is a natural person whose identity is established or who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
- Special categories of data include all personal data revealing:
  - racial origin, national or ethnic origin, political opinion or party affiliation, or trade union membership, religious, philosophical, or other belief, health status, genetic code, and sexual life;
  - criminal convictions;
  - biometric data.
- Processing is any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Restriction of processing is the marking of stored personal data with the aim of limiting its processing in the future.
- Personal data filing system is any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised, or dispersed on a functional or geographical basis.
- Processor is a natural or legal person, or public authority, that processes personal data on behalf of the data controller.
- Recipient is a natural or legal person, or public authority, to whom personal data are disclosed, regardless of whether it is a third party. Public authorities that may receive personal data in the framework of a particular inquiry in accordance with the law shall not be regarded as recipients; however, the processing of those data must comply with the applicable data protection rules in accordance with the purposes of the processing.
- Third party is a natural or legal person, public authority, agency, or other body other than the data subject, data controller, processor, or persons who, under the direct authority of the data controller or processor, are authorised to process personal data.
- Consent of the data subject is any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- Video surveillance is an information and communication system capable of collecting and further processing personal data, which includes the creation of recordings that form, or are intended to form, part of a storage system.
3. Relationship with Other Documents
3.1. This Policy is applied in conjunction with the following set of documents:
- GPS Surveillance Rules;
- Video Surveillance Rules;
- Notice on Personal Data Processing for Individual Suppliers;
- Notice on Personal Data Processing for Employees (general);
- Notice on Personal Data Processing for Contact Persons at Suppliers and Customers – Legal Entities;
- Notice on Personal Data Processing for Persons Not Employed;
- Notice on Personal Data Processing for Job Applicants;
- Notice on Personal Data Processing for Website Visitors;
- Notice on Personal Data Processing for Participants in Prize Competitions;
- Video Surveillance Notices for Employees and Visitors;
- GPS Surveillance Notice for Employees Using Company Vehicles;
- Record of Personal Data Processing Activities (Main Register of Filing Systems);
- Contracts with Processors.
4. Obligations of Employees
4.1 All employees of the Controller are obliged to comply with all documents governing personal data protection at the Controller.
4.2 Employees of the controller or processor, and other persons who carry out the processing of personal data under a contract with the controller or processor, may process personal data only under the conditions and to the extent determined by the controller or processor.
4.3 Employees of the controller or processor, other natural persons who process personal data under a contract concluded with the controller or processor, and other persons who, in the exercise of statutory rights and duties, come into contact with personal data on the premises of the controller or processor, are obliged to maintain the confidentiality of personal data and to comply with the established security procedures.
4.4 Personal data processed by the controller or data processor in respect of employees constitute an official secret.
4.5 The obligation of personal data confidentiality remains in force after the termination of employment or a specific assignment.
4.6 Release from the obligation of personal data confidentiality may be prescribed only by law.
4.7 The Controller is not required to appoint a Data Protection Officer.
4.8 The Controller shall designate a person responsible for communication with data subjects, to whom data subjects may address all questions relating to the processing of personal data, and shall ensure the existence of communication channels through which data subjects may exercise their rights under the Law on Personal Data Protection, namely:
- electronically, via e-mail address;
- in writing, to the Company’s registered address;
- by telephone.
5. Categories of Data Subjects
5.1 The Company may process personal data of employees, job applicants, persons engaged outside of employment, business partners and their representatives, service users, visitors to business premises, and other persons in accordance with applicable regulations.
6. Categories of Personal Data
6.1 Depending on the purpose of processing, the Company may process identification data, contact data, employment status and professional qualification data, financial data, data contained in contracts and business documentation, data collected through video surveillance systems, as well as other data in accordance with the law.
6.2 The data collected are further specified in the acts referred to in Article 3.1 of the Policy.
7. Purposes of Personal Data Processing
7.1 Personal data are processed for the purposes of establishing, executing, and terminating employment relationships, conducting selection and recruitment processes for candidates, engaging persons outside of employment, fulfilling the Company’s contractual and legal obligations, calculating and paying remuneration and other earnings, maintaining statutory and internal records, protecting persons, property, and business interests, organising business operations and communication, as well as establishing, exercising, and defending legal claims.
7.2 The purposes of personal data processing are further specified in the acts referred to in Article 3.1 of the Policy.
8. Legal Basis for Processing
8.1 The processing of personal data is carried out on the basis of the legal grounds prescribed by the Law, which include: performance of a contract or taking steps at the request of the data subject prior to entering into a contract, fulfilment of the Company’s legal obligations, the legitimate interest of the Company, the consent of the data subject where applicable, as well as other grounds prescribed by the Law.
9. Provision of Personal Data and Consequences of Non-Provision
9.1 The provision of personal data may constitute a legal obligation, a contractual obligation, or a condition for entering into a contract, or may be voluntary.
9.2 In the event of failure to provide data that are necessary, the Company may be prevented from concluding or performing a contract or from fulfilling its statutory obligations.
10. Recipients of Personal Data
10.1 Personal data may be made available to competent state authorities where required by law, banks and financial institutions, tax and insurance authorities, external associates and service providers, as well as other recipients in accordance with the law.
10.2 Appropriate contracts are concluded with all personal data processors.
11. Transfer of Personal Data
11.1 Where it is necessary for the Company to process personal data through hosting and cloud services whose servers are located outside Bosnia and Herzegovina, and in the case of transfer of personal data from Bosnia and Herzegovina, the Company transfers such data outside Bosnia and Herzegovina with the application of appropriate safeguards in accordance with the Law, if:
- the Council of Ministers of BiH has determined that the country, a part of its territory, or one or more sectors within that country, or the international organisation to which the data are transferred, ensures an adequate level of personal data protection;
- the European Union has determined that the other country, a part of its territory, or one or more sectors within that country, or the international organisation, ensures an adequate level of personal data protection (list of countries available on the European Commission’s website);
- the data subjects have given consent to the transfer of data to countries for which an adequate level of protection does not exist.
12. Retention Period for Personal Data
12.1 Personal data are retained for as long as necessary for the fulfilment of the processing purpose, within the periods prescribed by law, or until the withdrawal of consent, where processing is based on consent.
12.2 Upon expiry of the retention period, personal data are deleted.
13. Technical and Organisational Security Measures
13.1 The Company applies appropriate technical and organisational measures for the protection of personal data, including access control, physical and technical security of systems, restriction of employee access, employee training, and regular improvement of security measures.
14. Rights of Data Subjects
14.1 The data subject has the right to obtain information about the processing of their personal data, the right of access, rectification, and erasure, the right to restriction of processing and the right to object, the right to withdraw consent where applicable, and the right to lodge a complaint with the competent authority.
14.2 The rights of data subjects are elaborated in detail in the acts referred to in Article 3.1 of the Policy.
15. Impact Assessment and Record of Processing
15.1 The Controller maintains a record of processing activities and, where applicable, carries out an impact assessment in accordance with the Law.
16. Video Surveillance
16.1 The Company may conduct video surveillance for the purpose of protecting persons and property, in accordance with applicable regulations. Video surveillance shall not be conducted in premises where it could infringe upon the privacy of individuals.
17. Obligation to Report a Personal Data Breach
17.1 In the event of a personal data security breach, the controller is obliged to:
- report the breach to the Personal Data Protection Agency within 72 hours;
- notify the data subject without delay if the breach is likely to result in serious consequences for their rights and freedoms.
18. Amendments to the Privacy Policy
18.1 The Company may amend or supplement this Privacy Policy in accordance with legislative changes or business needs. The Policy is reviewed every 2 years.
19. Transitional and Final Provisions
19.1 This Policy enters into force on the eighth day from the date of publication on the Company’s notice board.
