Information on Processing of Personal Data by Social Infinity
The information below aims at giving you an overview of the manner in which we process your personal data and inform you about your rights related to the processing of personal data, all in accordance with the current regulations. The processing of personal data largely depends on which of the Company’s services you have agreed to and used. This information refers to clients, potential clients, and other private individuals whose personal data the Company gathers on whatever legal basis.
I WHO IS THE CONTROLLER OF PERSONAL DATA PROCESSING?
Social Infinity, with the head office at the address Prve muslimanske brigade bb, 77230 Velika Kladuša, Bosnia and Herzegovina (hereinafter: Company).
II WHAT IS PERSONAL DATA?
Personal data is any information that relates to a private individual, based on which their identity has been or can be established (hereinafter: Data Holder).
Personal data is every piece of data:
(a) the Data Holder communicates to the Company verbally or in writing, as follows:
(i) in any communication with the Company, irrespective of its purpose, which includes, without limitation, telephone communication, communication through Company’s digital channels, at Company’s branches, and at Company’s website;
(ii) agreeing new products and services of the Company;
(iii) in applications and forms for agreeing Company’s products and services;
(b) which the Company learns based on providing the Data Holder with Companying and financial services and services related to them, as well as the services of agreeing products and services of Company’s contracting partners, which includes, without limitation, data on transactions, personal spending and interests, as well as other financial data stemming from the use of any product of the Company or its contracting partners, as well as all the personal data the Company learned by providing Companying and financial services within previous business relations with a client;
(c) that originates from the processing of any previously specified personal data by the Company and has the character of personal data (hereinafter, jointly: Personal Data).
III HOW DOES THE COMPANY GATHER PERSONAL DATA?
The Company gathers personal data directly from the Data Holder. The Company is required to check whether the Personal Data is authentic and accurate.
The Company is required to:
a) process Personal Data in a lawful and legal manner;
b) not process Personal Data gathered for special, explicit, and legal purposes in any manner that is not in line with that purpose;
c) process Personal Data only to the extent and in the scope necessary for fulfilling certain purposes;
d) process only authentic and accurate Personal Data, and update it when needed;
e) erase or correct the Personal Data that is inaccurate and incomplete, given the purpose of its gathering or further processing;
f) process the Personal Data only in the time period that is necessary for fulfilling the purpose of data gathering;
g) keep the Personal Data in a form that allows identification of the Data Holder for no longer than is needed for the purpose of gathering or further processing the data;
h) ensure that the Personal Data gathered for different purposes is not consolidated or combined.
IV WHAT ARE THE PURPOSES OF PROCESSING PERSONAL DATA?
To be able to provide services to Data Holders, the Company processes Personal Data in accordance with the Personal Data Protection Law and the Law on Companys of the FBIH. Data Holder’s Personal Data is processed when one of the following conditions of processing legality is met:
a) Meeting of legal obligations of the Company or other purposes determined by law or other applicable regulations from the area of Companying, payment transactions, anti-money-laundering, etc., as well as acting in line with individual rules adopted by relevant institutions of Bosnia and Herzegovina or other bodies whose orders, based on legal or other regulations, the Company must observe. Processing of such Personal Data is a legal obligation of the Company and the Company can reject entry into a contractual relationship or provision of an agreed service, i.e. terminate the existing business relationship in case the Data Holder fails to submit data prescribed by law.
b) Executing and implementing an agreement to which Data Holder is a party i.e. in order to take actions on Data Holder’s request before executing the agreement. Provision of Personal Data for the mentioned purpose is mandatory. If the Data Holder refuses to provide some of the data necessary for executing and implementing the agreement to which the Data Holder is a party, including Personal Data gathered for the purpose of risk management in a manner and within the scope prescribed by the relevant laws and by-laws, it is possible that the Company will not be able to provide certain services and, due to that, it can refuse to enter into a contractual relationship.
c) Data Holder’s Consent
– For the purpose of conducting marketing activities within which the Company can send you offers and facilities related to new or already agreed products and services of the Company, and for the purpose of direct marketing for the development of the business relationship with the Company, within which the Company can send you tailored offers for executing new agreements on the use of Companying and financial services and related services of the Company and Group members based on the created profile.
– For the purpose of occasional research in relation to conducting its business activities.
– The Data Holder can, at any time, withdraw previously given consents (according to the BIH Personal Data Protection Law, such withdrawal is not possible if thus explicitly agreed by the Data Holder and the controller), and has the right to object to the processing of the Personal Data for the purpose of marketing and market research. In that case, Personal Data related to them shall not be processed for that purpose, which does not affect the legality of processing Personal Data until that moment. Provision of data for the mentioned purposes is voluntary and the Company will not reject execution or implementation of the agreement if the Data Holder refuses to give consent for the provision of Personal Data.
Withdrawal of the consent shall not affect the legality of the processing that was based on the consent in force before its withdrawal.
d) Legitimate interest of the Company, including, without limitation:
– the purpose of direct marketing, market research, and Data Holder’s opinion analysis to the extent they have not objected to data processing for that purpose;
– taking measures for managing the Company’s operations and further development of products and services;
– taking measures for insuring people, premises, and property of the Company, which includes control and/or checking of access to them;
– processing of Personal Data for internal administrative purposes and protection of computer and electronic communication systems.
When processing Personal Data of the Data Holder based on a legitimate interest, the Company always pays attention to the Data Holder’s interest and basic rights and freedoms, with a special focus on ensuring that their interests are not stronger than the Company’s, which is the basis for processing Personal Data, especially if the Data Holder is a child.
The Company can process Personal Data also in other cases if it is necessary to protect legal rights and interests exercised by the Company or a third party, and if that processing of Personal Data is not in contravention of the Data Holder’s right to protect their private and personal life.
V HOW DOES THE COMPANY PROCESS PERSONAL DATA?
The Company processes Personal Data in accordance with the regulations of Bosnia and Herzegovina and the Company’s by-laws related to the protection of Personal Data.
VI FOR HOW LONG DOES THE COMPANY KEEP PERSONAL DATA?
The period of keeping Personal Data primarily depends on the category of Personal Data and the purpose of processing. In line with that, your Personal Data shall be stored during the period of the contractual relationship with the Company i.e. so long as there is Data Holder’s consent for the processing of Personal Data and for the period the Company is authorized (e.g. for the purpose of exercising legal requirements) and legally bound to keep that data (Law on Companys, Law on Anti Money-laundering and Counter-Terrorist Financing, for archive purposes).
VII IS THE PERSONAL DATA CEDED TO THIRD PARTIES?
The Personal Data of the Data Holder can be ceded to third parties based on:
a) Data Holder’s consent; and/or
b) implementation of the agreement to which Data Holder is a party; and/or
c) provisions of laws and by-laws.
Personal Data will be provided to certain third parties to which the Company is required to provide such data, for the purpose of fulfilling a task carried out in public interest, such as the Companying Agency of the FBIH, Ministry of Finance – Tax Administration Office, and others, as well as other parties to which the Company is authorized or obligated to provide Personal Data based on the Law on Companys and other relevant regulations that regulate Companying.
Additionally, the Company is required to act in line with the obligation of keeping the Companying secret, including Personal Data of the Company’s clients, and it can transfer and disclose such data to third parties i.e. recipients only in the manner and under the conditions prescribed by the Law on Companys and other regulations from this area.
We emphasize that all the persons who, due to the nature of their job performed with the Company or for the Company, have access to the Personal Data are equally obliged to keep that data as Companying secret consistent with the Law on Companys, Personal Data Protection Law and other regulations that regulate data secrecy.
In addition to the aforementioned, your Personal Data can also be accessible to service providers who have a business relationship with the Company (e.g. providers of IT services, providers of card transaction processing services, etc.) for the purpose of ensuring adequate operations of the Company i.e. provision of Companying services, who are also required to act in accordance with the applicable regulations from the area of personal data protection.
Details related to the purpose of the processing of Personal Data, to recipients or recipient categories, the legal basis for the processing of Personal Data, and giving Personal Data for use to other recipients are described in more detail in Company’s relevant documents, which are available to Company’s clients when they agree to products and services. The list of data processors is regularly updated and available for insight to Data Holders at the Company’s website, in the subsection “Data Protection”, as well as the content of the informative notice.
VIII TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
Data Holder’s Personal Data can be taken out of Bosnia and Herzegovina (hereinafter: Third Countries) only:
– to the extent prescribed by law or another binding legal basis; and/or
– to the extent necessary to execute Data Holder’s orders (e.g. payment orders).
IX DOES THE COMPANY CONDUCT AUTOMATED DECISION-MAKING AND PROFILING?
Relative to a business relationship with the Data Holder, the Company does not conduct automated individual decision-making that would produce legal effects with negative consequences for the Data Holder. In some cases, the Company applies automated decision-making, including the creation of a profile for the purpose of assessing the realization of agreement between the Data Holder and the Company; for example, when approving authorized current account overdraft, and in accordance with the Law on Anti Money-laundering and Counter-Terrorist Financing, when producing the model of money-laundering risk analysis. In the case of automated decision-making, the Data Holder has the right to be exempt from a decision that is based exclusively on automated processing i.e. they have the right to require human intervention from the Company in order to express their standpoint and contest the decision.
X HOW DOES THE COMPANY PROTECT THE DATA?
As part of the internal security system and with a view to ensuring the security of your Personal Data, in line with the relevant regulations and defined obligations, the Company applies and undertakes adequate organizational and technical measures i.e. measures against unauthorized access to Personal Data, alteration, destruction or loss of data, unauthorized transfer and other forms of illegal processing and misuse of the Personal Data.
XI WHAT ARE THE DATA HOLDER’S RIGHTS?
In addition to the already mentioned Data Holder’s rights, every person whose Personal Data is processed by the Company has primarily, and most importantly, the right to access all the provided Personal Data, and to correct and erase the Personal Data (to the extent permitted by law), the right to limitation of the processing, all in the manner defined by current regulations.
XII HOW TO EXERCISE ONE’S RIGHTS?
Data Holders have at their disposal Company staff at all the Company branches as well as a Personal Data Protection Officer who can be contacted in writing at the address: Social Infinity, Personal Data Protection Officer, Prve muslimanske brigade bb, 77230 Velika Kladuša or via e-mail address: [email protected]
Besides, every Data Holder, as well as the person whose Personal Data is processed by the Company, is authorized to file an objection to the processing of their Personal Data by the Company as controller with the Personal Data Protection Agency in Bosnia and Herzegovina.