Privacy Policy • Merin Group Privacy Policy • Merin Group

Privacy Policy

MERIN ASSET MANAGEMENT DOO BEOGRAD – NOVI BEOGRAD with registered office in Belgrade, Milutina Milankovića 11v, MB: 21104396 (hereinafter: “Handler” or “Merin”) hereby informs the visitors of the website www.merin.rs, whose data is processed (hereinafter: “User”), in terms of the Personal Data Protection Act (“Official Gazette” , No. 87/2018, hereinafter: “Law”), on all essential aspects of personal data processing, which takes place in accordance with the applicable regulations.

The Handler retains all copyrights to the use of photographs, texts and other published materials, in terms of positive legal regulations in the Republic of Serbia. Photos, texts and other material may not be published, sold, publicly or privately made available or used in any other way without our consent. Failure to comply with the previous conditions entails responsibility and the obligation to compensate the Handler for material damages due to violations of positive law.

 

1. Introductory provisions

  • This Privacy Policy governs the collection and processing of data within the Handler’s website: www.merin.rs.
  • The definitions and expressions from this Privacy Policy correspond to the definitions and expressions contained in the Law. The Handler is committed to respecting the legislation of the Republic of Serbia that regulates the protection of personal data, as well as respecting the protection of basic human rights and freedoms, and above all the right to privacy of the person whose personal data the Handler processes.
  • Clicking on the “Accept cookies” button, or a differently marked button with the same function, in the pop-up window that is displayed to new users of the website www.merin.rs during their first visit to the website, will be considered an active, voluntarily performed action in order to establish lawful legal basis for the collection and processing of selected data in the manner and for the purposes described in this Privacy Policy, without any reservations. The Handler will be able to prove, through an electronic record (log), or in some other way, that the person to whom the data refers has made the aforementioned active, voluntary action confirming that he is aware of and agrees with this Privacy Policy. The mentioned electronic record (log) will be considered as legally valid and sufficient evidence of the given consent, in the sense of Article 15 paragraph 1 of the Law.
  • This Privacy Policy can be changed at any time, with the fact that the change will be displayed on the home page of www.merin.rs. In that case, the users to whom the data refer will be asked to give a new consent to the processing of personal data, in accordance with the changes made to this Privacy Policy.
  • The rules governing the collection of personal data through Cookies will be specified in the separate Cookie Policy. All the rules related to giving consent to the Privacy Policy within the provided pop-up window, as well as the storage of the evidence form – an electronic record (log), as well as the way of changing and notifying the user to which the data refers about the changes made, in will fully apply to the used Cookies.
  • For any additional questions related to the rules and provisions of this Privacy Policy, as well as to exercise your rights, you can contact us by sending an inquiry to the address: office@merin.rs.
  1. Application of the principles of personal data processing

Please keep in mind that Merin, at all times, when collecting, processing and storing your Personal Data, we act as follows:

  • Personal data will be processed legally, fairly and transparently in relation to the User to whom the data refers (“legality, fairness and transparency”);
  • Personal data will be collected for the purposes specifically determined by this Privacy Policy, which are explicit, justified and lawful and still cannot be processed in a way that is inconsistent with those purposes (“limitation in relation to the purpose of processing”);
  • Personal data will be adequate, essential and limited to what is necessary in relation to the purpose of processing (“data minimization”);
  • Personal data will be accurate and, if necessary, updated. In this regard, Merin will take all reasonable measures to ensure that inaccurate personal data is deleted or corrected without delay (“accuracy”), and we ask that you always notify us of changes to your Personal Data;
  • Personal data will be stored in a form that allows the identification of User only for the period necessary to achieve the purpose of the processing (“storage limitation”);
  • Personal data will be processed in a way that ensures adequate protection of personal data, including protection against unauthorized or illegal processing, as well as against accidental loss, destruction or damage by applying appropriate technical, organizational and personnel measures (“integrity and confidentiality”).
  1. Data processed by the Handler

A. The Handler may collect different categories of personal data, which are used for different purposes and with different legal bases. Usually, it is a set of data that enables the identification of the user whose data is being processed, entering into communication with the User whose data is being processed, or which is necessary to provide a specific service at the request of that user, i.e. to fulfill the legal obligations of the Handler, which include:

    • Data collected through cookies that the user has enabled, that is, the use of which he has agreed to, and which are described in a separate Cookie Policy.
    • Data collected electronically on visitor identification (IP address, etc.);
    • Name and surname, e-mail address and/or other data left by the user in the section “Contact us” in order to contact the Manager, and in the section “Send an inquiry” in order to inform the User;

B. Personal data is collected only to the extent that it is necessary to achieve a specific purpose.

C. On the Handler’s website there may be links to the Handler’s pages on social networks (Facebook, Instagram. LinkedIn). In addition to this Privacy Policy, the rules prescribed by the said platforms (Terms of Service/Terms of Use, Privacy Policy) apply to all data collected by the said platforms during your visit, as well as to all data you voluntarily leave on the said social networks, Cookie Policy). The Handler cannot be held responsible for any type of illegal use of personal data, made by the companies owned or controlled by the social networks. You can find the privacy policies of the mentioned platforms at the following links.

https://www.facebook.com/privacy/policy/

https://help.instagram.com/155833707900388

https://www.linkedin.com/legal/privacy-policy

 

  1. Legal basis of data processing
  • The legal basis for the processing of personal data is the free and informed consent of the users to whom the data refer, that is, their consent for the purposes specified in this Privacy Policy, in accordance with Article 12 paragraph 1 of the Law.
  • Your personal data obtained based on your consent will be processed and stored as long as your consent exists, that is, until your consent is revoked. You can revoke your consent to the collection, processing and use of your data at any time by sending an electronic request to the email address: office@merin.rs.
  • Revocation of consent does not affect the permissibility of processing Personal Data based on your consent prior to revocation.
  1. Purpose of data processing

The Handler uses the data for various purposes, which are always directly related to the legal basis of processing. For all purposes of processing for which the need arises, the user to whom the data refers will be informed of all the necessary information, before starting such processing actions, and the processing itself will be based on the appropriate legal basis, in accordance with the law. The purpose of processing with regard to cookies is defined in the separate Cookie Policy.

  1. Disclosure and Transfer of Personal Data

The data may be disclosed to other business partners, if necessary, to related parties of the Handler in the territory of the Republic of Serbia, employees of the Handler, property and persons, legal service providers, IT service providers, companies that perform security services, state authorities, persons who are in a contractual relationship with the Manager (Data Processors) and entrusted with certain data processing actions, in accordance with the conditions prescribed by law relating to information security, the obligation to maintain secrecy and the contractual arrangement of rights and obligations). All persons are obliged to act in accordance with all provisions of the Law regarding the security of personal data processing;

  1. Rights of users whose data is processed in connection with the processing of Personal Data

A. The user whose data is processed by the Handler may request the following:

    1. to request information on whether the Handler processes his/her Personal Data and to request access to that data

At the User’s request, the Manager will provide information about the User’s personal data processed by the Manager or its processors, in accordance with the Manager’s instructions, about the purpose of processing Personal Data, the legal basis and duration of processing, the name and address of the processor and its activities related to processing, circumstances and impact on the violation of personal data, as well as the measures taken to eliminate them, and, in the case of data transfer, information on the legal basis of such transfer and the recipient.

After your submission of the request, but no later than within 15 days from the date of receipt of the request, the Manager will provide you with a written statement, in an understandable language. A written statement will be provided free of charge, unless the request is manifestly unfounded or excessive, and especially if it is repeated frequently. In that case, we will charge the necessary administrative costs of providing a written statement or processing the request, or we may refuse to process the request.

We are obliged to provide the User to whom the Personal Data refers, upon his request, a copy of the Personal Data that we process. We may request compensation for the necessary costs for making additional copies requested by the User to whom the data relates. If the request for a copy is submitted electronically, the information is submitted in a commonly used electronic form, unless the User to whom the data relates has requested a different submission.

    1. to request the correction, addition or deletion of his/her Personal Data and the right to submit an objection to data processing

The user to whom the data relates has the right to have his/her inaccurate personal data corrected without delay. Depending on the purpose of the processing, the User to whom the data refers has the right to supplement his/her incomplete personal data, which includes providing an additional statement.

The User to whom the data refers has the right to request that his/her Personal Data be deleted by the Handler.

The manager is obliged to delete the personal data without undue delay if: 1) the user has revoked the consent on the basis of which the processing was carried out, and there is no other legal basis for the processing, 2) the personal data are no longer necessary to achieve the purpose for which they were collected 3) The user has filed an objection to the processing, 4) Personal data has been illegally processed, 5) Personal data must be deleted in order to fulfill legal obligations; 6) Personal data were collected in connection with the use of information society services in the sense of the Law.

    1. to submit a complaint to the Commissioner for Information of Public Importance and Personal Data Protection
    2. the right to portability of Personal Data

The User to whom the Personal Data refers has the right to receive from us the Personal Data previously provided to us in a structured, commonly used and electronically readable form and has the right to transfer this Personal Data to another Handler without interference from our side, if the following are jointly fulfilled conditions:

      • processing is based on consent or on the basis of a contract;
      • processing is done automatically.
    1. to limit the processing of Personal Data by the Handler, if one of the following cases is met
      • The user to whom the data refers disputes the accuracy of the Personal Data, within the time limit that allows us to check the accuracy of the Personal Data;
      • the processing is illegal, and the User to whom the data refers opposes the deletion of Personal Data and instead of deletion requests restriction of the use of Personal Data;
      • we no longer need the Personal Data to achieve the purpose of the processing, but the User to whom the data refers has requested it in order to submit, exercise or defend a legal claim;
      • The user to whom the data refers has filed an objection to the processing in accordance with Article 37, paragraph 1 of the Law, and an assessment is underway as to whether the legal basis for processing by the Handler outweighs the interests of the User;

Merin is obliged to inform all recipients to whom Personal Data has been disclosed about any correction or addition or deletion of Personal Data or restriction of their processing in accordance with the Law, unless this is impossible or requires an excessive expenditure of time and resources. Merin is obliged to inform the User to whom the data refer, at his request, about all recipients.

If he considers that it is justified in relation to the particular situation he is in, the User to whom the data refers has the right to submit an objection to us at any time to the processing of his/her personal data, in accordance with the Law.

The user to whom the data refers has the right not to apply to him/her a decision made solely on the basis of automated processing, including profiling, if that decision produces legal consequences for that user or that decision significantly affects his position.

B. Procedure in case of violation of Personal Data

If a violation of Personal Data can cause a high risk to the rights and freedoms of the User, the Manager is obliged to, without delay, inform the user of the violation to which the data refer, in accordance with the Law.

In the event of a violation of Personal Data that may cause a risk to the rights and freedoms of the User, the Manager is obliged to notify the Commissioner for Access to Information of Public Importance and Protection of Personal Data without undue delay, or if possible within 72 hours from knowledge of the injury. The notification submitted to the competent authority contains all information in accordance with the Law.

  1. Protection of personal data

A. The manager within his business organization strives to apply the highest possible standards in the area of ​​personal data protection, and applies all necessary organizational, technical and personnel measures.

B. In accordance with the above, the Manager’s policy is that, within the framework of technical measures, the creation, storage, processing and access to data, documents and information is carried out on the company’s document management systems (among others: Microsoft SharePoint portal, File Server, Archive Server, Microsoft NAV, Pantheon etc.). The manager takes care that Employees are obliged to create and process data, documents and information on company computers and associated storage devices, while storing confidential data and documents is prohibited on the same. Additionally, data on document management and ERP solutions are stored within predefined structures of locations, sites and document libraries that have predefined access rights. All company computers and external storage devices are protected by “BitLocker” encryption. Users access all IT services based on a multi-layer authentication system (“MFA”) controlled by the “Microsoft Active Directory” and “Network Access Protection (NAP)” systems. In addition to the above, the Manager ensures that employees do not use certain systems arbitrarily, and internal procedures prohibit the use of private, public and cloud computer resources and storage systems for the processes of creating, processing, saving and accessing data, documents and information. Finally, the Manager periodically conducts employee education regarding the security of using system applications.

C. All processors and/or other recipients of personal data are also obliged to apply all prescribed protection measures, in accordance with the signed contract with the Manager and standards and obligations prescribed by law.

  1. Period of storage of personal data

The Handler tries to keep the data for the period that is necessary for the specific, specific purpose of the processing to be realized, after which the data is deleted or made unrecognizable (anonymization measures).  The specific storage period, i.e. the criteria on the basis of which it is possible to determine it, depends on the purpose for which personal data is processed.

When Personal Data is processed by the Handler on the basis of consent, data collected for the purposes of establishing business contact, the Handler in that case stores the Personal Data in its databases until the consent is revoked.

Data collected through Internet browsers and cookies are stored within the terms provided for by the cookies accepted by the user to whom the data refers, as described in the Cookie Policy of the Handler.

Additional information on terms and methods of storage can be found in separate notices.

  1. 10. Additional information

A. Personal data collected via the website www.merin.rs are not transferred from the Republic of Serbia, except for the possible use of third-party cookies, for which the Handler cannot be held responsible. The servers used for data transfer are located within the EEA countries where an adequate level of protection of personal data is provided. If, in exceptional cases, the data transfer is performed via a server outside the EEA, such data transfer will be carried out with the application of appropriate protection measures, in accordance with the law.

B. In the event that personal data needs to be transferred to another country, i.e. outside the territory of the Republic of Serbia, the transfer will be made in accordance with all the rules prescribed by the current Law, with the application of standard contractual clauses prescribed by the Commissioner for Information of Public Importance and Protection personal data.

C. The provision of data by the user to which the data refers is not a legal or contractual obligation when using the opportunities provided by the website. Failure to provide the requested data can only lead to the impossibility of establishing the requested contact, necessary for further communication in this way, that is, the impossibility of using the services available through the website www.merin.rs.

D. When processing data collected through the website, the Handler does not use any automated decision-making, nor user profiling to which the data refers.

E. Your Personal Data will be treated as confidential information and Merin will take appropriate measures to protect it in accordance with the Law. Access to them will be granted only to persons who, considering the description of the work they perform, should be familiar with your Personal Data and only to the extent necessary for the performance of their work.

F. If we decide to change our Privacy Policy, the changes will be posted and published on the website www.merin.rs This Privacy Policy is available on the website www.merin.rs In case of publication and eventual disagreement between the Serbian and English versions of this Privacy Policy, the Privacy Policy in the Serbian language is valid.