PRIVACY POLICY

Introduction

CENTER FOR INVESTIGATIVE JOURNALISM OF SERBIA, with registered seat at Bulevar despota Stefana no 22, Belgrade-Vračar, CIN: 28825633, TIN: 107545738, legal representative Milica Šarić, manager (hereinafter: CINS, or Data Controller) takes the protection of personal data seriously and is determined to strictly comply with all the applicable laws that regulate privacy issues, including but not limited to the Law on Personal Data Protection (“Official Gazette of the Republic of Serbia”, No 87/18, hereinafter: LPDP).

This Policy provides an extensive overview of the personal data processing activities organized by CINS, as well as all information relevant for such personal data processing.

GENERAL INFORMATION

CINS collects and processes the personal data of its employees, but also personal data of other persons, job candidates, clients, and associates of CINS.

Besides that, CINS collects and processes the personal data that may be contained in video surveillance footage and records of business premises.

In the following sections, CINS provides a detailed description of the types of personal data it processes, the categories of data subjects, the legal basis and purpose of the processing, as well as the rights of the persons to whom the data refer.

Definitions

For the purposes of this Policy the following terms shall have the following meaning:

  • Personal data means any information which makes the data subject identifiable as well as other data which is connected to such information;
  • Data Subject means the identifiable natural person, i.e. the individual that is the holder of certain personal data;
  • Data Controller means CINS, which determines the purpose and organizes the processing of personal data;
  • Data Processor means any entity which performs certain personal data processing activities on behalf of Data Controller;
  • Data Processing means any operation performed on personal data, including collection, transmission, storage, and other use of personal data (hereinafter: processing);
  • Data Protection Authority means Commissioner for Information of Public Importance and Personal Data Protection.

All other definitions which are not explicitly mentioned in this section, but are used in this Policy, shall have the same meaning as in the LPDP. In case of any discrepancy between the definitions explained in this section and definitions explained in LPDP, the LPDP definitions shall prevail.

Principles of personal data processing

Data Controller is obliged to respect all the general principles set in LPDP, i.e.:

  • Each data processing must be lawful, fair, and transparent (lawfulness, fairness, and transparency), which, inter alia, means that:
      • each personal data processing is based on an adequate legal basis (depending on the purpose of each data processing and data subject category),
      • Data Controller collects and processes the personal data in a fair manner, i.e. in a manner that always respects the data subject rights, as well as its obligations prescribed by LPDP,
      • each data subject is properly informed of all the important aspects of the data processing, in a clear and understandable manner, and this Policy is published and available to all data subjects. Data Controller is always ready to provide all the information relevant to the data subjects;
  • Personal data is collected and processed for a specified, legitimate purpose, in a manner that is compatible with such purpose (purpose limitation);
  • Personal data processing is relevant and limited to what is necessary for particular purpose (data minimization);
  • The collected personal data that is processed is kept accurate (as provided by the data subject), and, where necessary, kept up to date (data accuracy);
  • The personal data is stored only for the period necessary for the fulfilment of particular purpose (storage limitation);
  • The processing is performed in a manner that adequately ensures security of the personal data, including the protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by implementation of appropriate technical, organizational and personnel measures to ensure such protection (integrity and confidentiality).

Categories of Personal Data and Data Subjects

Data Controller, depending on the data subject category, processes the following types of data:

  • From the employees, it collects and processes the personal data that are prescribed by the Serbian employment legislation, including, but not limited to the Labour Law, Law on Employment Records, as well as the laws related to the mandatory social and health insurance. Such processing is necessary for compliance with a legal obligation to which Data Controller is subject, within the meaning of the Article 12 Paragraph 1 Point 3) of LPDP;
  • From the employment candidates, it collects and processes the CV data, name, and surname, as well as contact details such as phone, e-mail etc. The legal basis for such processing is the informed consent of the data subject within the meaning of the Article 12 Paragraph 1 Point 1) of the LPDP, or the request of the data subject prior to entering a contract within the meaning of the Article 12 Paragraph 1 Point 2) of the LPDP.
  • From the clients, CINS collects and processes the personal data that are necessary in order to take steps at the request of the data subject, prior to entering into a contract (pre-contractual stage), personal data that are necessary for the performance of a contract to which the data subject is party (contractual stage) as well as personal data which are necessary for compliance with regulations to which Data Controller is subject. Such processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject, prior to entering into a contract within the meaning of the Article 12 Paragraph 1 Point 2) of LPDP or it is necessary for compliance with a legal obligation to which Data Controller is subject within the meaning of the Article 12 Paragraph 1 Point 3) of LPDP;
  • From data subjects that communicate with CINS, Data Controller collects name, surname, and other personal data which Data Subject shares with CINS. The legal basis for such processing is the informed consent of the data subject within the meaning of the Article 12 Paragraph 1 Point 1) of the LPDP;
  • From the person recorded by video surveillance, Data Controller collects and processes photos and videos based on which the person whose data is being processed can be identified. The legal basis for this type of processing is the legitimate interest of Data Controller within the meaning of Article 12 Paragraph 1 Point 6) of the LPDP.

Manner of personal data processing and data processing activities

The manner of personal data collection, as well as of other types of processing, depends on the particular purpose of such collection.

Usually, the data is collected directly from the data subject. If the data is collected indirectly, the Article 24 of the LPDP applies.

CINS performs the following processing activities: collection, recording, structuring, storage, adaptation or alteration, use, erasure, as well as other processing activities, which are necessary for the fulfilment of the particular purpose.

Purpose of Personal Data Processing

CINS uses the personal data for the following purposes:

  • Fulfilment of legal obligations to the extent prescribed by the law (related to the employees of CINS);
  • Preparation, conclusion and enforcement of the contract (related to the candidates for employment, clients of CINS, as well as all other persons who conclude contracts with CINS);
  • Physical protection of the business property and business premises and maintaining a safe environment for the employees, in a manner that protects the fundamental rights of data subjects (video surveillance);
  • Communication with Data Subjects at their request (related to the data subjects that communicate with CINS by email, call etc.).

Legal Basis

CINS collects and processes the personal data, provided that such collection and processing is based on the appropriate legal basis. Depending on the purpose of the collection and category of data subjects, processing of the personal data should be performed based on:

  • Informed consent of the data subject (Article 12 Paragraph 1 Point 1) of the LPDP), with prior notice to such subject of all relevant aspects of the personal data processing. The consent is freely given, specific, informed, and unambiguous, and may be withdrawn at any time. Withdrawal leads to the cessation of any further processing activity, while the data processing that occurred before the withdrawal remains valid;
  • Compliance with legal obligation (Article 12 Paragraph 1 Point 3) of the LPDP). CINS processes personal data for the purpose of complying with a legal obligation, solely to the extent necessary for fulfilling such obligations, provided that all the necessary measures are taken so that access to the personal data is enabled only to the authorized persons and state bodies;
  • Performance of a contract, i.e. for the preparation of the conclusion of such contract (Article 12 Paragraph 1 Point 2) of the LPDP), only to the extent necessary for such purpose;
  • Protection of the legitimate interests of CINS or third parties (Article 12 Paragraph 1 Point 6) of the LPDP). CINS, as an exception, processes the personal data in order to pursue the legitimate interest (i.e. physical protection of the business property, business premises and keeping of the safe environment for the employees, in a manner that the fundamental rights of data subjects are protected – video surveillance, identification etc.).

Data Processors, Data Recipients, Data Users and other parties

Personal data that Data Controller collects could be shared with:

  • Relevant state authorities;
  • Contract partners;
  • Physical security companies;
  • Companies that make the software for the personal data processing;
  • Companies that are maintaining information systems;
  • Other natural persons and legal entities that fall under the category of Data Processor, Data Recipient or Data User, pursuant to the applicable laws and regulations.

All the above-mentioned parties are obliged to implement the data protection safeguards, pursuant to the applicable laws, this Policy, and other acts of CINS.

Some of the mentioned parties that might have access to the personal data fall under the category of Data Processors. Data Controller has contracts with all the Data Processors to comply with the LPDP. Data Controller remains responsible for any data processing activities performed by Data Processors.

The data processing activities are in most cases provided by processors that perform their business activities at locations in Serbia. However, some of the data processing activities might be provided by processors incorporated and active in the EU or third countries.

The transfer to such countries is performed:

  • Based on adequacy decision for the EU/EEA countries pursuant to the Article 64 of the LPDP. The cross-border transfer to these countries is free (without pre-approval from the Data Protection Authority) pursuant to the Article 64 Paragraph 2 of the LPDP;
  • Based on adequate guarantees pursuant to the Article 65 Paragraph 2 Point 2 of the LPDP, i.e. based on the agreement (Data Transfer Agreement) that incorporates standard data protection clauses adopted by Data Protection Authority.

Personal data might be shared with public bodies if that is necessary for fulfilment of the legal obligations of CINS, provided that the usage of the personal data by the public bodies is limited to the minimum necessary to comply with the concrete legal requirement.

Data Subject’s Rights

Data subject may be entitled to the following rights:

  • Right to be informed about the personal data that is processed (Article 23 of the LPDP);
  • Right to access to the processed personal data, right of the data subject to request Data Controller to provide information whether his/her personal data are being processed, and what is the processing purpose. In case of such request, Data Controller is obliged to deliver the copy of the personal data which is processed to Data Subject in accordance with Article 26 of the LPDP;
  • Right to rectification, right of the data subject to obtain the rectification of his/her inaccurate personal data without delay (Article 29 of the LPDP);
  • Right to erasure (Right to be forgotten), right of data subject to request the erasure of the personal data if the conditions from the Article 30 of the LPDP are fulfilled;
  • Right to restriction of processing, right of the data subject to request the restriction of processing, if conditions from Article 31 of the LPDP are fulfilled;
  • Right to data portability, right of the data subject to receive his/her personal data, in a structured, commonly used and machine-readable format, as well as the right to transfer such data to another Data Controller (Article 36 of the LPDP);
  • Right to object, right of the data subject regarding the possibility to object at any time to the processing of his/her personal data, pursuant to the Article 37 of LPDP;
  • Rights in relation to the automated individual decision-making, including profiling, right of the data subject not to be subject to a decision based solely on automated processing, including profiling, pursuant to the Article 38 of the LPDP;
  • Right to be informed in case of data breach, right of the data subject to be informed about data breach if it is likely to result in a high risk to the rights and freedoms of natural persons pursuant to Article 53 of the LPDP;
  • Right to address to the Data Protection Authority;
  • Other rights prescribed by the LPDP.

Contact details of the Serbian Data Protection Authority:

Commissioner for Information of Public Importance and Personal Data Protection
Bulevar Kralja Aleksandra 11120, Belgrade, Serbia
office@poverenik.rs

Commissioner will provide the data subject with all relevant information concerning their rights pursuant to the LPDP.

Personal Data Safeguards

Data Controller complies with the highest standards of personal data protection, and therefore it implements all the necessary organizational, technical, and personnel measures to ensure that the personal data is protected from accidental, unlawful, or unauthorized destruction, loss, alteration, access, publication, or usage, including but not limited to the following measures:

  • Technical protection measures;
  • Control of the physical access to the systems where the personal data are stored;
  • Control of the access to the data;
  • Control of the data transfer;
  • Control of the personal data entry;
  • Data availability control;
  • Other information security measures;
  • All other measures necessary to ensure the adequate level of data protection.

Third parties that have access to, or otherwise process, personal data, including Data Controllers, are also obliged to comply with all the above-mentioned measures.

Data Retention Period

CINS processes personal data within the timeframe that is adequate for fulfilment of the particular purpose:

  • In the event that personal data was collected on the basis of previously obtained consent, the data shall be deleted or anonymized without delay within a period of no longer than 10 days from the withdrawal of consent, if no other retention period is prescribed by law;
  • Records in the field of employment are kept permanently in accordance with the Law on Employment Records;
  • Records on employment candidates are kept until the end of the employee selection process and shall be deleted six months after it ends. After the end of the selection procedure, data about candidates is stored only if the candidate, having been informed about it, consents within the meaning of Article 12 Paragraph 1 Point 1) of the LPDP to his data being stored for the purpose of establishing contact in the event of a future need for employment. Furthermore, the data subject may withdraw his consent before the end of the selection process, in which case he will no longer be able to be selected for a specific workplace;
  • Video surveillance record is kept for 30 days, and after the expiration of that period, it shall be deleted automatically.

Important information regarding Data Processing

Data subject is authorized to contact the Data Protection Officer, for all questions related to the Data Processing, including the fulfilment of his/her rights as explained in this Policy, via e-mail: office@cins.rs and phone +381 11 42 36 216 and address Bulevar despota Stefana 22, 11000 Beograd.

Data Protection Officer will respond to the request of Data Subject as soon as possible, depending on the complexity, but within time that is no longer than 30 days from the date of receipt of such request.

Other

This Policy comes into force on November 29th, 2024, and is available in the business premises of CINS, as well as on the web site www.cins.rs.

This Policy may be amended and supplemented from time to time, but such changes must not in any way reduce the level of legal protection of Data Subject. Data Subject will be notified of any changes to this Policy by the usual means.