PRIVACY POLICY FOR THE ASSOCIATION’S COUNTER PARTIES WHO ARE NATURAL PERSONS AND EMPLOYEES/ASSOCIATES OF THE ASSOCIATION’S COUNTER PARTIES

02.07.2019

The protection of privacy is important to us. We make every effort to ensure that your personal information is adequately protected and that we provide you with a transparent account of how we use it.

As of 25 May 2018 new European data protection regulations will apply in the form of Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Association UE L 119 of 4.05.2016, p. 1) (“GDPR”) and the Act of 10 May 2018 on the personal data protection (Journal of Laws of 2018, item 1000).

Therefore, we would like to inform you about the processing of your personal data and the rules of processing of such date by the Association of Business Service Leaders as of 25 May 2018.

This policy (“Privacy Policy”) established by the employers’ association operating under the name the Association of Business Service Leaders in Bosnia and Herzegovina, ID number: 4202659220004 with its registered office in Maršala Tita 28 / 71000 Sarajevo / Bosnia & Herzegovina (hereinafter referred to as the “Controller” or “we”, “us”, “Association”) is addressed to the counter parties of the Association who are natural persons and to the employees/associates of the counter parties, members and partners of the Association (“Counter parties”).

The purpose of this Privacy Policy is to provide you with information on the terms, conditions and rules applicable to the processing of personal data of Association’s Counter parties who are natural persons and personal data of employees/associates of the Association’s Counter parties.

1. Who is responsible for your personal data? (Controller)
The Controller of your personal data is the employers’ association operating under the name the Association of Business Service Leaders in Bosnia and Herzegovina, ID number: 4202659220004 with its registered office in Maršala Tita 28 / 71000 Sarajevo / Bosnia & Herzegovina.

2. How to contact the Controller?
If you have any questions regarding the processing of your personal data by the Controller, please contact us by e-mail at info@absl.ba.

3. On what basis we process your personal data and for what purpose?
We may process your personal data for the following purposes:
a. to conclude and to perform the obligations under the contract we have with you, in particular, to verify the correct representation of the contracting party, make operational arrangements, settle   remuneration, conduct a complaint procedure, communicate for the purposes of the contract performance (based on Art. 6(1) point b) and f) of GDPR);
b. to conduct negotiations concerning the terms and conditions of cooperation, to conduct tender procedures, to submit bids for the provision of services, to sell the Association’s own products, to conduct marketing activities (based on Art. 6(1) point b) and f) of GDPR, where the legitimate interest of the Association is to carry out its statutory activities, including business activities, and to offer its own products and services);
c. to comply with the legal obligations arising out of tax and accounting regulations, and in particular with respect to the proper documentation of transactions for the purposes of tax settlements and the preparation of the Association’s financial statements (based on Art. 6(1) point c) of GDPR);
d. to collect receivables, conduct litigation, arbitration or mediation (based on Art. 6(1) point b) and f) of GDPR, where the legitimate interest of the Association is to assert or to defend claims);
e. to conduct administrative proceedings to which the Association is a party (based on Art. 6(1) point c) and f) of GDPR, in connection with the exercise by the Association of its rights as a party to the proceedings).

The legitimate interest (Art. 6(1) point f) of GDPR) of the ABSL shall be understood to mean making operational arrangements and communication in connection with the performance of the contract, marketing activities, performing statutory activities of the ABSL, asserting claims or enforcing rights of the ABSL.

On the grounds of and only upon your consent (Art. 6(1) point a) of GDPR), the Association processes your personal data within the scope of your image, voice, speeches recorded during conferences, events and webinars organized by the ABSL for the marketing, public relations and promotional purposes of the ABSL.

The ABSL has the right to process your personal data for marketing purposes also after the relationship between you and the ABSL has ended. The ABSL will not process your personal data if you revoke your prior consent. Processing carried out prior to the withdrawal of consent continues to be lawful.

4. Recipients and categories of recipients of personal data
Your personal data may be shared with the following recipients:
a) entities cooperating with the Association to organize and hold conferences, events and webinars organized by the Association;
b) an entity to which the Association has entrusted activities related to the settlement of transactions related to the fees for the participation in conferences, events and webinars organized by the Association,
c) an IT entity that develops an application for use at conferences and other events organized by the Association,
d) an entity with which the Association cooperates in the scope of accounting services,
e) members of the Association and strategic partners.

If such an obligation results from mandatory legal regulations, the Controller may also provide your personal data to the third parties, in particular to the authorized governmental authorities.

5. What are your rights with regard to personal data?
Pursuant to GDPR, you have a number of rights with regard to your personal data. The following is a general description of your rights:
a) Access to personal data. You can exercise your right of access to your data at any time.

b) Rectification and supplementation of data. You have the right to request the Controller to rectify your personal data which are inaccurate without delay as well as to request that incomplete personal data be supplemented.

c) Right to erasure of data. You have the right to request the Controller to erase your personal data without delay in any of the following cases:
• if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
• if the data subject has withdrawn the consent on which the processing is based and there is no other legal basis for the processing;
• if you object to the data processing as referred to in point e) below and there are no overriding legitimate grounds for the processing of data;
• if the personal data are processed unlawfully;
• if the personal data must be erased in order to comply with a legal obligation provided for in the European Association law or in Bosnian law.
• if the personal data have been collected in connection with the provision of information society services.
However, the Controller will not be able to erase your personal data to the extent that their processing is necessary (i) to exercise the right to freedom of expression and information, (ii) to comply with a legal obligation requiring processing under the European Union or Polish law, (iii) to establish, pursue or defend claims.

d) The right to restriction of data processing. You have the right to request the Controller to restrict the processing in the following cases:
• you question the accuracy of personal data – for a period enabling the Controller to verify the accuracy of such data;
• the processing is unlawful and you object to the erasure of personal data by requesting that the use of the data be restricted instead;
• the Controller no longer needs your personal data for the purpose of processing, but they are necessary for you to establish, pursue or defend your claims;
• you objected to the data processing as referred to in point e) below– until such time as it is determined whether legitimate grounds on the part of the Controller override your grounds for objection.

e) Right to object. You have the right to object to the processing of your personal data in the event that the Controller processes such data in the performance of a legitimate interest, including for the purpose of direct marketing. To the extent that the data are processed for a purpose other than direct marketing, the Controller may reject the objection if the Controller shows that there exist legitimate grounds for processing that override your interests, rights and freedoms or the grounds for establishing, asserting or defending claims.

f) Right to withdraw consent. To the extent that your personal data are processed on the grounds of your consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of the consent prior to its withdrawal.

g) Right to data portability. To the extent that your data are processed for the purpose of concluding and performing a contract or are processed on the basis of your consent and data processing is automated, you have the right to receive from the Controller your personal data which you have provided to the Association in a structured, generally used and machine-readable format. You also have the right to transfer such personal data to another controller.

h) Right to complain. You have the right to lodge a complaint against the processing of personal data by the Controller with a supervisory authority, namely the President of the Office for the Protection of Personal Data in the case of Poland.

The rights referred to in points a) to g) above may be exercised by contacting the Controller in the manner specified in section 2 above, i.e. by contacting info@absl.ba

In order to exercise the right to complain referred to in point h) above, you should contact the supervisory authority directly.

6. Provision of personal data
When contacting us in the course of your business activities, you provide your data on a voluntary basis and failure to provide your data may result in the inability to conclude or perform a contract or the inability to exercise the rights you may have.
We may also obtain your personal data, including: name, surname, position and place of work, business contact details, from your employer or the entity with which you cooperate on the basis of a civil law contract, as well as from publicly available sources (website).
We may also obtain your personal data, including the categories of data contained in public registers (in the Register of Business Operators of the National Court Register and in CEIDG), from those public sources.

7. Transfers of personal data to the third countries
In the event that your personal data are transferred to the third countries, i.e. to the recipients located outside the European Economic Area or Switzerland, the Controller will transfer your personal data using measures that are consistent with applicable law, including, but not limited to, (1) EU Standard Contractual Clauses, (2) third-party certification of compliance with the Privacy Shield (in the event it is located in the United States), (3) where the data transfer occurs to a third country for which the European Commission issued the adequacy decision. More information about the existing security measures implemented by the Controller to ensure the processing of personal data in accordance with the relevant regulations and about the possibilities of obtaining a copy of data or about the place where the data are made available can be obtained by contacting us in the manner indicated in section 2 above.

8. How long do we retain your personal information? (Data retention period)
The Controller makes every effort to process your personal data in an adequate manner and for as long as it is necessary for the purposes for which they were collected. In this context, the Association will retain your personal data for no longer than it is necessary for the purpose for which the data were collected or, where necessary, for the purpose of compliance with the applicable law, in particular, the throughout the period of performance of the contract and the limitation period for claims.

9. Automated decision-making
The Controller does not make automated decisions, including profiling, based on personal data provided by you.

10. Amendments to the Privacy Policy
This Privacy Policy may be subject to amendments, in particular, if the need or obligation to introduce such amendments results from changes in applicable laws, including changes in the recipients of data.
Individuals whose data are processed in accordance with this Privacy Policy will be duly informed of any amendments to this Privacy Policy in a reasonable time before the amendments to this Privacy Policy are made.