Datenschutzerklärung

GENERAL INFORMATION ON PERSONAL DATA PROTECTION

GENERAL PROVISIONS

1.1. Purpose of the Act

This document, General Information on Personal Data Protection of Shark Global d.o.o. Bijeljina (hereinafter: "General Information"), defines relevant information related to the processing of personal data of data subjects.

The goal of the General Information of Shark Global d.o.o. Bijeljina (hereinafter: "Company") is to apply the principles of lawful, fair, and transparent processing of personal data, enabling data subjects to obtain all relevant/necessary information related to the processing of their personal data.

1.2. Definitions and Terms

Personal Data - any information relating to an identified or identifiable natural person;
Data Subject - a natural person who can be identified, directly or indirectly, particularly by reference to an identification number or one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity;
Special Categories of Data - all personal data revealing:
- racial, national, or ethnic origin, political opinions, party affiliation, or trade union membership, religious, philosophical, or other beliefs, health status, genetic code, and sexual life,
- criminal convictions,
- biometric data;
Collection of Personal Data - any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis;
Processing of Personal Data - any operation or set of operations performed on data, whether automated or not, such as collecting, recording, organizing, storing, adapting, or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, blocking, erasing, or destroying;
Anonymous Data - data that in its original form or after processing cannot be linked to the data subject in terms of their identification;
Controller - any public authority, natural or legal person, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data based on laws or regulations;
Processor - a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller;
Third Party - any natural or legal person, public authority, agency, or other body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process the data;
Consent of the Data Subject - any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they signify their agreement to the processing of personal data relating to them;
Recipient - a natural or legal person, public authority, agency, or other body to whom the data are disclosed, whether or not a third party; bodies which may receive data in the framework of a particular inquiry shall not be regarded as recipients.
Personal Data Protection Agency in BiH (hereinafter: "Agency") - an independent administrative organization whose competencies and scope of work are prescribed by the Law on Personal Data Protection of Bosnia and Herzegovina (hereinafter: "Law");
Personal Data Protection Officer - an employee appointed by the decision of the Company Director, to whom the data subjects and Company employees can address questions and requests related to the processing of personal data.

GENERAL INFORMATION

2.1. Information on the Controller

The controller of personal data is Shark Global d.o.o. Bijeljina, Ul. Nikole Tesle no. 10, Bijeljina, JIB no. 4404645570004, phone number: +38766254437, email: office@sharkglobal.net, website: www.sharkglobal.net.

2.2. Contact Information for Personal Data Protection

The Data Protection Officer (DPO) is available via email:
office@sharkglobal.net and address: Nikole Tesle no. 10, Bijeljina.

2.3. Types of Personal Data Processed by the Company

In the course of its lawful activities, the Company collects and processes personal data, which are maintained in the Record of Personal Data Collections (hereinafter: "Record"). The Record shows the categories of personal data, the purpose of their processing, and all other necessary information, completed in accordance with the Regulation on the Method of Keeping and Form of the Record of Personal Data Collections of Bosnia and Herzegovina. These Records are publicly available and can be found in the Main Register on the website of the Personal Data Protection Agency of Bosnia and Herzegovina, accessible via the following link: http://azlprea.azlp.ba/.

2.4. Processing of Personal Data

The Company processes personal data respecting the principles of legality, fairness, and transparency.

The Company ensures adherence to the principle of purpose limitation in the processing of personal data, meaning it processes personal data for specifically defined, explicit, justified, and lawful purposes, and does not process personal data in a manner incompatible with those purposes.

The Company processes collected personal data of its clients for the purpose of providing individual business services or products and conducting pre-contractual measures.

The Company may process personal data if the data subject has given consent for data processing or if the processing is based on a specific law, subordinate act, contractual relationship, or for the preparation of contract conclusion or for the realization of a legitimate interest.

Consent, i.e., valid consent for data processing, can be given by the data subject:
- in the form of a written statement;
- by signing a contract, application form, or other document containing an appropriate clause of consent.

The Company applies the principle of data minimization, meaning it collects and processes only the personal data necessary for the execution of legal provisions, contractual obligations, purposes defined in the consent, and the legitimate interest of the Company. Providing personal data is a legal or contractual obligation of the data subject, necessary for entering into a business relationship or executing a specific service. If the data subject does not wish to provide the requested data and/or does not wish to give consent for data processing, the Company will terminate or not enter into such a business relationship.

2.5. Rights of the Data Subject

The data subject has the following rights concerning the processing of their personal data:

- Right of access;
- Right to rectification and supplementation;
- Right to erasure of personal data;
- Right to restriction of processing;
- Right to data portability;
- Right to object;
- Right to withdraw consent for processing;
- Right not to be subject to a decision based solely on automated processing.

Right of access - The data subject has the right to request information from the Company on whether their personal data are being processed, and if so, has the right to access the personal data and obtain relevant information (purpose of processing, types of personal data, etc.). Upon the data subject's request, the Company issues a copy of the personal data being processed.

Right to rectification and supplementation - The data subject has the right to request correction and supplementation of personal data if the Company processes inaccurate or incomplete personal data.

Right to erasure of personal data - The data subject has the right to have their personal data erased without unnecessary delay, under certain conditions.

Right to restriction of processing - The data subject has the right, under certain conditions, to restrict the processing, meaning the Company will not delete their personal data but will continue to process them in a limited manner.

Right to data portability - The data subject, in certain situations, can request the Company to transfer their personal data directly to another controller if it is technically feasible.

Right to object - The data subject, if justified by a specific situation, has the right to object at any time to the Company’s processing of their personal data. Also, the data subject has the right to object at any time to the processing of their personal data for direct marketing purposes, upon which the Company will cease processing personal data for such purposes.

Right to withdraw consent for processing - The data subject is informed that consent is given on a voluntary basis and can be withdrawn at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. After the withdrawal of consent, the Company will no longer use the personal data of the data subject for the purposes covered by the withdrawal.

Right not to be subject to a decision based solely on automated processing - The data subject has the right to request the Company not to be subject to a decision based solely on automated processing, including profiling.

The Company ensures data subjects can exercise their rights. The data subject can submit a Request for the Exercise of Data Subject Rights (hereinafter: "Request"), available at the Company’s headquarters and on the Company’s website. The Company will respond to received Requests within 30 days of receiving the Request.

2.6. Recipients of Personal Data

Recipients of personal data are employees in the Company and processors for the Company, who are obliged to respect and protect the confidential data of the data subject based on legal regulations, personal data processing contracts in accordance with regulations, or contractual or professional obligations to maintain business secrecy. Data on data subjects represent business secrets of the Company in accordance with applicable regulations governing this area, and information about clients represents information in accordance with positive legal regulations.

2.7. Data Retention Periods

The Company ensures adherence to the principle of data retention limitation.
Personal data are stored within legally prescribed retention periods and within periods necessary to achieve the purpose for which they were collected or processed.

2.8. Automated Decision-Making

The Company uses certain automated processes, including profiling, in which decisions about the data subject may be made, having legal effects or significantly affecting them. The Company also respects the provisions of the Law and other regulations related to automated decision-making.

2.9. Right to File a Complaint with the Agency

If the data subject believes that the processing of personal data has been carried out contrary to the provisions of the Law, they have the right to file a complaint with the competent regulatory authority (Personal Data Protection Agency of Bosnia and Herzegovina) in accordance with the provisions of the Law.

2.10. Protection Measures

Considering the level of technological advancements and

available security measures, their implementation costs, the nature, scope, context, and purpose of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of data subjects, the Company implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, where appropriate:
- pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.

2.11. Data Protection by Design and Default

The Company implements, both at the time of the determination of the means for processing and at the time of the processing itself, appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing to meet the requirements of the Law and protect the rights of data subjects.

The Company also implements appropriate technical and organizational measures for ensuring that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage, and their accessibility. In particular, such measures ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

The Company’s systems, policies, and practices are designed to ensure compliance with these principles and protect the data subject’s rights.