Foundation Propulsion Fund, with registered seat in Belgrade, Palmotićeva 25/6/20, registration number: 28827725, organizer and responsible entity for the processing of the certain personal data, as well as the entity that uses certain types of cookies, hereby inform the data subjects on all important aspects of personal data processing and on using of the cookies, all pursuant to the requirements of the Law on Personal Data Protection (“Official Gazette of the Republic of Serbia”, No 87/18, hereinafter: LPDP), and if applicable Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR), and all other personal data protection regulation (if applicable).
1 – BASIC INFORMATION ON RVI
The Propulsion Foundation Propulsion Fund (Data Controller), Commission for International Justice and Accountability (CIJA) based in US and the Balkan Investigative Reporting Network (BIRN), launched the RVI in the Western Balkans in early 2017, networking journalists, activists, and community leaders who challenge dangerous messages online, mapping online radicalization trends, and providing training, mentoring, and technical support to counternarrative campaigns. RVI is funded by the European Union’s Internal Security Fund – Police.
The RVI wants to empower a diverse group of civil society actors – artists, activists, journalists, bloggers, educators and other online (and offline) influencers – from the Western Balkan diaspora communities living in the EU to engage in online and offline communication campaigns, utilizing technology, together with a deep understanding of the community, to produce compelling content that effectively pushes back against polarizing, inflammatory and radicalizing discourse.
RVI organizes gatherings in Zagreb, Vienna and Berlin in the beginning of June 2019 (hereinafter: meet-ups). The goal of these meetings is to foster creativity and challenge us to think outside the box; to propose exciting ideas that have never been considered possible and to reimagine the existing public discourse towards topics at the intersection of identity, migration, democracy, human rights, radicalization and violent extremism. During the meeting, we want to discuss your ideas that have a strong potential to be implemented as online (and offline) campaigns, exploring different platforms (social media, blogs and other networking platforms) and formats (photo, video, performance, written content and many others) as well as offline activities which can generate online content and produce impact).
After the meetups, interested participants will have the opportunity to join the RVI. They will receive mentoring, technical and creative support from our team to turn the ideas discussed in the meetups into reality. The interested participants in RVI will co-produce creative content addressing issues at the intersection of identity, migration, democracy, human rights, radicalization and violent extremism, as they play out in the Western Balkan diaspora communities.
More information on RVI: https://resonantvoices.info/
2 – DATA SUBJECT CATEGORIES AND CATEGORIES OF PERSONAL DATA SUBJECTS
Data Controller is collecting and processing the personal data of the potential participants of meet-ups (hereinafter: data subjects).
Data Controller collects and process the personal data from the data subjects:
- – name and surname;
- – contact data (e-mail and phone);
- – affiliation;
- – data related to the motivation for the meet-up participation and link to current activities performed by the data subjects (Why the data-subject is interested in challenging extremist narratives? How is this related to his/her current activities?);
- – opinion concerning the focus of the RVI in local communities (What does data subject think RVI campaign should focus on in his/her local community?)
- – other personal data that data subject share with Data Controller.
Hereinafter together marked as “personal data”.
3 – MANNER OF THE PERSONAL DATA COLLECTION AND THE PROCESSING ACTIVITIES
The Data Controller collects the personal data through the online registration form for specific event. The example of the form could be found at: https://resonantvoices.info/meetup_zagreb/.
The registration form is created by usage of the Google Form service that is provided by the Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. More information on the usage of the Google Form service visit: https://www.google.com/forms/about/.
The Data Controller is performing the following processing activities:
- – collection;
- – recording;
- – structuring;
- – storage in electronic data bases;
- – adaptation or alteration;
- – use;
- – erasure;
- – other processing activities which are necessary for the purpose defined by this Privacy Notice.
4 – PURPOSE OF THE PERSONAL DATA PROCESSING
Data Controller collects and process the personal data for the purpose of the selection of data subjects for participation in the meet-ups.
5 – LEGAL BASIS
Data Controller collects and process the personal data based on the informed consent made by the data subject, with prior notification on all relevant aspects of the personal data processing (as described in this notice), all pursuant to the Article 12 Paragraph 1 Point 1) and Article 15 of the LPDP, i.e. Article 6.1 (a) and Article 7 of GDPR.
The consent is freely given, specific, informed and unambiguous, and could be withdraw at any time, which leads to the cease of any further processing activity but does not affect the processing performed before the withdrawal.
The withdrawal of the consent before completion of selection process means that the data subject will not be longer considered as candidate for the meet-ups. In such case, the data subject is obliged to reimburse the justified costs and damages that Data Controller suffer due to unjustified and untimely withdrawal.
6 – ENTITIES THAT HAVE ACCESS TO THE PERSONAL DATA
The Data Controller implements the RVI with its partners, which is also related to the data subject’s selection process.
Therefore, the access to the data is granted to the following partners:
- – UDRUZENJE BALKANSKA ISTRAZIVACKA REGIONALNA MREZA U BOSNI i HERCEGOVINI (BIRN Hub), with registered seat UL BRANILACA SARAJEVA 14/2, SARAJEVO 71000, BOSNIA AND HERZEGOVINA;
- – Commission for International Justice and Accountability (CIJA), with registered seat in LAAN VAN MEERDERVOORT 70, DEN HAAG 2517 AG;
- – Partners engaged for the purposes of the realization of the meet-ups.
Hereinafter together marked as: Partners.
Partners performs the personal data processing on behalf of Data Controller. The processing activities performed by the Partners are related to the access to the personal data for the selection process purposes pursuant to the Point 4 of this Agreement.
Beside Partners, the following categories of subjects might have access to personal data:
- – Companies that make the software for the personal data processing;
- – Companies that maintains the ICT systems of Data Controller;
- – Hosting Companies;
- – Other companies that fall under category of the Data Processor, Data Recipient or Data User, pursuant to the applicable laws and regulations.
The above-mentioned subjects are obliged to implement the data protection standards and requirements, all pursuant to the LPDP and GDPR, as well as pursuant to other applicable legislation.
The Data Processor remain responsible of any data processing activities performed by Partners and other entities.
7 – DATA SUBJECT’S RIGHTS
The data subject is entitled to the following rights:
- – Right to be informed about the personal data that is processed (Article 23 of the LPDP and Article 13 of GDPR);
- – Right to access to the personal data processed, right of the data subject to request the Data Controller to provide information whether his/her personal data are being processed, and what is the processing purpose. In case of such request, Data Controller is obliged to deliver the copy of the personal data which is processed in electronic form and free of charge (Article 26 of the LPDP and Article 15 of GDPR);
- – Right to rectification, right of the data subject to obtain the rectification of his/her inaccurate personal data without undue delay (Article 29 of the LPDP and Article 16 of GDPR);
- – Right to erasure (Right to be forgotten), right of data subject to request the erasure of the personal data if the conditions from the Article 30 of the LPDP, i.e. Article 17 of GDPR, are fulfilled;
- – Right to restriction of processing, right of the data subject to request the restriction of processing, if conditions from Article 31 of the LPDP, i.e. Article 18 of GDPR, are fulfilled;
- – Right on data portability, right of the data subject to receive his/her personal data, in a structured, commonly used and machine-readable format, as well as the right to transfer such data to another Data Controller (Article 36 of the LPDP and Article 19 of GDPR);
- – Right to object, right of the data subject to object at any time to the processing of his/her personal data, pursuant to the Article 37 of LPDP, i.e. Article 21 of GDPR;
- – Rights in relation to the automated individual decision-making, including profiling, pursuant to the Article 38 of the LDPD, i.e. Article 22 of GDPR;
- – Right to be informed in case of data breach pursuant to the conditions set in Article 53 of the LPDP, i.e. Article 34 of GDPR;
- – Right to address to the data protection authority;
- – Other rights prescribed by the LPDP, GDPR, and/or any applicable law.
Contact details of the Serbian Data Protection Authority (DPA):
Commissioner for Information of Public Importance and Personal Data Protection
Bulevar Kralja Aleksandra 11120, Belgrade, Serbia
The Data Controller will provide the data subject all relevant information considering the manner and conditions for excursing their right pursuant to the applicable legislation.
8 – PERSONAL DATA PROTECTION MEASURES
Within its business organization, Data Controller is trying to comply with the highest industry standards of the personal data protection, and therefore it implements all the necessary organizational, technical and personnel measures in order to ensure that the personal data is protected from the accidental, unlawful, or unauthorized destruction, loss, alliteration, access, publication, or usage, including but not limited to the following measures: Technical protection measures; Control of the physical access to the systems where the personal data are stored; Control of the access to the data; Control of the data transfer; Control of the personal data entry; other information security measures; all other measures necessary to ensure the adequate level of data protection.
The third parties that have access or in other manner process the personal data, including the Partners, are also obliged to comply with the all the above-mentioned measures.
9 – STORAGE TIME
Data Controller process the personal data exclusively for the purposes of the meet-ups selection process, and therefore the data is erased after the selection process is finished.
The erasure or anonymization is performed within 5 working days from the day of the conclusion of selection process. In case of the consent withdrawal before the completion of the selection process, the data is deleted or anonymized within the 10 days following the withdrawal of the consent.
The processing of the personal data of the selected candidates is performed during the RVI. After the conclusion of RVI, the personal data of participants could be kept, only if such data subject gives the new consent for the data processing. Otherwise the personal data shall be also deleted or anonymized.
10 – CROSS-BORDER TRANSFER OF PERSONAL DATA
Some of the Partners will have seat in member countries of European Union (for example Croatia and Germany). The cross-border transfer to these countries is free pursuant to the Article 64 Paragraph 2 of the LPDP. Such partners are also obliged to perform the personal data protections standards as Data Controller.
12 – TYPES OF COOKIES
Data Controller is using the following types of Cookies:
- – Necessary Cookies, which are essential for the proper operation of the Web Page, removal of such type of Cookies disable the usage of the web page or certain parts of such web page;
- – Functional Cookies, which enables Data Controller to achieve better functionality of the Web Page and the personalized information which it sends to the user. Such Cookies could be placed by Data Controller or by third parties and could be removed in the manner prescribed above. Removal of such type of Cookie could disable the Web Page to function properly;
- – Performance Cookies, that enables the Data Controller to find out the information of the users (Web Page visitors) and the manner of the Web Page usage, for example the number of visits, information concerning the visit of the particular Web Page etc. Such information doesn’t reveal identity of the user, and it helps the Data Controller to improve the user’s web page visit experience;
- – Marketing Cookies, which are placed by Data Controller or advertisers, and could be used for the purposes of the targeted marketing, and which doesn’t reveal the identity of the user, but it identifies the web browser and device used for the Internet access (such as PC, tablet, smart phone etc.).