PRIVACY NOTICE

Foundation Propulsion Fund, with registered seat in Belgrade, Palmotićeva 25/6/20, registration number: 28827725, organizer and responsible entity for the processing of certain personal data, as well as the entity that uses certain types of cookies, hereby informs the data subjects of all important aspects of personal data processing and of the use of cookies, all pursuant to the requirements of the Law on Personal Data Protection (“Official Gazette of the Republic of Serbia”, No 87/18, hereinafter: LPDP), and, if applicable, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR), and all other personal data protection regulations (if applicable).

1 – BASIC INFORMATION ON RVI

The Propulsion Foundation Propulsion Fund (Data Controller), the Commission for International Justice and Accountability (CIJA) based in the US and the Balkan Investigative Reporting Network (BIRN) launched the RVI in the Western Balkans in early 2017, networking journalists, activists, and community leaders who challenge dangerous messages online, mapping online radicalization trends, and providing training, mentoring, and technical support to counternarrative campaigns. RVI is funded by the European Union’s Internal Security Fund – Police.

The RVI wants to empower a diverse group of civil society actors – artists, activists, journalists, bloggers, educators and other online (and offline) influencers – from the Western Balkan diaspora communities living in the EU to engage in online and offline communication campaigns, utilizing technology, together with a deep understanding of the community, to produce compelling content that effectively pushes back against polarizing, inflammatory and radicalizing discourse.

RVI organizes gatherings in Zagreb, Vienna and Berlin at the beginning of June 2019 (hereinafter: meet-ups). The goal of these meetings is to foster creativity and challenge us to think outside the box; to propose exciting ideas that have never been considered possible and to reimagine the existing public discourse towards topics at the intersection of identity, migration, democracy, human rights, radicalization and violent extremism. During the meeting, we want to discuss your ideas that have a strong potential to be implemented as online (and offline) campaigns, exploring different platforms (social media, blogs and other networking platforms) and formats (photo, video, performance, written content and many others), as well as offline activities which can generate online content and produce impact.

After the meetups, interested participants will have the opportunity to join the RVI. They will receive mentoring, technical and creative support from our team to turn the ideas discussed in the meetups into reality. The interested participants in RVI will co-produce creative content addressing issues at the intersection of identity, migration, democracy, human rights, radicalization and violent extremism, as they play out in the Western Balkan diaspora communities.

More information on RVI: https://resonantvoices.info/

2 – DATA SUBJECT CATEGORIES AND CATEGORIES OF PERSONAL DATA SUBJECTS

Data Controller is collecting and processing the personal data of the potential participants of meet-ups (hereinafter: data subjects).

Data Controller collects and processes the following personal data from the data subjects:

  • name and surname;
  • contact data (e-mail and phone);
  • affiliation;
  • data related to the motivation for the meet-up participation and link to current activities performed by the data subjects (Why is the data subject interested in challenging extremist narratives? How is this related to his/her current activities?);
  • opinion concerning the focus of the RVI in local communities (What does the data subject think the RVI campaign should focus on in his/her local community?);
  • other personal data that the data subject shares with Data Controller.

Hereinafter together referred to as “personal data”.

3 – MANNER OF THE PERSONAL DATA COLLECTION AND THE PROCESSING ACTIVITIES

The Data Controller collects the personal data through the online registration form for a specific event. An example of the form can be found at: https://resonantvoices.info/meetup_zagreb/.

The registration form is created using the Google Form service provided by Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. For more information on the usage of the Google Form service, visit: https://www.google.com/forms/about/.

The Data Controller is performing the following processing activities:

  • collection;
  • recording;
  • structuring;
  • storage in electronic databases;
  • adaptation or alteration;
  • use;
  • erasure;
  • other processing activities which are necessary for the purpose defined by this Privacy Notice.

4 – PURPOSE OF THE PERSONAL DATA PROCESSING

Data Controller collects and processes the personal data for the purpose of the selection of data subjects for participation in the meet-ups.

5 – LEGAL BASIS

Data Controller collects and processes the personal data based on the informed consent given by the data subject, with prior notification on all relevant aspects of the personal data processing (as described in this notice), all pursuant to Article 12 Paragraph 1 Point 1) and Article 15 of the LPDP, i.e. Article 6.1 (a) and Article 7 of GDPR.

The consent is freely given, specific, informed and unambiguous, and can be withdrawn at any time, which leads to the cessation of any further processing activity but does not affect the processing performed before the withdrawal.

The withdrawal of the consent before completion of the selection process means that the data subject will no longer be considered a candidate for the meet-ups. In such case, the data subject is obliged to reimburse the justified costs and damages that Data Controller suffers due to unjustified and untimely withdrawal.

6 – ENTITIES THAT HAVE ACCESS TO THE PERSONAL DATA

The Data Controller implements the RVI with its partners, which is also related to the data subject’s selection process.

Therefore, access to the data is granted to the following partners:

  • UDRUZENJE BALKANSKA ISTRAZIVACKA REGIONALNA MREZA U BOSNI i HERCEGOVINI (BIRN Hub), with registered seat at UL BRANILACA SARAJEVA 14/2, SARAJEVO 71000, BOSNIA AND HERZEGOVINA;
  • Commission for International Justice and Accountability (CIJA), with registered seat at LAAN VAN MEERDERVOORT 70, DEN HAAG 2517 AG;
  • Partners engaged for the purposes of the realization of the meet-ups.

Hereinafter together referred to as: Partners.

Partners perform the personal data processing on behalf of Data Controller. The processing activities performed by the Partners are related to the access to the personal data for the selection process purposes pursuant to Point 4 of this Agreement.

Besides Partners, the following categories of subjects might have access to personal data:

  • Companies that make the software for the personal data processing;
  • Companies that maintain the ICT systems of Data Controller;
  • Hosting Companies;
  • Other companies that fall under the category of Data Processor, Data Recipient or Data User, pursuant to the applicable laws and regulations.

The above-mentioned subjects are obliged to implement the data protection standards and requirements, all pursuant to the LPDP and GDPR, as well as pursuant to other applicable legislation.

The Data Processor remains responsible for any data processing activities performed by Partners and other entities.

7 – DATA SUBJECT’S RIGHTS

The data subject is entitled to the following rights:

  • Right to be informed about the personal data that is processed (Article 23 of the LPDP and Article 13 of GDPR);
  • Right of access to the personal data processed: the right of the data subject to request the Data Controller to provide information on whether his/her personal data are being processed and what the processing purpose is. In case of such a request, Data Controller is obliged to deliver a copy of the personal data which is processed, in electronic form and free of charge (Article 26 of the LPDP and Article 15 of GDPR);
  • Right to rectification: the right of the data subject to obtain the rectification of his/her inaccurate personal data without undue delay (Article 29 of the LPDP and Article 16 of GDPR);
  • Right to erasure (Right to be forgotten): the right of the data subject to request the erasure of the personal data if the conditions from Article 30 of the LPDP, i.e. Article 17 of GDPR, are fulfilled;
  • Right to restriction of processing: the right of the data subject to request the restriction of processing, if the conditions from Article 31 of the LPDP, i.e. Article 18 of GDPR, are fulfilled;
  • Right to data portability: the right of the data subject to receive his/her personal data in a structured, commonly used and machine-readable format, as well as the right to transfer such data to another Data Controller (Article 36 of the LPDP and Article 19 of GDPR);
  • Right to object: the right of the data subject to object at any time to the processing of his/her personal data, pursuant to Article 37 of the LPDP, i.e. Article 21 of GDPR;
  • Rights in relation to automated individual decision-making, including profiling, pursuant to Article 38 of the LPDP, i.e. Article 22 of GDPR;
  • Right to be informed in case of a data breach pursuant to the conditions set in Article 53 of the LPDP, i.e. Article 34 of GDPR;
  • Right to address the data protection authority;
  • Other rights prescribed by the LPDP, GDPR, and/or any applicable law.

Contact details of the Serbian Data Protection Authority (DPA):

Commissioner for Information of Public Importance and Personal Data Protection

Bulevar Kralja Aleksandra 11120, Belgrade, Serbia

office@poverenik.rs

The Data Controller will provide the data subject with all relevant information concerning the manner and conditions for exercising their rights pursuant to the applicable legislation.

8 – PERSONAL DATA PROTECTION MEASURES

Within its business organization, Data Controller is trying to comply with the highest industry standards of personal data protection, and therefore it implements all the necessary organizational, technical and personnel measures in order to ensure that the personal data is protected from accidental, unlawful, or unauthorized destruction, loss, alteration, access, publication, or usage, including but not limited to the following measures: technical protection measures; control of the physical access to the systems where the personal data are stored; control of the access to the data; control of the data transfer; control of the personal data entry; other information security measures; all other measures necessary to ensure the adequate level of data protection.

The third parties that have access to or in another manner process the personal data, including the Partners, are also obliged to comply with all the above-mentioned measures.

9 – STORAGE TIME

Data Controller processes the personal data exclusively for the purposes of the meet-ups selection process, and therefore the data is erased after the selection process is finished.

The erasure or anonymization is performed within 5 working days from the day of the conclusion of the selection process. In case of the consent withdrawal before the completion of the selection process, the data is deleted or anonymized within 10 days following the withdrawal of the consent.

The processing of the personal data of the selected candidates is performed during the RVI. After the conclusion of RVI, the personal data of participants could be kept only if such data subject gives new consent for the data processing. Otherwise, the personal data shall also be deleted or anonymized.

10 – CROSS-BORDER TRANSFER OF PERSONAL DATA

Some of the Partners will have their seat in member countries of the European Union (for example Croatia and Germany). The cross-border transfer to these countries is free pursuant to Article 64 Paragraph 2 of the LPDP. Such partners are also obliged to apply the same personal data protection standards as Data Controller.

11 – COOKIES

Data Controller uses Cookies. Cookies are data stored on the personal computer (or other device) that belongs to the user, which enable the tracking and analysis of the user's behavior on the internet. Since the personal data is gathered through the online form on Data Controller's web page, the cookie policy is also relevant for the data subjects.

Cookies usually don’t reveal the user’s identity. In case a Cookie reveals the user’s identity, it will be treated as any other personal data, and therefore all the points of this Notice that regulate the personal data processing shall be applicable accordingly.

The laws of the Republic of Serbia enable the usage of Cookies, under the condition that the user is clearly and completely notified about the purpose of the Cookies collection and processing, and that the user has had an opportunity to refuse such processing.

The removal of Cookies is possible by changing the settings in your Internet Browser (Internet Explorer, Firefox, Chrome, Opera etc.). Stored Cookies could be removed, but depending on the type of cookie, such removal could reduce the functionality of the Web Page.

12 – TYPES OF COOKIES

Data Controller is using the following types of Cookies:

  • Necessary Cookies, which are essential for the proper operation of the Web Page; removal of this type of Cookie disables the usage of the web page or certain parts of it;
  • Functional Cookies, which enable Data Controller to achieve better functionality of the Web Page and of the personalized information which it sends to the user. Such Cookies could be placed by Data Controller or by third parties and could be removed in the manner prescribed above. Removal of this type of Cookie could prevent the Web Page from functioning properly;
  • Performance Cookies, which enable the Data Controller to obtain information on the users (Web Page visitors) and the manner of the Web Page usage, for example the number of visits, information concerning the visit of a particular Web Page etc. Such information doesn’t reveal the identity of the user, and it helps the Data Controller to improve the user’s web page visit experience;
  • Marketing Cookies, which are placed by Data Controller or advertisers and could be used for the purposes of targeted marketing; they don’t reveal the identity of the user, but they identify the web browser and device used for Internet access (such as PC, tablet, smart phone etc.).

Data Controller’s Web Page uses the Google Analytics services (provided by Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA), which are also based on the Cookie technology, and which are stored in the visitor’s device, all in order to perform the qualitative analyses of the Web Page itself. More information in the Google Privacy Policy, available at goo.gl/f1oVC8.

* Important Notice: Until the Serbian DPA adopts the standard contractual clauses, the Data Controller shall use the standard contractual clauses prescribed by the European Commission in accordance with the examination procedure referred to in Article 93(2) of the GDPR.
** The content of the Resonant Voices Campaigns call represents the views of the author only and is the author’s sole responsibility. The European Commission does not accept any responsibility for use that may be made of the information it contains.