Privacy Policy

Source: Wikimedia
Note: The Wikimedia Serbia Board approved this Policy on December 8, 2019.

According to Article 3 paragraph 3 of the Law of personal data protection of the Republic of Serbia, the Law of personal data protection applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Republic of Serbia, regardless of whether the processing takes place in the Republic of Serbia or not.

Article 3 paragraph 4 of the Law of personal data protection of the Republic of Serbia determines that the Law of personal data protection applies to the processing of personal data of data subjects who have residence or are domiciled in the Republic of Serbia by a controller or processor not established in the Republic of Serbia, where the processing activities are related to:

- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Republic of Serbia; or
- the monitoring of their behavior as far as their behavior takes place within the Republic of Serbia.

While the above-mentioned paragraphs explain the territorial and material scope of the data protection law in the Republic of Serbia, and therefore the application of the Wikimedia Serbia Privacy Policy, we are providing the English version of the Wikimedia Serbia policy to inform the wider public, which may include but is not limited to users of our information society service such as the Wikimedia Serbia website, international partners and guests, associates and others who may get in touch with Wikimedia Serbia through Wikimedia Serbia international connections, about how Wikimedia Serbia processes personal data, even if this Privacy Policy does not apply in your case.

Please be aware that Wikimedia Serbia is a non-governmental organization registered in the Republic of Serbia, under the laws of the Republic of Serbia, and that therefore Wikimedia Serbia is obliged to adopt legally binding documents only in the Serbian language, or in other official languages (which do not include English), so that the only legally binding Privacy Policy of Wikimedia Serbia is the Privacy Policy written in Serbian and available on the following link.

According to the provisions of the Article 9 of the Statute of Wikimedia Serbia, which was adopted and entered into force on 11.02.2018, the Assembly of Wikimedia Serbia adopts the following:

PRIVACY POLICY
PREAMBLE

This Privacy policy governs the protection of natural persons with regard to the processing of personal data, the purpose of processing, the application of the Privacy policy, the meaning of terms also known as definition of the used terms, the principles of processing, the consent to processing, the conditions for giving consent, the rules on the use of “HTTP cookies – Cookies”, rights of data subjects, controller’s obligations and responsibilities of a controller, obligations and responsibilities of processors, cooperation with public authorities, internal procedure for the protection of the data subject rights, transfer of personal data, transfer and disclosure of personal data by decision of public authorities, remedies and amending the Privacy policy.

This Privacy policy has been adopted in accordance with the Law of personal data protection (hereinafter: the Law) ("Official Gazette of RS", No. 87/2018) and may be amended in accordance with the bylaws to be adopted to comply with the Law, as well as with the provisions of other laws relating to the processing of personal data, which will be harmonized with the provisions of the Law by the end of 2020 in accordance with the provisions of Article 99 and Article 100 of the Law.

The natural person who enters into a legal relationship with Wikimedia Serbia is obliged to inform herself/himself/itself about amendments to this Privacy policy. Amendments to this Privacy policy shall be made available on the Wikimedia Serbia official website.

This is the latest version of the Privacy Policy from December 8, 2019. Should the Privacy policy be amended in accordance to the paragraph 2 of the Preamble, the date of the latest and enforceable Privacy policy shall be published in the Preamble to the Privacy policy.

Section I

Protection of a natural person in regard to the processing of personal data

Article 1

This Privacy policy governs the application of the Privacy policy, the meaning of the terms used, the principles of processing, the lawfulness of processing, the consent to the processing, the conditions for giving consent, the rules on the use of “http cookies”, the rights of the data subject, the controller’s obligations, the obligations of the processor, cooperation with public authorities, internal procedure for the protection of the data subject rights, data transfer, transfer and disclosure of personal data based on a decision of public authorities, procedure for the exercise of the rights of the data subjects and amending the Privacy policy. All of the above mentioned shall be in accordance with the protection of the rights of the data subjects.

Section II

Subject matter and Objectives

Article 2

This Policy has been adopted in order to protect the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.

All legal actions and legal relations arising in connection with personal data shall comply with the provisions of this Privacy policy.

Section III

Material Scope of the Privacy policy

Article 3

This Privacy policy applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

The manner of the processing of personal data by Wikimedia Serbia shall be determined in advance, and the data subject shall be informed accordingly, in accordance with the principle of transparency.

Article 4

This Privacy policy shall apply to the processing of personal data of the data subject who is domiciled or has residence in the territory of the Republic of Serbia and is identified in a clear and unambiguous way by a personal name or identification number or by other means enabling unambiguous identification of the natural person.

The data subject is obliged to conscientiously, lawfully and responsibly use every means to identify herself/himself/itself and shall be held responsible for damages and crimes or other statutory liabilities if she/he/it uses a third party identification or presents herself/himself/itself as a third party for the purpose of exercising the rights protected by this Privacy policy and the Law.

In order to exercise the rights stipulated in this Privacy policy, the data subject is obliged to identify herself/himself/itself according to the provision of paragraph 1 of this Article; otherwise the controller is not obliged to retain, obtain or process additional information for the purpose of identifying the data subject for the purpose of the application of this Privacy policy.

In the case referred to in paragraph 1 of this Article, and if the controller is able to demonstrate that it is not able to identify the data subject, the controller shall inform the data subject accordingly, if possible.

Section IV

Definitions

Article 5

Terms in this Privacy policy shall have the following meaning:

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. ‘data subject’ is a natural person whose data is being processed;
  3. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  4. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
  5. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
  6. ‘pseudonymization’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  7. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
  8. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by The Law;
  9. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  10. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with applicable laws of the Republic of Serbia shall not be regarded as recipients; the processing of those personal data by abovementioned public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  11. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who are under the direct control of the controller or processor, who are not authorized to process personal data;
  12. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which she/he/it, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  13. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  14. ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
  15. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data;
  16. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
  17. ‘main establishment’ is a real or legal person which is registered to trade regardless of the legal form, which includes but is not limited to limited-liability partnership, limited partnership, solo partnership, solo proprietorship;
  18. ‘Association or Citizens Association’ is a voluntary and non-governmental non-profit organization based on the freedom of association of one or many natural or legal persons, established for the purpose of pursuing and promoting a certain common or general purpose, interest and/or goal, which are not prohibited by the Constitution or the laws of the Republic of Serbia;
  19. ‘The commissioner for Information of Public Importance and Personal Data Protection (Hereinafter: The Commissioner)’ means supervisory authority established by the Law as an independent public authority aimed to control, supervise and consult on the application of the data protection laws in the Republic of Serbia;
  20. ‘information society service’ means any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services;
  21. ‘Public authority’ means public authority with the national, regional, state or local jurisdiction as well as governmental agency, board, bureau, public corporation, instrumentality or regulatory body with public authorities established by the applicable laws in the Republic of Serbia;
  22. ‘User’ is any natural or legal person accessing a service via a specific IP address or a person whose personal information is processed through information society;
  23. ‘Service’ means any text, image, video, comment, visual material, combination of text, video, image, name, contact information or personal information that may be available through the information society services;
  24. ‘Website, Blog, Information Service Provider, Service Provider, ISP (Information Service Provider, Information Society Service Provider, Online Service Provider or Intermediary)’ means certain and fixed content that may be subject to copyright or related rights, emanation of spirit, a newspaper article that may be composed of other content edited by users of the service provider or available through the use of a service that may express freedom of thought, journalistic expression or the views of the author, which is determined by the editorial policy of the service provider or is due to the technical characteristics of the service;
  25. ‘Communication for advertising and commercial purposes’ means any form of communication designed to promote, directly or indirectly, certain goods or services, services, companies, organizations or individuals engaged in certain economic or other registered activities within their legal and personal capacity;
  26. ‘Technology measures’ means any technology, device or part of a device normally used to prevent or disable activities that could endanger service and users. This term may also be used in a negative way when it describes a technology, device, or part of a device used to endanger or destroy all or part of the contents of a service or technical feature of a network, device, computer, or computer data that is used contrary to the applicable laws and/or nature of the service;
  27. ‘Applicable Rules’ - the rules of the Wikimedia Serbia and this Privacy policy (Hereinafter: the rules), as well as any other rules to which the rules refer to for the purposes of using all or part of this service or any other rules according to the processing of personal data;
  28. ‘Making it available’ means any action that makes the content available to recipients, third parties, the general public or public authority;
  29. ‘Security measures’ means any process or measure that is part of a service and that is designed to protect users and the content of the service, which by nature may be different technological solutions that protect, safeguard and prevent unlawful use of the service or content, as well as to prevent unlawful access, use, alteration, destruction, publication of content contrary to its purpose, which may result in a data breach or a breach of confidentiality, or endanger legal protection or purpose of the content;
  30. ‘Legal capacity’ means the ability of the natural or legal person to lawfully express its will and rights in accordance with the laws of the Republic of Serbia;
  31. ‘The owner’ means Wikimedia Serbia, company registration number: 17672126, VAT number: 104765157, email: privatnost@vikimedija.org.
  32. ‘Competent authority’ means:
    a) authorities responsible for preventing, investigating and detecting criminal offenses, as well as prosecuting or committing criminal offenses, including the protection and prevention of threats to public and national security;
    b) a legal entity authorized to perform the tasks by law, referred to in the sub-item a) of this item.

Section V

Principles relating to processing of personal data

Article 6

The owner, when processing personal data as a data controller or a data processor, shall apply the following principles relating to processing of personal data:

  1. ‘lawfulness, fairness and transparency’ means personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Lawful processing shall be processing according to the data protection laws of the Republic of Serbia;
  2. ‘purpose limitation’ means personal data shall be processed for specified, explicit and legitimate purposes and shall not further be processed in any other way;
  3. ‘data minimization’ means personal data shall be adequate, relevant and limited to what is necessary according to the purposes for which they are being processed;
  4. ‘accuracy’ means personal data shall be accurate and, where necessary, kept up to date; every reasonable action shall be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are being processed, are erased or rectified without delay;
  5. ‘storage limitation’ means personal data shall be kept in a form which enables identification of data subjects for no longer than is necessary for the purposes for which the personal data are being processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the Data Protection Law, subject to implementation of the appropriate technical and organizational measures required by this Privacy policy or the Law in order to safeguard the rights and freedoms of the data subject;
  6. ‘integrity and confidentiality’ means personal data shall be processed in a way that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and in a way that prevents accidental loss, destruction or damage, using appropriate technical or organizational measures.

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 of this Article.

Section VI

Lawfulness of processing, consent for processing and conditions for giving the consent

Article 7

Lawfulness of processing

Wikimedia Serbia shall process personal data according to the rules laid down in this Privacy policy.

Processing shall be lawful if necessary for the performance of a contract to which the data subject is a party or in order to take actions at the request of the data subject prior to entering into a contract or is necessary for compliance with a legal obligation to which the controller is subject or is necessary in order to protect the fundamental rights of the data subject or of another natural person or is necessary for the performance of a task carried out in the public interest or in the exercise of official authorities vested in the controller or is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a minor.

Processing performed in accordance with the provisions of paragraph 2 of this Article shall be performed in accordance with the provisions of Article 12 of the Law.

Article 8

Consent for processing

Consent for processing may be given in the form of a written statement or electronic document in such a way that the user can be unambiguously identified in accordance with the provisions of Article 4 of this Privacy policy.

If the data subject’s consent is given as part of a written statement which also concerns other matters, the request for consent shall be presented in a clearly distinguishable form which is user-friendly and easily accessible, using clear and plain language.

Article 9

Withdrawal of the consent

The data subject shall have the right to withdraw the consent at any time.

The withdrawal of the consent shall not affect the lawfulness of processing based on consent given prior to the withdrawal.

Article 10

Conditions for giving the consent

The processing of the personal data of a minor shall be lawful where a minor is at least 15 years old and giving the consent for the purpose of using the information society service.

When the minor is younger than 15 years old, or when the data subject has the same legal status as a minor below 15 years old, the processing determined in paragraph 1 of this Article shall be lawful only if, and to the extent that, the consent is given or authorized by the guardian or the parent responsible for the minor.

A user younger than 16 years old shall not use the information society service provided by the owner.

A user younger than 18 years old whose personal data is being processed shall be obliged, prior to engaging with Wikimedia Serbia, to present the authorized consent of her/his/its parent or guardian; otherwise Wikimedia Serbia retains the right to decline a request for the processing of personal data of the data subject who fails to meet the conditions set in this paragraph.

Section VII

Cookie policy

Article 11

Usage of HTTP cookies

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server.

Wikimedia Serbia may use cookies to save the user's session and to carry out other activities that are strictly necessary for the operation of Wikimedia Serbia’s service, for example in relation to the distribution of traffic.

Cookies help us keep track of how many times you view an ad we distribute or which articles on the service are more popular. Likewise, cookies can help us improve Wikimedia Serbia’s service content and features based on the user’s actual usage of the service – thus enhancing your online Web viewing experience.

By accepting the cookies, you are giving consent to Wikimedia Serbia to use and process information relating to you, in particular all information collected by Wikimedia Serbia’s service cookies.

If you refuse a cookie, you can still use Wikimedia Serbia’s service but your experience may differ from those individuals using cookies.

If you want to disable or to delete cookies on your computer, you could follow the following instructions for the most used web browsers:

Explanation on how to delete or enable cookies: https://www.aboutcookies.org/how-to-delete-cookies/

Depending on your browser, you can disable cookies following these steps:

Internet Explorer: https://support.microsoft.com/help/17442/windows-internet-explorer-delete-manage-cookies

Google Chrome: https://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95647

Mozilla Firefox: https://support.mozilla.com/en-US/kb/Cookies

Safari: https://support.apple.com/kb/PH5042

Opera: https://help.opera.com/en/latest/security-and-privacy/

Adobe (flash cookies): https://www.adobe.com/privacy/policies/flash-player.html

Wikimedia Serbia may use cookies in order to provide services or information society service. Cookies are used to optimize the use of the service or information society service according to the preferences of the user of a certain IP address. Cookies may be used in order to determine how a certain commercial service or other service is being offered, or in order to determine the visibility of certain web pages or services. These data are used in order to improve the service or information society service offered by Wikimedia Serbia.

When you access a service or information society service of Wikimedia Serbia, you are giving consent for the processing of the above-mentioned data, except in the case determined according to the provision of paragraph 3 of this Article. For the processing of this kind of data it is not necessary to obtain the consent of the user, due to the technical difficulties that prevent the provider from identifying the user in an unambiguous way.

If the user is able to identify herself/himself/itself in an unambiguous way according to Article 4 and Article 20 of the Privacy policy, she/he/it may exercise the rights guaranteed in this Privacy policy.

Section VIII

Rights of the data subject

Article 12

When Wikimedia Serbia processes personal data as a controller or processor, the data subject has the right to be informed about the way personal data is being processed as well as how to access the personal data, the right to rectification and amendment, the right to delete personal data (right to be forgotten), the right to a restriction of processing, the right to correction or deletion of data and the restriction of processing, the right of data transmission, the right to object, the right to object to automated decision making and profiling, and about the restriction of the right.

When Wikimedia Serbia processes personal data in the capacity of a controller or processor, it shall provide the data subject with assistance in exercising the right of access to personal data, the right of rectification and amendment, the right of deletion of personal data, the right to be notified regarding the correction or deletion of data and the limitation of processing, the right of data transmission, the right to object and the right to object to automated decision making and profiling.

When Wikimedia Serbia processes personal data as controller or processor, and it is not able to identify the data subject according to the provisions of Article 4 of this Privacy policy, or when it is not obliged to identify the data subject according to the provisions of Article 20 paragraph 1 of the Law, Wikimedia Serbia is not obliged to retain, obtain or process additional information for the purpose of identification of the data subject solely for the purpose of application of this Privacy policy and the Law, but it shall be obliged to inform the data subject accordingly, if possible. In that case, the provisions of Article 26 paragraph 1 to 4, Article 29, Article 30 paragraph 1 to 5, Article 31 paragraph 1 to 3, Article 33 paragraph 1 and 2 and Article 36 paragraph 1 to 4 of the Law are not applicable, unless the data subject provides additional information which enables her/his/its identification.

When Wikimedia Serbia processes personal data as controller or processor, it shall inform the data subject about the procedure for exercising the right to access personal data, the right to rectification and amendment, the right to delete personal data, the right to be informed of the correction or deletion of personal data and the restriction of processing, the right to transmit data, the right to object and the right to object to automated decision-making and profiling without delay, within 30 days from the date of receipt of the request. The above-mentioned deadline may be extended for an additional 60 days if necessary, taking into account the complexity and number of data subject requests. In case of the extension of the deadline by the additional 60 days, the controller has to inform the data subject within 30 days from the day of receipt of the request.

When the data subject has submitted a request electronically, the information shall be provided electronically if possible, unless the data subject has requested otherwise. When Wikimedia Serbia processes data as a controller and rejects the request of the data subject, the controller shall inform the data subject about its decision without delay, and not later than 30 days from the date of the receipt of the request.

The rights determined in Section VIII of this Privacy policy shall be exercised without charges unless the request of the data subject is manifestly ill-founded or excessive, and in particular if the same request is frequently repeated, in which case the necessary administrative costs shall be charged, or the request may be rejected.

If the controller reasonably doubts the identity of the data subject who is requesting the rights determined in paragraph 1 of this Article, the controller may require the data subject to provide additional information necessary to confirm the identity of the data subject. Wikimedia Serbia shall provide the rights determined in Section VIII of this Privacy policy in accordance with its role pursuant to the provisions of Article 5 of this Privacy policy.

Article 13

Information to be provided where personal data are collected from the data subject

Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

  1. The identity and the contact details of the controller and, where applicable, of the controller’s representative;
  2. The contact details of the data protection officer, where applicable;
  3. The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  4. The legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a minor;
  5. The recipients or categories of recipients of the personal data, if any;
  6. The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  7. The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  8. The existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  9. The right to lodge a complaint with The Commissioner;
  10. Whether the obligation to provide personal data is a statutory or contractual requirement, or a requirement needed to enter into a contract, as well as whether the data subject is obliged to provide the personal data and what the consequences might be if the data subject refuses to do so;
  11. The existence of automated decision-making, including profiling, and reasonable information about the methodology used for such processes, as well as the reasonable consequences of such processing for the data subject.

When the data subject is already informed about data subject rights pursuant to this Article, the data controller shall not have the obligation to provide the above-mentioned information.

Article 14

Information to be provided where personal data have not been obtained from the data subject

When personal data are not collected from the data subject, the controller is obliged to provide the data subject with the information on data subject rights determined in Article 13 of this Privacy policy within a reasonable time after the personal data are collected, but no later than 30 days, taking into account any special processing circumstances, or at the latest when establishing the first communication with the data subject, if the personal data are being used to communicate with the data subject to whom the personal data relate, or at the latest at the first disclosure of the personal data, if the personal data are being disclosed to another recipient.

When a controller intends to process personal data for a purpose different from the purpose for which the personal data had been collected, the controller is obliged, prior to such processing, to inform the data subject about the purpose of the processing, as well as to inform the data subject about all information determined in this Article.

Paragraphs 1 and 2 of this Article shall not apply where and insofar as:

  1. The data subject already has the information;
  2. Providing information would be impossible or would involve a disproportionate effort, in particular in case of processing personal data for the purpose of archiving in the public interest, for the purpose of scientific or historical research or statistical purposes, in case the requirements referred to in the article 92 paragraph 1 of the Law can be applied, or when obligation would significantly aggravate the purpose of processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making information publicly available;
  3. Obtaining or disclosure is expressly laid down by Republic of Serbia laws to which the controller is subject, and which provides appropriate measures to protect the data subject’s legitimate interests; or
  4. Where the personal data must retain confidentiality according to an obligation to protect the professional secrecy according to the laws of Republic of Serbia.

Article 15

Right of access by the data subject

The data subject shall have the right to obtain from Wikimedia Serbia confirmation as to whether or not personal data concerning him or her are being processed, and where that is the case, access to the personal data and the following information:

  1. The purposes of the processing;
  2. The categories of personal data concerned;
  3. The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  4. Where possible, the envisaged period for which the personal data will be stored, or if not possible, the criteria used to determine that period;
  5. The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. The right to lodge a complaint with a supervisory authority;
  7. Where the personal data are not collected from the data subject, any available information as to their source;
  8. The existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The request for the exercise of the rights shall be submitted by filing the request as follows: In a written form, directly to Wikimedia Serbia’s address mentioned on the organization’s website, with a note: „data protection“ or electronically by email: privatnost@vikimedija.org.

The form of a request and following documents to prove a request shall meet requirements determined in this Privacy policy.

Article 16

Right to rectification and amendment

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

The data subject shall exercise the right guaranteed by paragraph 1 of this Article in the procedure determined in this Privacy policy.

Article 17

Right to erasure (“right to be forgotten”)

The data subject has the right to obtain from Wikimedia Serbia the erasure of personal data concerning him or her without undue delay and Wikimedia Serbia has the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. The data subject withdraws consent;
  3. The data subject objects to the processing in accordance to:
     a) right to lodge the complaint against automated individual decision-making, and there is no other ground for the processing which overrides the legitimate interest, or right or freedom of the data subject to which personal data is related;
     b) right of data subject to lodge the complaint against processing for the purpose of direct advertising, including profiling, to the extent to which the processing is related to direct advertising;
  4. The personal data have been unlawfully processed;
  5. The personal data have to be erased for compliance with a legal obligation in the Republic of Serbia to which the controller is subject;
  6. Personal data have been collected in relation to information society service or in relation to the consent of the minor in accordance to information society service.

If a controller has made personal data publicly available, it shall have obligation to erase personal data in accordance to the paragraph 1 of this Article, as well as to undertake all reasonable and technically feasible measures in accordance to the appropriate technology development, with aim to inform other controllers that data subject has requested erasure of personal data and all copies of it therefore as well as all links to such personal data.

The request determined in the paragraph 1 of this Article shall be submitted by the data subject through the procedure determined in this Privacy policy.

Paragraphs 1 to 3 of this Article shall not apply to the extent that processing is necessary:

  1. For exercising the right of freedom of expression and information;
  2. For compliance with a legal obligation by a controller in accordance to the laws of the Republic of Serbia to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance to the Article 92 paragraph 1 of the Law, so far as the right referred to in paragraph 1 to 2 is likely to render impossible or seriously impair the achievement of the objectives of that processing;
  4. For the submitting, exercise or defense of legal claims.

Article 18

Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  1. The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  2. The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
  4. The data subject has objected to the automatic decision making of individual decisions, and it is ongoing to assess whether the legal basis for processing by the controller outweighs that person's interests.

Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for exercise of public interest.

A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Article 19

Right to be informed of the rectification, erasure or restriction of personal data

The controller shall inform data subject about any rectification or erasure of personal data or restriction of processing, unless this proves impossible or involves disproportionate effort.

The controller shall inform the data subject upon its request about recipients in accordance to the paragraph 1 of this Article.

Article 20

Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  1. Processing is based on the consent of the data subject to the processing of his or her personal data for one or more specific purposes, or a specific type of personal data is processed and the data subject has given explicit consent to the processing for one or more purposes, unless the law stipulates that processing is not being carried on the basis of consent or on the basis of a contract, and processing is necessary for the performance of a contract concluded with the data subject or for taking actions, at the request of the data subject, before the conclusion of the contract;
  2. The processing is carried out by automated means.

In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to request personal data to be transmitted directly from one controller to another, where technically feasible.

The exercise of the rights referred to in paragraph 1 of this Article shall not affect the exercise of the right to erasure (‘right to be forgotten’).

The right referred to in the paragraph 1 of this Article shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The right referred to in paragraph 1 shall not affect the rights and freedoms of others.

Article 21

Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims, or data subject is minor, including profiling based on that.

A controller is obliged to stop processing the personal data of the complainant data subject, unless the controller is able to prove that it has a legal basis for processing which overrides the interests, rights and freedoms of the complainant data subject, or that it has the right to continue processing for the establishment, exercise or defense of legal claims.

Where personal data are processed for direct advertising purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such advertising, which includes profiling to the extent that it is related to such direct advertising.

Where the data subject objects to processing for direct advertising purposes, the personal data shall no longer be processed for such purposes. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought by a controller to the attention of the data subject and shall be presented in a clear way and separately from any other information.

In the context of the use of information society services, the data subject may exercise her/his/its right to object to automated individual decision-making to the extent of the technical specification of such service.

Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to her/his/its particular situation, shall have the right to object to processing of personal data concerning her/him/it, unless the processing is necessary for the performance of a task carried out for public interest.

The complaint shall be submitted to the controller in the manner stipulated by this Privacy policy, in the form that the Wikimedia Serbia will provide to the interested data subject.

Article 22

Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning her/him/it or similarly significantly affects her/him/it.

Paragraph 1 shall not apply if the decision:

  1. Is necessary for entering into, or performance of a contract between the data subject and a data controller;
  2. Is based on the laws of the Republic of Serbia, which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  3. Is based on the data subject’s explicit consent.

In the cases referred to in points 1 and 3 of paragraph 2 of this Article, a controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the participation of a real person on the behalf of a controller when such processing is carried on, the right of the data subject to express an opinion on a decision based on such processing, and the right of the data subject to object to the decision based on such processing in front of the controller’s authorized personnel.

The right referred to in this Article shall be exercised in the procedure determined in this Privacy policy. The decisions referred to in paragraph 2 of this Article shall not be based on special categories of personal data, unless the data subject has given explicit consent to the processing for one or more purposes of processing, unless it is provided by the law that processing is not carried out on the basis of consent or the processing of personal data is based on the publicly available personal data which had been made publicly available by data subject and if the adequate measures are in place to protect the rights, freedoms and legitimate interests of the data subject.

Article 23

Notification of a personal data breach to a data subject

If a personal data breach can create a high risk to the rights and freedoms of real persons, the controller shall notify the data subject without undue delay.

In the notification referred to in paragraph 1 of this Article, the controller shall describe in a clear and understandable way the nature of the data breach and provide the following information:

  1. Explanation of the nature of the personal data breach;
  2. Explanation of the likely consequences of the personal data breach;
  3. Explanation of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

For the purpose of exercising the rights determined in this Article, the procedure for requesting information about a data breach has been set up in accordance with the provisions of Article 29 and CHAPTER XI of this Privacy policy, which determine the internal procedure for exercising the rights of the data subject.

Article 24

Restrictions

The following rights and obligations:

  1. Transparent information, information and procedures of exercising the rights of the data subject;
  2. Information provided when personal data are collected from persons to whom they relate;
  3. Information provided when personal data are not collected from persons to whom they relate;
  4. Right of access by the data subject to which personal data relate;
  5. Right to rectification and amendment;
  6. Right to erasure (right to be forgotten);
  7. Right to restriction of processing;
  8. Right to be informed of the rectification, erasure or restriction of personal data;
  9. Right to data portability;
  10. Right to object;
  11. Automated individual decision-making, including profiling;
  12. Notification of a personal data breach to a data subject;
  13. Principles relating to processing of personal data.

If they relate to the exercise of rights and obligations in accordance with:

  1. Transparency, information and procedures of exercising the rights of the data subject;
  2. Information provided when personal data are collected from persons to whom they relate;
  3. Information provided when personal data are not collected from persons to whom they relate;
  4. Right of access by the data subject to which personal data relate;
  5. Right to rectification and amendment;
  6. Right to erasure (right to be forgotten);
  7. Right to restriction of processing;
  8. Right to be informed of the rectification, erasure or restriction of personal data;
  9. Right to data portability;
  10. Right to object;
  11. Automated individual decision-making, including profiling;
  12. Notification of a personal data breach to a data subject;
  13. Principles relating to processing of personal data.

Might be restricted if these restrictions do not affect the fundamental rights and freedoms and if it is necessary and proportionate in order to safeguard the following:

  1. National security;
  2. Defense;
  3. Public security;
  4. The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against public security and the prevention of threats to public security;
  5. Other important objectives of general public interest of the Republic of Serbia, in particular an important economic or financial interest of the Republic of Serbia, including monetary, budgetary and taxation matters, public health and social security;
  6. The protection of judicial independence and judicial proceedings;
  7. The prevention, investigation, detection and prosecution of breaches of ethics of regulated professions;
  8. A monitoring, inspection or regulatory function in accordance, even occasionally, or constantly to the exercise of official authority in the cases referred to in points 1 to 5 and point 7 of this sub-paragraph;
  9. The protection of the data subject or the rights and freedoms of others;
  10. The enforcement of civil law claims.

In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

  1. The purposes of the processing or categories of processing;
  2. The categories of personal data;
  3. The scope of the restrictions introduced;
  4. The safeguards to prevent abuse or unlawful access or transfer;
  5. The specification of the controller or categories of controllers;
  6. The storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
  7. The risks to the rights and freedoms of data subjects;
  8. The right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

The controller is not obliged to notify the real person referred to in Article 23 of this Privacy policy if:

  1. Appropriate technical, organizational and personnel protection measures have been undertaken with respect to personal data whose security has been compromised, especially if cryptographic protection or other measures have made the data unintelligible to all persons who are not authorized to access this data;
  2. Measures have been undertaken to ensure that the personal data breach posing a high risk to the rights and freedoms of the data subject can no longer produce consequences for the data subject;
  3. Informing data subjects would be a disproportionate waste of time and resources. In such a case, the controller is obliged to publicly announce the measures undertaken or otherwise inform the data subject.

The provisions of Section V to IX, Section XII and Article 32, paragraphs 2 and 3 of this Privacy policy, shall not apply to processing carried out for the purpose of journalistic research and publication of information in the media, as well as for the purposes of scientific, artistic or literary expression, if in the particular case these restrictions are necessary in order to protect freedom of expression and information.

Section IX

Responsibility of the controller

Article 25

Responsibility of the controller

When Wikimedia Serbia is in the role of the controller, it will implement the appropriate technical, organizational and personnel measures to ensure that the processing is carried out in accordance with the Law and this Privacy policy, by making this Privacy policy available to the user, while taking into account nature, the extent, circumstances and purpose of the processing, as well as the likelihood of risk occurrence and the level of risk to the rights and freedoms of natural persons.

Article 26

Protection measures

When the Wikimedia Serbia acts in the role of the controller, it will ensure that without the participation of a real person, personal data cannot be made available to the public.

For the purpose of exercising of the rights of data subject, Wikimedia Serbia, when acting in the role of the controller, shall make available a special channel of communication to protect the rights of data subject.

Any data subject who submits a claim for exercising rights pursuant to this Privacy policy and the Law may file the claim by sending an email to the following e-mail address: privatnost@vikimedija.org.

Article 27

Guarantees

When processing is carried out on behalf of the controller, the controller will designate as the processor only the real or natural person or authority that fully guarantees the application of the rules determined in this Privacy policy and in the Law, in order to ensure that the processing of personal data is carried out in accordance with the provisions of the Law and that the protection of the rights of data subjects is provided as determined herein.

If the Commissioner adopts standard contractual clauses relating to the obligations of the controller referred to in paragraph 1 of this Article, especially taking into account the European practice in the standard contractual clauses, Wikimedia Serbia shall apply such contractual clauses in relation to the processor and may amend this Privacy policy accordingly.

Wikimedia Serbia shall ensure that the processor or other person authorized by the controller or processor to access personal data cannot process that data without the controller's authorization, unless such processing is required by law.

Section X

Cooperation with public authorities

Article 28

Cooperation with the supervisory authority

In order to exercise the rights determined in this Privacy policy and the Law, the controller, processor and their representatives, if determined, will cooperate with the Commissioner in the exercise of its authorities in order to protect rights and freedoms of data subjects.

Section XI

Internal procedure for exercising the rights of data subjects

Article 29

When Wikimedia Serbia acts in the role of controller or processor and when it is subject to the provisions of this Privacy policy and the Law, in order to exercise the rights of the persons whose rights are being protected in this Privacy policy and the Law, all requests shall be filed by instituting proceedings before the issuer of this Privacy policy in the following way:

In a written form, directly to Wikimedia Serbia’s address mentioned on the organization’s website, with a note: „data protection“ or electronically by email: privatnost@vikimedija.org.

Section XII

Transfers of personal data to third countries or international organizations

Article 30

When Wikimedia Serbia is acting in the role of controller or processor and when transferring personal data for further processing to another country or international organization, it shall inform the data subject thereof.

The data subject shall be informed about the obligations of a controller and processors, as well as the rights of the data subject when personal data are being transferred for further processing to another country or international organization, all in accordance with the provisions of Title V of the Law, which determines data transfer rules about transfers of personal data to third countries or international organizations.

Article 31

Guarantee in the case of transfer of data to another country or international organization

Wikimedia Serbia shall provide appropriate safeguards, as well as the application of the rules determined in this Privacy policy and the Law and the exercise of the rights of data subjects when, in the role of controller or processor, it transfers personal data to another country, or to part of its territory or to one or more sectors of specified activities in that country or an international organization for which a list of countries, parts of their territories or one or more sectors of certain activities in those countries and international organizations where it is considered that an adequate level of protection is provided. When the Government determines that no adequate level of protection has been provided in another State or international organization, Wikimedia Serbia shall in that case ensure by contractual clauses compliance with the rules determined in this Privacy policy and the Law.

Section XIII

Transmission and disclosure of personal data based on a decision of public authorities

Article 32

If Wikimedia Serbia transmits personal data to public authorities for the purpose of exercising of the rights of data subjects for which the personal data have been collected, the processing of personal data by competent authorities for specific purposes will be lawful only if such processing is necessary for the performance of the authorities of the competent authorities and if it is determined by law. Such law shall determine at least the purposes of processing, the categories of personal data which are being processed and the purposes of processing, in accordance with Articles 13 and 100 of the Law.

For the processing of the unique master citizen number the provisions of the law governing the unique master citizen number, or another law, shall apply, together with the provisions of this Privacy policy and the Law relating to the protection of the rights and freedoms of the data subjects.

When processing is being carried out in the field of labor and employment the provisions of the laws governing labor and employment and collective agreements, together with the provisions of the law and this Privacy policy, shall apply to such processing.

Section XIV

Remedies

Article 33

Right to lodge a complaint with a supervisory authority

The data subject has the right to complain to the Commissioner if the data subject considers that the processing of her/his/its personal data has been performed contrary to the provisions of the Law. In order to simplify the submission of a complaint, the Commissioner shall determine a complaint form which may be submitted electronically, which doesn’t exclude other ways of submitting a complaint. Wikimedia Serbia shall provide the complaint form to data subjects.

The Commissioner is obliged to inform the complainant about the course of the proceedings he is conducting, the results of the proceedings, as well as the right of the complainant to initiate court proceedings in order to protect real person rights.

Article 34

Judicial protection

The data subject is entitled to judicial protection if the data subject believes that, contrary to the Law, the right stipulated by the Law has been violated by the controller or processor by the processing of the data subject's personal data.

A person who has suffered material or non-pecuniary damage as a result of a violation of the provisions of the Law is entitled to financial compensation of these damages from the controller or processor who caused the damage.

Section XV

Amendments to the Privacy policy

Article 35

Wikimedia Serbia reserves the right to amend the Privacy policy in accordance to the opinion of the Commissioner and in accordance with the provisions of Article 100 of the Law, which stipulates that the provisions of other laws relating to the processing of personal data will be harmonized with the provisions of the Law by the end of 2020.