Privacy Policy
Introduction
This Privacy Policy governs all key personal data processing issues pursuant to the Serbian Personal Data Protection Law (Official Gazette of the Republic of Serbia No. 87/2018, ‘PDPL’).
Lotse is the entity formally responsible for applying the PDPL and this Privacy Policy.
Lotse provides business development and organisational support services, primarily advising companies in strategy, business transformations, improving human resources management and organisational culture, developing leadership, and identifying and nurturing talent. So that we are able to provide those services, our partners can ask to assess staff they select or investigate the performance of their organisation in areas we provide advice in.
Even though Lotse is in some cases the ‘controller’ for purposes of data processing, given the nature of our services, our role is more commonly that of ‘processor’. As such, this Privacy Policy seeks to govern our relationship with our business partners with regard to personal data processing and to inform our partners and ‘data subjects’ about how their data is processed.
Definitions
For the purposes of this Privacy Policy:
'Controller' is the person which determines the purposes and means of the processing of personal data. This will generally be a business partner of Lotse that has requested us to provide a particular service that entails personal data processing;
'Processor' is the person which processes personal data on behalf of the controller. Given the nature of our services, Lotse will commonly be the processor;
'Data Subject' is a staff member or person otherwise employed by the controller whose data is processed;
'Assesment' is, with regard to human resources management, the assessment of the capabilities, knowledge, potentials, or performance of staff. This assessment may be done for a variety of purposes, from selection to continuing professional development and training, to succession and advancement planning. Assessment may also mean the assessment of the overall state of an entire organisation or a part of such organisation;
'Instructions' are the written instructions issued by the controller to Lotse in connection with personal data pursuant to Article 45(4)1) of the PDPL. Lotse will process personal data only on behalf of the controller and based on the instructions.
Types of Data Processed
Even though Lotse is in some cases the controller, our role is more commonly that of processor. We process two types of data:
1) Our business partners can share the personal data of their staff with us for purposes of business development and organisational assessments.
Personal data is processed pursuant to contracts we enter into with our business partners. Here, our business partners are the controllers, since they determine the types of personal data we will process and the purpose and means of such processing, whereas Lotse is the processor, because we process data on behalf of the controller and as set out in the controller’s instructions. This personal data generally comprises:
• first and last name;
• educational attainment / qualification level and sub-level;
• ability to perform particular work (skills, knowledge, and abilities; knowledge of foreign languages; previous training; professional experience; driving licence);
• current job title and description;
• place of work;
• business e-mail address;
• mobile phone number; and
• if required and instructed by the controller, other data necessary for us to provide services.
Once an assessment is complete, we present our business partner with a complete report about a particular staff member, as requested in their instructions. The staff members whose data we process will have previously been notified by their employer about the purpose of this processing and the type of data being processed, as well as made aware that the results of this processing will be communicated to their employer.
2) Photographs and/or video recordings of participants in training organised by Lotse
We may organise a variety of corporate events to network with our business partners and provide our services, as well as offer training to our business partners. During these events, we may have photographs taken and/or video recorded of participants or activities organised for our business partners.
Whenever photographs are taken and/or video is recorded, we will ask participants in advance whether they consent to having their photographs taken or video recorded and for those photographs and/or video recordings to be used.
Throughout this Privacy Policy, paragraphs marked 1) refer to personal data described under Item 1) of this Section, whereas paragraphs marked 2) refer to personal data described under Item 2) of this Section.
How We Collect Data
Our business partners may ask us to produce assessments for individual staff members, broader teams in their organisations, or their organisations as a whole. Our business partners share data under 1) above in writing by e-mail.
Data under 2) above is collected by us or by people we engage to collect such data.
Purposes of Processing
1) Our business partners, as controllers, are exclusively responsible for determining the purpose of the processing of the personal data of their staff for assessment. The purposes of the processing of such data may be:
• assessing staff potential;
• producing personal growth plans;
• producing career path proposals;
• any other purpose for which the controller has requested processing and obtained the necessary consent or for which other legal grounds exist.
2) The purpose of the processing of photographs and/or video recordings referred to under Item 2) of the Types of data processed section above is the promotion of our work and services. These photographs and/or video recordings can be used on our website, on social media such as LinkedIn, and in corporate presentations used to advertise our services to prospective clients, with the goal of presenting Lotse, raising awareness of corporate events and parties we may organise, and the like.
Legal Grounds for Processing
1) Contracts we sign with controllers constitute grounds for the processing of personal data for the purpose of our assessments.
We will always enter into contracts with controllers in writing, which may include contracts in electronic form, that govern the scope and duration of data processing, nature and purpose of data processing, type of personal data processed, technical and organisational measures, and the rights and obligations of both the controller and Lotse.
The controller is required to provide instructions and guidance to Lotse, which Lotse is required to adhere to except where Lotse believes this infringes on the PDPL.
2) Consent from natural persons constitutes grounds for processing personal data in photographs and/or video recordings.
Whenever an event is organised by Lotse, we will always advise all participants and guests if photography and/or video recording is planned and seek their consent for their photographs to be taken and/or video recordings of them and used for the designated purposes. Anyone may give consent by signing a consent form or withhold consent. If we do not receive consent from someone, we will endeavour not to take photographs and/or make video recordings of that person, or, if that person appears in a group photograph and/or recording, such materials will either not be used for the purposes outlined above or the face of the person that withheld consent will be appropriately concealed.
Sharing Data With Third Parties
Access to data we process will be limited to Lotse employees who require such access for the purposes for which the data is processed and any other instructions we may receive from controllers. We will advise our employees of the requirement to protect personal data they process. This protection and non-disclosure requirement will remain in force even after an employee leaves Lotse.
In some cases, we may share the data we process with other processors (‘subprocessors’). Where this necessary, we will always enter into contracts with these subprocessors that include personal data protection clauses and require them to appropriately process and protect the data during their processing and appropriately delete it immediately after the completion of such processing.
Once the purpose of the processing has been achieved, we will deliver the data to the controller, which will then manage it, determine how and how long it is retained, and comply with other requirements of the PDPL.
Data Security And Retention Period
We will take any and all technical and organisational steps to protect your data from loss, alteration, and unauthorised access, pursuant to Article 50 of the PDPL.
We will retain any data we process only for as long as is necessary for the purposes of the processing and for the data to be provided to the controller as instructed by the controller.
1) Once any contracted processing activities have been completed, as decided and instructed by the controller, we will either erase or return to the controller any and all personal data and erase any and all copies of such data, except where the PDPL requires such data to be retained. If we do not receive any instructions from the controller to the contrary, the maximum retention period for data we process is 6 (six) months from the completion of the last processing activity involving such data.
2) We will retain photographs and/or video recordings until consent is revoked. You can withdraw your consent at any time by notifying Lotse in writing. If you withdraw your consent, we undertake to remove photographs and/or video recording in which you appear or to conceal your face appropriately.
Using Of Cookies And Similar Technologies
Cookies are small text files that may help enhance your experience when browsing a website and make it easier to interact with us. They can do so by storing your location or language preferences, so you do not have to input this information again every time you visit the website.
We use only analytics cookies. Our website uses Google Analytics, provided by Google, Inc. (‘Google’). Google Analytics uses cookies to collect information about your use of the website, IP address, device characteristics (type of device, operating system, hardware model), browser characteristics (type, version, settings), interaction information (website visits, time spent on the website, clicks on links), demographics (age, gender, interests), and source of traffic (search engines, social media, direct hits). This information is used to analyse website usage, monitor performance and enhance the user experience, and optimise marketing strategies. All data is aggregated and anonymised, ensuring no user can be identified personally. You can manage your cookie preferences in your browser settings or opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
We do not use any user account cookies (as the website does not offer user accounts), advertising cookies, or third-party cookies for services that resell website visitor data.
Rights Of Data Subjects
You have a legal right to access your data, right to have your data rectified and erased, right to restriction of processing, right to data portability, and right to object (including the right to lodge a complaint with a supervisory authority and the right to judicial remedy). Lotse’s role is to help the controller comply with these obligations and the requirements in connection with data subjects' requests for exercising these rights (Chapter III of the PDPL), as well as to help the controller comply with the requirements of Articles 50 and 52 of the PDPL in view of the nature of the processing and the data available. Lotse will comply with these requirements in cases where Lotse is the controller.
In Serbia, the supervisory authority for personal data protection is the Office of the Commissioner for Freedom of Information and Personal Data Protection, an independent and autonomous authority established under the PDPL and responsible for applying the PDPL and performing other duties as set out by legislation.
Website of Office of the Commissioner for Freedom of Information and Personal Data Protection is at: je: https://www.poverenik.rs , or email: office@poverenik.rs
You can always contact the controller with any questions or complaints, or to get clarification or access any other right. Controllers should regulate the procedure for communicating with data subjects.
To ensure appropriate protection of personal data and impartiality in responding to any queries or complaints, Lotse has appointed Marina Matić as its Data Protection Officer. Please address any questions about data processing and protection or this Privacy Policy to the Data Protection Officer by e-mail at marina.matic@lotse.rs. Marinu Matić. Za sva pitanja i informacije u vezi sa obradom i zaštitom podataka o ličnosti ili u vezi sa ovom Politikom privatnosti možete se obratiti licu zaduženom za zaštitu podataka putem email adrese: marina.matic@lotse.rs
Final Provisions
This Privacy Policy is effective from 15 November 2024.
This Privacy Policy may be amended depending on the needs of Lotse or alterations to its business processes, changes to legislation, or requests by competent bodies (Commissioner for Freedom of Information and Personal Data Protection).
Please visit this page regularly to learn about any amendments to this Privacy Policy.
Belgrade, 15 November 2024
LOTSE
CONSULTING