Pursuant to the Law on Personal Data Protection (“Službeni glasnik RS”, No. 87/2018) and Article 198, paragraph 4 of the Law on Companies (“Službeni glasnik RS”, Nos. 36/2011, 99/2011, 83/2014 – other law, 5/2015, and 44/2018), the company Champions Travel Doo Belgrade, registration number 21007412 (hereinafter: the Travel Agency), on August 1st, 2022, hereby issues:
Personal Data Protection
PURPOSE AND OBJECTIVE OF THE POLICY
Article 1
The Personal Data Protection Policy (hereinafter: the Policy) is a general act and the primary document adopted for the purpose of further regulating the protection of personal data of individuals who are within the organization of the Travel Agency or are in a specific relation to it (primarily employees, associates, consultants, and other individuals engaged by the Travel Agency in various capacities, as well as individuals with whom the Travel Agency has established certain business cooperation, whose data the Travel Agency processes, such as users and clients), in accordance with the Law on Personal Data Protection of the Republic of Serbia (“Sl. glasnik RS”, No. 87/2018).
The company Champions Travel LLC Belgrade (hereinafter: the Controller) undertakes to ensure the confidentiality of personal data within the scope of providing travel organization and related tourism services, in compliance with the Law on Personal Data Protection (hereinafter: the Law). The Controller also guarantees security and privacy on the online platform it uses.
The purpose of this Policy is to ensure legal certainty and transparency regarding the processing of personal data of individuals referred to in paragraph 1 of this Article, and to define the legal basis, purpose of processing, types of data processed, rights of data subjects, data protection measures, and more.
This Policy also defines the obligations of employees concerning the protection of personal data, in accordance with the Law.
The term “employee” includes not only individuals employed under the Labor Law but also those engaged under service contracts, copyright contracts, consultancy service agreements, and similar, provided these contracts contain a clause obligating the engaged individual, on behalf of the Travel Agency, to comply with the provisions of this Policy, which is attached as an integral part of each individual contract.
TERMS AND ABBREVIATIONS
Article 2
Law on Personal Data Protection (“Službeni glasnik RS”, No. 87/2018; hereinafter: “Law on Personal Data Protection”, “ZZPL”);
Labour Law of the Republic of Serbia (“Službeni glasnik RS”, Nos. 24/2005, 61/2005, 54/2009, 32/2013, 5/2014, 13/2017 – decision of the Constitutional Court, and 113/2017) (hereinafter: “Labour Law” / “ZoR”);
Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia (hereinafter: “Commissioner”);
Personal data means any information relating to an identified or identifiable natural person, directly or indirectly, particularly by reference to an identifier such as name, ID number, location data, identifiers in electronic communication networks, or one or more features specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person;
Special categories of personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation;
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated or non-automated means, such as collection, recording, classification, grouping or structuring, storage, adaptation or alteration, disclosure, access, use, transfer or delivery, duplication, dissemination or otherwise making available, comparison, restriction, erasure, or destruction;
Controller is the Travel Agency as a legal entity that, within the meaning of the Law on Personal Data Protection (ZZPL), determines the purpose and manner of processing personal data;
Processor is a natural or legal person who processes personal data on behalf of the controller;
Recipient is a natural or legal person, or public authority, to whom personal data are disclosed, whether or not it is a third party, except in cases where public authorities receive data in accordance with the law within the framework of a specific investigation and process them according to the data protection rules applicable to the purpose of processing;
Third party is a natural or legal person or public authority who is not the data subject, the controller, or the processor, nor a person who is authorized to process personal data under the direct authority of the controller or processor;
Consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which they, by a statement or a clear affirmative action, signify agreement to the processing of personal data relating to them;
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
Representative is a natural or legal person with residence or seat in the territory of the Republic of Serbia, who is authorized, in accordance with Article 44 of the Law, to represent the controller or the processor in relation to their obligations under this Law.
PERSONAL DATA PROCESSED BY THE CONTROLLER
Article 3
The Travel Agency may process the following personal data of employees:
Identification data: full name, address, date and place of birth, gender, marital status, unique citizen ID number (JMBG), ID card number, nationality, and health insurance number (LBO);
Academic and professional qualifications: education level, academic titles, information about skills, foreign language proficiency, trainings, employment history, CV;
Financial data: bank account number, salary details, and additional compensation;
Work performance data: job position, performance evaluations by supervisors, business email address, IP address, access credentials (e.g., username and password);
Communication data: email, phone number, emergency contact person, and other information necessary to fulfill legal employer obligations and to execute the employment contract or another contractual relationship between the employee and the Travel Agency.
The Travel Agency may also process certain categories of special personal data, such as data concerning health or religious beliefs, in accordance with Article 17 of the Law on Personal Data Protection (ZZPL), when such processing is necessary for the fulfillment of obligations or exercise of rights in the field of labor, social security, and social protection.
The Travel Agency does not process more or different categories of personal data than those required to fulfill the specified purpose. If the processing of special categories of personal data is carried out based on the individual’s consent (e.g., to tailor training conditions to the participant’s health condition), such consent must be given in written form, and must include detailed information about the type of data being processed, the purpose of the processing, and the manner in which the data will be used.
The Travel Agency may process the following personal data of users/clients:
Full name, date of birth, place of birth, residential address, passport number, unique citizen ID number (JMBG), contact email address, and phone number.
The Travel Agency may process the following personal data of job candidates:
Full name, date and place of birth;
Academic and professional qualifications included in the CV and cover letter (education level, titles, information about skills, foreign language knowledge, trainings, list of previous employers; Communication data: email address and phone number.)
When announcing a job vacancy, the Travel Agency does not define the format of the CV, leaving it to the candidate’s discretion. Therefore, the Travel Agency may, at the candidate’s own initiative, come into possession of a greater volume of personal data than those listed above. All collected data are retained for a period of up to 1 year for the purpose of potential future engagement of the job candidate.
SOURCES OF PERSONAL DATA
Article 4
The Travel Agency collects personal data (electronically, in writing, or verbally) directly from the data subject: the employee, user, or client.
The Travel Agency may also collect personal data of employees and job candidates from other sources, primarily former employers, provided that the data are relevant for employment. All data that are not necessary for processing for the stated purposes will be permanently deleted.
PURPOSE OF DATA PROCESSING
Article 5
The Travel Agency processes personal data for the purposes outlined in Articles 6–9 of this Policy.
No more data, or a broader set of data, is processed than what is necessary to achieve the stated purposes.
EMPLOYMENT AND HUMAN RESOURCE MANAGEMENT
Article 6
The Travel Agency processes personal data for the purpose of establishing and executing employment relationships, including other contractual relationships through which the Travel Agency engages collaborators and consultants.
This includes data necessary to assess the suitability and qualifications of candidates for specific positions, manage working hours and absences, calculate salaries, travel expenses, and per diems, determine compensation for sick leave and other types of leave, evaluate employee advancement, provide additional training and education, conduct disciplinary procedures.
BUSINESS ACTIVITIES
Article 7
The Travel Agency is engaged in the organization of seminars and congresses in both Serbia and abroad, as well as in organizing travel arrangements for its clients domestically and internationally. The Travel Agency processes personal data for the purpose of organizing travel arrangements, including accommodation, transportation, and associated travel documentation. Data is collected directly from clients by reviewing their documents (passport or ID card). In rare cases, when clients are from another city or country, data is obtained via email.
For the purpose of accommodation booking, the following data is used: full name, unique citizen ID number (JMBG), date of birth, passport number, residential address, passport validity, contact phone number, contact email address.
Passport number is also used for transportation bookings.
Other information, such as email and mobile phone number, is used for communicating with clients and for sending notifications about travel departure times, updates on offers, etc.
The data is stored in our internal database and agency reservation system.
When issuing travel insurance policies, the data is entered into the insurance company’s system, where all the mentioned information is recorded and the policy is generated from that system.
In accordance with the Law on Tourism, all documentation related to sold travel arrangements, including contracts with individuals and their personal data, is stored in our reservation system for two years, after which the data is deleted.
The data is not used for other purposes, nor is it shared with third parties.
COMMUNICATIONS, INFORMATION TECHNOLOGY, AND INFORMATION SECURITY
Article 8
The Travel Agency processes personal data for the purpose of managing and maintaining the functionality of its communication and IT networks, as well as ensuring information security.
COMPLIANCE WITH RELEVANT REGULATIONS
Article 9
The Travel Agency processes personal data in order to fulfill legal obligations and to ensure compliance with applicable legal regulations, particularly those in the areas of labor and tax law.
ACCESS TO AND DISCLOSURE OF PERSONAL DATA
Article 10
Access to personal data is granted only to the Controller and the employees of the Controller.
Personal data may be disclosed to third parties outside the Controller only in the following cases:
The Travel Agency will disclose personal data to third parties solely for the purposes specified below, and will take all necessary measures to ensure that the personal data is processed and protected in accordance with applicable laws.
The Travel Agency may engage third-party service providers to perform specific data processing activities on behalf of and for the account of the Travel Agency, in which case the Travel Agency acts as the controller, and the service providers as processors of personal data. In such cases, only data necessary for fulfilling the agreed processing purpose is provided to the processor, who may not use the data for other purposes. The terms of processing and responsibility for data protection shall be defined in a contract between the Travel Agency and the processor.
Personal data will be disclosed to public authorities only when required by law.
Data may be forwarded when necessary for the performance of the Contract.
Processors of personal data do not have the right to process the data provided to them for purposes other than performing the tasks assigned by the Controller under the Contract. They must adhere strictly to all written instructions of the Controller. The Controller shall take all necessary steps to ensure that engaged processors fully comply with the Law on Personal Data Protection, follow the Controller’s written instructions, and implement appropriate technical, organizational, and personnel measures to safeguard personal data.
The authorized person collects personal data from travelers or clients from other countries for the purpose of executing the Travel Agreement.
The authorized person may transfer personal data to other countries and international organizations for the purpose of executing the Travel Agreement.
The authorized person processes personal data within the Republic of Serbia.
DATA RETENTION PERIODS
Article 11
Personal data will not be retained longer than necessary to fulfill the purpose for which it was processed. If a retention period is prescribed by law, the Travel Agency will retain the data for the legally defined duration. Upon fulfilling the purpose or upon expiration of the legally prescribed period, the data will be permanently deleted.
In accordance with the Law on Tourism, all documentation related to sold travel arrangements, including Travel Agreements with individuals and their personal data, is stored in our reservation system for two years, after which the data is deleted from the system.
The data is not used for other purposes, nor is it shared with third parties.
In specific cases, personal data may be retained for a longer period to fulfill legal obligations or for the establishment, exercise, or defense of legal claims, in accordance with applicable laws.
Personal data of employees and former employees are retained in the personnel records of the Travel Agency permanently, in accordance with the Law on Records in the Field of Labor.
RIGHTS OF DATA SUBJECTS REGARDING PERSONAL DATA PROTECTION
Article 12
Right to Information
Employees and other data subjects have the right to be informed about their rights, obligations, and matters related to the processing of their personal data, as per the Law on Personal Data Protection (ZZPL), even before data processing begins.
Right of Access
Employees and other data subjects have the right to request that the Travel Agency provide access to their personal data—that is, to determine the subject, method, purpose, and scope of the data processing, and to ask questions regarding the processing.
Right to Rectification and Supplementation
After gaining access, the data subject has the right to request rectification, supplementation, or updating of the processed personal data.
Right to Erasure
The data subject may request the deletion of their personal data in accordance with ZZPL, as well as the termination or temporary suspension of processing.
Right to Withdraw Consent for Processing
When the legal basis for processing personal data is the subject’s consent, the subject has the right to withdraw that consent at any time, in written form.
Right to Restrict Processing
According to ZZPL, the data subject has the right to request the controller to restrict the processing of their personal data.
Right to Data Portability
The data subject may request the transfer of their personal data to another controller, when technically feasible—i.e., when the data is in a structured and machine-readable format.
Right to Object and Automated Individual Decision-Making
If deemed justified due to their particular situation, the data subject has the right to object at any time to the processing of their personal data, and to not be subject to a decision made solely on the basis of automated processing—including profiling—if such a decision produces legal effects or significantly affects their status.
The data subject also has the right to object to the processing of their personal data for the purpose of direct marketing and may request the restriction of processing in other cases.
If the data subject is dissatisfied with the Controller’s response to a request for the exercise of rights regarding personal data protection, they have the right to file a complaint with the Commissioner for Information of Public Importance and Personal Data Protection: https://www.poverenik.rs/sr/.
EMPLOYEE OBLIGATIONS
Article 13
Employees are required to provide their personal data that is necessary for the Travel Agency to fulfill its legal obligations, as well as to carry out ongoing business operations.
Employees are obliged to respect and protect personal data they process during their work, in accordance with the personnel, technical, and organizational measures prescribed by the Authorized Person or employer, with the aim of safeguarding the integrity of personal data and the rights of the data subjects.
Employees may process only the data to which they have authorized access, in line with the tasks they perform.
CONTROLLER AND DATA PROTECTION OFFICER
Article 14
Controller: Contact details of the Controller: Name of the controller: Champions Travel doo Address: Dubljanska 50, Belgrade – Vračar Company registration number: 211007412, Tax ID: 108477222 Phone: +381 63 306356 Email: boban@championstravel.rs
Data Protection Officer: Slobodan Šćepanović Phone: +381 63 306995
The Controller, in accordance with Article 56 of the Law on Personal Data Protection, is not obliged to appoint a Data Protection Officer.
TRANSITIONAL AND FINAL PROVISIONS
Article 15
This Rulebook shall apply as of August 1, 2022, i.e., from the date of entry into force of the Law on Personal Data Protection.
