NOTICE ON PRIVACY AND PROTECTION OF PERSONAL DATA FOR THE PURPOSE OF PARTICIPATING IN THE BANK'S INNOVATION ECOSYSTEM ..

Based on the provisions of the Law on the Protection of Personal Data of the Republic of Serbia ( hereinafter : "the Law") and other regulations, OTP banka Srbija a.d. Novi Sad, as a data handler (hereinafter : " Bank") processes:

·         data on natural persons, entrepreneurs, representatives of legal persons, that is, authorized persons and real owners (in

  2. Groups of data that are processed

The bank processes the following basic groups of personal data of natural persons, entrepreneurs, founders, representatives and selected members of the legal entity's team when participating in the bank's innovation ecosystem :

1)            personal data - name and surname;

2)            contact information - email and phone number ;

3)            Work position

4)    Profile on the LI social network

  3. Purpose of data processing

The data subject has the right to withdraw consent at any time . _ Revocation of consent does not affect the admissibility of processing that was carried out on the basis of consent before the revocation.

  6. Rights of Persons to whom the data refer

Lica na koje se datai odkoso mogu od Banke :

a)        Provision of information on whether the Bank processes his personal data as well as access to that data in accordance with Article 26 of the Law (right of access);

h)       To challenge the decision before an authorized person of the Bank;

i)         To submit a complaint regarding the processing of personal data to the Commissioner for Information of Public Importance and Protection of Personal Data (in

hereinafter : "Trustee"), as well as to exercise their rights based on the Law.

Before approving the request of the Person to whom the data refer , the Bank may ask that person to provide additional information in order to specify the request.

The Bank informs the Persons to whom the data refer about the measures taken regarding the request or objection as soon as possible, but not later than 30 (thirty) days from the submission of the request (objection). If necessary , the specified deadline can be extended by an additional 60 (sixty) days, taking into account the complexity and number of requests.

In case of doubt on the part of the Bank regarding the identity of the party submitting the request from this point, the Bank may request additional information to confirm the identity of the Person to whom the data refer , while leaving an additional deadline for processing the request for supplementing the documentation, but not longer than 5 working days .

If all the necessary data for the identification of the Person to whom the data refer is not received , i.e. the request is not completed, the Bank makes a decision to reject the request as incomplete and, if possible (if the Person to whom the data refer has left contact information ), informs the Person to whom the data refer that his request will not be considered, with an explanation.

The Bank may charge the necessary administrative costs of providing information, i.e. acting upon the request, and refuse to act upon the request of the Person to whom the data refer , in the event that the request of the Person to whom the data refer is clearly unfounded or excessive, and especially if the same request is frequently repeated , in accordance with the Law.

7. Right of access

Unless otherwise stated by the Law , the Person to whom the data refers has the right to be informed about the processing of all personal data that the Bank processes regarding his personality .

On Lica's request regarding data , the Bank is obliged to confirm that it is processing its personal data , and to enable access to this data, as well as the following information :

a)        on the purpose of data processing ;

b)       on the types of personal data that are processed ;

       c ) about the recipient or types of recipients to whom personal data has been disclosed or will be disclosed to them , especially recipients in other countries or international organizations;

      d ) on the planned dark house outside of the data of such a person , or if this is not possible , on _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ cr i t e r i j in mime for o get out of the house ; _ _ _ _ _ _ _

e)       on the existence of the right to request from the controller the correction or deletion of his personal data , the right to limit processing and the right to object to processing ;

f)        on the right to file a complaint with the Commissioner;

g)         available information on the source of personal data , if the personal data were not collected from the Person to whom the data refer ;

about the existence of an automated decision- making procedure , including profiling, and, at least in those cases, relevant information about the logic used in it , as well as about the significance and expected consequences of that processing for the Person to whom the data refer.

The Bank may request reimbursement of the necessary costs for the production of additional copies requested by the Person to whom the data refer.

In the event that the right of the Data Subject to obtain information ( right of access ) based on this point negatively affects the rights and freedoms of others , in particular business secrets or intellectual property _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ i n u , the Bank will be able to obtain the request from the L i c e on which it is submitted . _ _ _ _ _ _ _ _ _ _ _ _

8.           Right to rectification

The data subject has the right to have inaccurate personal data corrected without undue delay. Depending on the purpose of the processing, the Person to whom the data refers has the right to supplement his/her incomplete personal data, which includes providing an additional statement. The Bank is obliged to inform all recipients to whom personal data has been disclosed about any correction of personal data, unless this is impossible or requires an excessive expenditure of time and resources. The Bank is obliged to inform the Person to whom the data refer, at his request, about all recipients. on the Bank's platform .

9.           Right to erasure

The data subject has the right to initiate the deletion of his personal data in the following cases:

a)         personal data are no longer necessary to achieve the purpose for which they were collected or otherwise processed;

b)        The person to whom the data refers has revoked the consent on the basis of which the processing was carried out, and there is no other legal basis for the processing;

c)         The person to whom the data refer has submitted an objection to the processing, and there is no other legal basis for the processing that prevails over the legitimate interest, right or freedom of the person to whom the data refers;

d)        personal data were illegally processed;

e)         personal data must be deleted in order to fulfill the operator's obligations prescribed by the Law;

f)         personal data is collected in connection with the use of information society services.

If the Bank has previously publicly published the personal data of the Person to whom the data relates and is obliged to delete them, the Bank undertakes all reasonable measures , including the implementation of technical measures, necessary to inform those data handlers who obtained the personal data of the Person to whom the data relates relations, on the mandatory deletion of that personal data. In its notification, the Bank is obliged to notify all remaining data controllers of the Data Subject's request to delete all links to his personal data, or copies or copies of such personal data.

After approving the Data Subject's request to exercise the right to deletion, the Bank is obliged to inform all recipients to whom personal data has been disclosed of any deletion of personal data , unless this is impossible or requires an excessive expenditure of time and resources. The Bank is obliged to inform the Person to whom the data refer , at his request, about all recipients.

The Bank is not obliged to delete personal data to the extent that processing is necessary due to:

a)        exercising freedom of expression and information;

b)       due to compliance with the legal obligation of the Bank , which requires the processing or execution of tasks in the public interest or the execution of official duties of the operator;

c)        for the achievement of public interest in the field of public health;

d)       for the purpose of archiving in the public interest, the purpose of scientific or historical research as well as statistical purposes, and it is reasonably expected that the exercise of this right could make it impossible or significantly threaten the achievement of the goals of that purpose;

e)       for submission, implementation or defense of legal claims.

10.          Right to restriction of processing

The person to whom the data refers has the right to limit processing by the Bank in the event that:

a)         The person to whom the data refers contests the accuracy of the personal data, within the time limit that allows the Bank to check the accuracy of the personal data;

b)        the processing is illegal, and the Person to whom the data refers opposes the deletion of personal data and instead of deletion requests restriction of the use of the data;

c)         The Bank no longer needs personal data to achieve the purpose of processing, but the Person to whom the data refers has requested it in order to submit, implement or defend a legal claim;

d)        The person to whom the data refers has submitted an objection to the processing, and an assessment is underway as to whether the legal basis for processing by the Bank outweighs the interests of that person.

If the processing is limited, these data can be further processed only on the basis of the consent of the person to whom the data refer, unless it is about their storage or for the purpose of submitting, realizing or defending a legal claim or for the protection of the rights of other natural or legal persons or due to the achievement of significant public interests..

The Bank informs the Persons to whom the data refer before the removal of processing restrictions.

After approving the request of the Data Subject, the Bank is obliged to inform all recipients to whom personal data has been disclosed about the limitation of their processing, unless this is impossible or requires an excessive expenditure of time and resources. The Bank is obliged to inform the Person to whom the data refer, at his request, about all recipients.

11.           Right to object

If, in accordance with the provisions of this Notice, data processing is necessary for the legitimate interests of the Bank or a third party, the Person to whom the data refers has the right to file an objection to the processing of his personal data for these purposes. The bank is obliged to stop processing data about the person who submitted the complaint, unless it has presented that there are legal reasons for processing that prevail over the interests, rights or freedoms of the person to whom the data refer or are related to the submission, realization or defense of legal demands.

12.          The right to data portability

The person to whom the data refers has the right to receive his personal data that he previously submitted to the Bank in a structured, commonly used and electronically readable form and has the right to transfer this data to another operator without interference from the Bank if the following conditions are met together :

a)         processing is based on landing;

b)        processing is done automatically.

The right from paragraph 1 of this point also includes the right of a person to have his personal data directly transferred to another operator by the operator to whom this data was previously delivered, if this is technically feasible. The right to data portability from the previous point does not impose any obligation on the Bank or other operators to implement or maintain mutually technically compatible systems. In the event that the right to data portability of the Data Subject negatively affects the freedoms and rights of others, especially trade secrets or intellectual property, the Bank may reject the Data Subject's request.

13.          Existence of automated decision-making 

There is no automated decision-making for the processing purpose in question

14.          Legal remedies

The person to whom the data refers has the right to file a complaint with the Commissioner if he believes that the processing of his personal data has been carried out contrary to the provisions of the Law.

Contact details of the Commissioner:

Website: https://www.poverenik.rs Address: Bulevar kralja Aleksandra 15, 11120 Belgrade Postal code: 11120 Belgrade

Phone: +38111 3408 900

Fax: +38111 3343 379

E-mail: office@poverenik.rs

Data subjects also have the right to judicial protection of their rights. Civil proceedings are conducted by the competent court.

The person to whom the data refers, in connection with the protection of personal data, has the right to authorize the representative of the association that deals with the protection of the rights and freedoms of the person to whom the data refers to, in accordance with the Law, represent him in the procedures referred to in Art. 82 to 84 and Article 86 of the Law.

15.          Contact details of the Bank as Data Controller and Personal Data Protection Officer

Contact details of the Bank as Data Controller and Personal Data Protection Officer:

Name of operator: OTP banka Srbija ad Novi Sad Headquarters: 21101 Novi Sad, Trg slobode 5

Address: 21101 Novi Sad, Trg slobode 7 Internet site: www.otpbanka.rs

Details of the Person for Personal Data Protection at the Bank: Name: Sonja Carević

Address: 21000 Novi Sad, Trg Slobode 5 E-mail: zastita_podataka@otpbanka.rs