GENERAL NOTICE ON PROCESSING OF USER PERSONAL DATA
Propulsion d.o.o., with registered seat at Kneza Mihaila 3, Urban Office, 5th floor, 11102 Belgrade, Serbia, Registration No. 21348104, VAT No. 110418418, e-mail: beograd.doo@propulsion.one, telephone: +381 11 405 9619, which has the capacity of a Data Controller pursuant to Article 2, paragraph 1, point 8 of the Law on Personal Data Protection (Official Gazette of the RS, No. 87/2018, hereinafter: LPDP), strictly complies with applicable legislation and ensures that personal data are collected and processed for specific purposes, respects the principle of data minimization, and ensures that personal data are only stored for the period of time necessary to achieve the purpose for which they were collected, respecting that personal data are processed solely for legitimate purposes, that they are accurate and current, that they are processed in accordance with an appropriate legal basis, and that they are protected from any unauthorized or illegal access by internal or external persons.
Taking this into consideration, the Data Controller hereby informs users of its programs, projects, campaigns, events and services, employees and otherwise engaged persons, business partners, job candidates, as well as other persons whose data may be collected, about all important aspects of collecting and processing their personal data.
1. What is personal data?
Personal data is any information that relates to an individual and identifies that person, directly or indirectly, especially based on an identity tag, such as name and identification number, location data, identifiers in electronic communications networks or one or more characteristics of their physical, physiological, genetic, mental, economic, cultural and social identity.
Specific categories of personal data are data that reveal racial or ethnic origin, political opinion, religious or philosophical beliefs or union membership, as well as genetic data, biometric data for the sole identification of a person, health-related information, or data on sexual life or sexual orientation of the individual.
2. From whom do we collect personal data?
The Data Controller collects and processes personal data concerning:
1) Employed persons, persons who are engaged without employment status or employed under a different legal basis, as well as former employees (hereinafter: Employees);
2) Job candidates;
3) Persons representing contacts in companies, institutions, organizations or other entities that are business partners, clients, suppliers, contractors, donors, project partners or other collaborators of the Data Controller (hereinafter: Business Partners);
4) Users, participants, applicants, beneficiaries or other persons involved in programs, projects, campaigns, events, services or other activities organized, implemented or supported by the Data Controller (hereinafter: Users).
Hereinafter all are collectively referred to as data subjects.
3. What personal data do we collect and process?
The Data Controller processes personal data only to the extent necessary for the performance of its business activity, or to the extent necessary for the specific purpose of processing.
The Data Controller collects personal data directly from the data subject, or through their employers, co-contractors, business partners, legal representatives, parents or guardians, or, where applicable, other third parties, only to the extent necessary to accomplish a specific purpose, and depending on the specific category of data subject.
Typically, this is a minimal set of data necessary to accomplish a specific purpose, namely:
From Employees, the Data Controller collects and processes data prescribed by applicable laws regulating work, employment records, social insurance, health insurance, tax obligations and other relevant legal obligations. Such processing is necessary in order to respect the legal obligations of the Data Controller pursuant to Article 12, paragraph 1, point 3) of the LPDP.
From Job Candidates, in addition to basic contact information, including name and surname, contact telephone and e-mail address, the Data Controller collects data on educational background, professional experience, qualifications, skills, references, portfolio materials, as well as other information that the person shares about themselves. Such processing is necessary for undertaking actions, at the request of the data subject, prior to the conclusion of a contract, in order to assess the application and contact the candidate in case of need for work engagement, pursuant to Article 12, paragraph 1, point 2) of the LPDP. After the expiry of a specific call or recruitment process, this category of persons may opt to keep their data available in the electronic records of the Data Controller. From the expiry of the specific call or recruitment process, the processing of personal data is performed on the basis of informed consent pursuant to Article 12, paragraph 1, point 1) of the LPDP. In case the job candidate is hired or otherwise engaged, further processing of their data is done as for the category “Employees” or otherwise engaged persons.
From Business Partners, the Data Controller collects basic contact information, including first and last name, contact telephone number, e-mail address, name of the legal entity or organization they represent, position or function within that entity, and other business communication data necessary for cooperation, contracting, project implementation, service delivery, reporting, invoicing and other legitimate business communication. Depending on the specific purpose, such processing may be carried out on the basis of informed consent of the data subject pursuant to Article 12, paragraph 1, point 1) of the LPDP, for the purpose of executing a contract or undertaking actions prior to the conclusion of a contract pursuant to Article 12, paragraph 1, point 2) of the LPDP, for the fulfillment of legal obligations pursuant to Article 12, paragraph 1, point 3) of the LPDP, or on another applicable legal basis under the LPDP.
From Users, the Data Controller may collect and process the following data, depending on the specific program, project, campaign, event, service or activity:
– basic identification information, such as name and surname;
– contact information, such as e-mail address, telephone number and, where necessary, address;
– information relevant to participation in a specific program, project, campaign, event or service, such as organization, institution, position, professional background, field of interest, application answers, attendance information, preferences or other data provided through registration or application forms;
– information necessary for travel, accommodation, reimbursement, contracting, payment or reporting, where applicable, such as ID or passport number, bank account information, tax-related data or other legally required data;
– information on social network accounts, where relevant for communication, campaigns, public participation, influencer engagement or similar activities;
– photo, video, audio or other media materials, where applicable and where the data subject has been informed about such processing;
– other information that the data subject voluntarily provides in relation to a specific activity.
Such processing is carried out on the basis of informed consent of the data subject pursuant to Article 12, paragraph 1, point 1) of the LPDP, for the purpose of executing a contract or undertaking actions prior to the conclusion of a contract pursuant to Article 12, paragraph 1, point 2) of the LPDP, for the fulfillment of legal obligations pursuant to Article 12, paragraph 1, point 3) of the LPDP, or on another applicable legal basis under the LPDP, depending on the specific purpose of processing.
4. How are personal data collected?
The Data Controller collects personal data either directly from the data subject or through their employers, co-contractors, business partners, legal representatives, parents or guardians, or, where applicable, other third parties.
When the Data Controller does not obtain data directly from the data subject, the person or entity providing the data shall be responsible for ensuring that they are authorized to forward the data to the Data Controller. Such person or entity shall also be obliged to inform the data subjects of all relevant aspects of processing in accordance with Article 24 of the LPDP, including by referring them to this Notice.
Where necessary and legally justified, data from an identity card, passport or other identification document may be verified by the Data Controller by accessing the relevant identity document.
5. What is the legal basis for collection?
The Data Controller processes personal data based on:
– informed consent of the data subject pursuant to Article 12, paragraph 1, point 1) and Article 15 of the LPDP. In the case of processing based on informed consent, the data subject is authorized to revoke that consent at any time. The revocation shall entail the termination of any further processing, without prejudice to the processing carried out up to that point, in accordance with point 11 of this Notice;
– the purpose of executing a contract concluded with the data subject or taking measures at the request of the data subject prior to the conclusion of a contract, pursuant to Article 12, paragraph 1, point 2) of the LPDP;
– the fulfillment of legal obligations pursuant to Article 12, paragraph 1, point 3) of the LPDP;
– another applicable legal basis under the LPDP, depending on the category of data subject and the specific purpose of processing.
The processing of special categories of data shall be carried out only where there is an appropriate legal basis and only to the extent necessary for the specific purpose of processing.
6. What is the purpose of processing personal data?
The Data Controller, depending on the type of data and the category of the person whose data are processed, collects and processes personal data for the following purposes:
– creation and management of databases of users, participants, applicants, beneficiaries or other persons involved in projects, programs, campaigns, events, services or other activities;
– registration, selection, participation and communication related to specific events, projects, programs, campaigns, trainings, workshops, conferences, public calls or other activities organized, implemented or supported by the Data Controller;
– informing persons whose data are processed about current programs, projects, campaigns, events, services or activities, including through e-mail, newsletters, social media, media posts or other communication channels;
– informing persons whose data are processed about planned projects, programs, calls, events, opportunities or activities;
– implementation, monitoring, reporting, evaluation and promotion of projects, programs, campaigns, events and services;
– preparation and publication of communication materials, including photo, video, audio, written and digital materials, where applicable and in accordance with the relevant legal basis;
– communication with business partners, clients, donors, suppliers, contractors, consultants, media, institutions, organizations and other collaborators;
– concluding and executing contracts or undertaking preparatory actions for the conclusion of contracts at the request of the data subject;
– recruitment, selection and engagement of employees, consultants, contractors, interns or other collaborators;
– financial, administrative, accounting, tax, audit and legal purposes;
– fulfillment of legal obligations of the Data Controller;
– protection of the rights, property, safety and legitimate interests of the Data Controller, data subjects or third parties, where applicable and legally justified.
7. How are personal data stored and what precautionary measures are in place?
The Data Controller stores and archives personal data in its internal electronic and, where necessary, physical records. The Data Controller applies all necessary organizational, technical and personnel protection measures in accordance with the requirements of the applicable LPDP, including:
– control of physical access to systems and premises where personal data are stored;
– control of access to data;
– control of data transmission;
– control of data entry;
– control of data availability;
– internal authorization procedures;
– confidentiality obligations for employees and otherwise engaged persons;
– use of appropriate technical protection measures;
– other information security measures necessary to protect personal data.
The Data Controller takes reasonable measures to protect personal data from unauthorized access, disclosure, alteration, loss, destruction, misuse or any other form of unlawful processing.
8. What rights do the data subjects have?
In relation to personal data, the person whose data have been collected has the following rights:
– the right to request from the Data Controller access to personal data and information concerning processing, pursuant to Article 26 of the LPDP;
– the right to request the correction of incorrectly entered data and the supplementation of incomplete data, pursuant to Article 29 of the LPDP;
– the right to request deletion of data, pursuant to Article 30 of the LPDP;
– the right to request restriction of processing, pursuant to Article 31 of the LPDP;
– the right to data portability, pursuant to Article 36 of the LPDP;
– the right not to be subject to a decision taken solely on the basis of automated processing, including profiling, pursuant to Article 38 of the LPDP;
– the right to be informed of personal data breaches if such breaches can create a high risk to the rights and freedoms of natural persons, pursuant to Article 53 of the LPDP;
– the right to file a complaint with the Commissioner for Information of Public Importance and Personal Data Protection, Bulevar kralja Aleksandra 15, 11120 Belgrade, telephone: +381 11 3408 900, e-mail: office@poverenik.rs, pursuant to Article 82 of the LPDP;
– the right to judicial protection if the data subject considers that their rights under the LPDP have been violated, pursuant to Article 84 of the LPDP;
– other rights guaranteed by the applicable LPDP.
In relation to the exercise of their rights, the Data Controller shall provide to the data subject all necessary assistance, in accordance with the conditions and in the manner prescribed by the applicable LPDP.
9. Who can have access to the data besides the Data Controller?
The Data Controller may provide personal data to third parties, some of which are processors and some of which are recipients of the data.
A processor, pursuant to Article 4, paragraph 1, point 9) of the LPDP, is a natural or legal person, or a body of authority, that processes personal data on behalf of the Data Controller. A recipient of data is a natural or legal person or body of authority to which personal data have been disclosed, whether or not it is a third party.
Categories of persons or entities who may have access to personal data include:
– employees and otherwise engaged persons at the Data Controller;
– donors, clients or contracting authorities funding or commissioning programs, projects, campaigns, events, services or other activities implemented by the Data Controller;
– partner organizations, subcontractors, consultants, contributors or collaborators involved in individual programs, projects, campaigns, events, services or other activities;
– IT companies and digital service providers that maintain information systems, websites, platforms, databases or communication tools used by the Data Controller;
– bookkeeping, accounting, audit, legal, tax, banking, travel, logistics, event management or similar service providers;
– media, production, design, research, communication, marketing or other professional service providers, where applicable and necessary for a specific purpose;
– competent state bodies, courts, public authorities or other institutions, where this is a legal obligation of the Data Controller or where there is another valid legal basis.
Some processors or recipients that may access personal data may be based in foreign countries, primarily in Bosnia and Herzegovina, EU / EEA Member States, and exceptionally in other countries, including the United States of America.
The disclosure of data to Bosnia and Herzegovina and EU / EEA countries is done on the basis of the default level of adequate protection of personal data in those countries, since according to Article 64, paragraph 2 of the LPDP, it is considered that an adequate level of protection of personal data is provided in countries and international organizations that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, or in countries, parts of their territories, or in one or more sectors of certain industries in those countries or international organizations designated by the European Union as providing an adequate level of protection.
Where personal data are transferred to countries that do not provide an adequate level of protection, the Data Controller shall apply appropriate safeguards or rely on another valid legal basis for transfer in accordance with the LPDP.
All processors conclude separate contracts or are otherwise bound by appropriate legal acts that regulate relevant aspects of personal data processing and security measures. In any case, the Data Controller remains responsible for implementing appropriate precautionary measures.
Exceptionally, personal data may also be provided to competent state bodies, if this is a legal obligation of the Data Controller, and only to the extent necessary for the fulfillment of a specific legal obligation.
10. What is the deadline for storing personal data?
Personal data are stored for the period necessary to carry out the specific purpose of processing, unless a longer storage period is prescribed or permitted by law.
In relation to specific categories of persons whose data are processed:
– data on employees are kept in accordance with applicable laws regulating records in the field of work, employment, social insurance, tax obligations and other relevant legal obligations;
– data collected for the execution of a concluded contract are kept for a period of 10 years, corresponding to the general limitation period for claims in accordance with the law regulating obligations, or longer if a longer period is prescribed by law;
– data processed on the basis of informed consent are kept until the specific purpose has been exhausted, or until consent is revoked in accordance with Article 15, paragraph 3 of the LPDP, which also signifies the termination of further processing of personal data based on that consent;
– data collected for participation in events, programs, campaigns, projects or services are kept for the period necessary for implementation, reporting, audit, donor, contractual or legal obligations, or until the specific purpose has been exhausted;
– data of job candidates are kept for the duration of the specific recruitment process, unless the candidate has consented to longer retention for future opportunities or unless another legal basis applies.
After expiry of the prescribed or necessary deadlines, personal data are deleted, anonymized or otherwise made unrecognizable.
11. Cookies
The Data Controller, through its website, may process and use so-called cookies.
Cookies represent data stored on a computer or other device of a website user or visitor and enable the monitoring and analysis of user behavior on the website.
Cookies do not usually lead to the disclosure of the identity of a particular user. In the event that they identify a user, cookies represent personally identifiable information, and therefore all points of this Notice regulating the processing of personal data apply to them.
Pursuant to Article 126, paragraph 3 of the Law on Electronic Communications, the use of cookies is allowed, provided that the user is given a clear and complete notice of the purpose of collecting and processing the data in accordance with the law regulating the protection of personal data, and provided that they are given the opportunity to reject such processing.
Cookies can be removed by changing the settings on the user’s internet browser, including Internet Explorer, Firefox, Chrome, Opera, Safari or other browsers. The user may delete stored cookies from their internet browser. However, removing individual cookies may impair the functionality of the website.
The Data Controller may use the following types of cookies:
Necessary cookies are cookies necessary for the operation of the website. The removal of such cookies may make it impossible to use the website or some of its parts.
Functional cookies enable the Data Controller to provide better website functionality and personalize information that is presented to the user. Such cookies may be set by the Data Controller or by third parties and may be removed as described above. Removing this type of cookies may cause some services on the website not to function properly.
Performance cookies provide information about visitors and how users use the website, such as the number of visits, frequency of visits to a particular page and similar information. This information does not usually identify the user who visits the website and helps the Data Controller improve the performance of its website and provide a better user experience.
The Data Controller’s website may use Google Analytics services, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, which are also based on cookie-using technology stored on a visitor’s device, for the purpose of qualitative analysis of the use of the website. For more information, see the Google Privacy Policy, available on Google’s official website.
12. Special Processing Notices
Based on the specificity of the purpose that the data collection and processing should accomplish and in relation to the legal basis, the Data Controller shall, as appropriate, inform the data subjects of all specific aspects of such processing through a separate or special notice.
This Notice and any Special Notice will apply to such processing.
13. Additional information on the processing of personal data
Any additional questions regarding the processing of personal data, including how to exercise the rights of the data subject, can be sent to the following e-mail address: beograd.doo@propulsion.one.
The Data Controller will respond to all inquiries within 5 working days at the latest.
14. Entry into force and amendment of the Notice
This Notice shall enter into force on the day of its publication on the website of the Data Controller.
This Notice may be updated from time to time, but the level of privacy protection attained will not be diminished. Any changes will take effect on the day they are posted on the website of the Data Controller.
Hereby, the persons whose data are processed confirm that they have read, understood and accepted the processing of personal data described above.
This document was last updated on May 13, 2026.
“`