Privacy Policy

GENERAL DATA PROTECTION RULES
VESCON DOO BEOGRAD (STARI GRAD)

The legal basis for adopting these General Data Protection Rules (hereinafter referred to as the “Rules”) is the Law on Personal Data Protection (“Official Gazette of RS” No. 87/2018, hereinafter referred to as “LPDP”).

These Rules establish the binding procedures for the collection and processing of personal data of natural persons by VESCON DOO BEOGRAD (STARI GRAD) in the course of its activities – providing services related to digital assets – in accordance with the Law on Digital Assets (“Official Gazette of RS” No. 153/2020, hereinafter referred to as “LDA”) and the Law on the Prevention of Money Laundering and the Financing of Terrorism (“Official Gazette of RS” No. 113/2017, 91/2019, 153/2020, 92/2023, 94/2024, and 19/2025, hereinafter referred to as “AML/CFT Law”).

In the course of its business, the Controller processes personal data of various categories of natural persons, including users, employees, and other individuals who come into contact with the Controller. Such processing may take place, inter alia, through video surveillance systems on business premises, during visits to and use of the Controller’s website and mobile application, and via modern communication channels, including social networks, as further specified below.

1. Definition of Terms

      1.1. For the purposes of these Rules, the following terms have the meanings set out below:

      “Controller” means VESCON DOO BEOGRAD (STARI GRAD), Company Registration Number: 21281565, Tax Identification Number: 109993864, having its registered office at Carice Milice 2/3/1, 11000 Stari Grad.

      “Personal Data” means any data relating to a natural person whose identity is determined or can be determined, directly or indirectly, in particular based on an identifier such as a name and identification number, location data, an identifier in electronic communications networks, or one or more characteristics of their physical, physiological, genetic, mental, economic, cultural, or social identity;

      “Processing of Personal Data” means any operation or set of operations performed, whether automated or not, on personal data or on sets of personal data, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or otherwise making available, dissemination, alignment or combination, restriction, erasure, or destruction (hereinafter referred to as “Processing”);

      “Profiling” means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that person’s work performance, economic situation, personal preferences, interests, reliability, behavior, location, or movements;

      “Biometric Data” means personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or fingerprint data.

      1.2. All other terms not expressly defined in this section and used in these Rules have the same meaning as assigned to them under the LPDP. In the event of any discrepancy between the meanings of terms as defined in these Rules and in the LPDP, the definitions set forth in the LPDP prevail.

      2. Principles of Personal Data Processing by the Controller

      2.1. The Controller processes personal data lawfully, fairly, and transparently, for purposes that are specific, explicit, legitimate, and lawful, and in a manner that is adequate, relevant, and limited to what is necessary in relation to the purposes of processing.

        2.2. The data collected must be accurate and kept up to date; at the request of the data subject, they must be completed and corrected, and, where permitted by mandatory legal provisions, erased.

        2.3. During the collection, processing, and storage of data, appropriate organizational, personnel, and technical safeguards must be implemented in accordance with these Rules.

        3. Purpose of Personal Data Processing

        3.1. The Controller uses personal data for the following purposes:

          • To comply with legal obligations to the extent prescribed by applicable law (in relation to employees and other individuals whose data is processed within the scope provided by law);
          • For the preparation, conclusion, and performance of contracts (including contracts relating to job candidates, service users, and other parties);
          • For the physical protection of business assets and premises, as well as to ensure a safe environment for employees, while respecting the fundamental rights and freedoms of data subjects (e.g., video surveillance, identification procedures, and similar measures);
          • To facilitate communication with the data subject at their request, including questions, inquiries, and responses related to the individual, whether communicated to the Controller directly or via email, telephone, or other channels;
          • For data analysis, including profiling of individuals through the use of the Controller’s website or social media pages;
          • For the purpose of improving the Controller’s activities and operations, based on feedback from users (concerning data subjects, excluding employees and job candidates);
          • To send information about the Controller’s activities and new offers (including newsletters and other similar promotional materials to users, newsletter subscribers, and other individuals who have given their informed consent for this purpose).

          4. Legal Basis for Data Collection

          4.1. All processing of personal data by the Controller is based on applicable law, the informed consent of the data subject, or the legitimate business interest of the Controller.

          4.2. The processing of collected data in accordance with these Rules is primarily necessary for the performance of a contract and compliance with the Controller’s legal obligations, and to a lesser extent for the pursuit of the Controller’s legitimate business interests, such as marketing activities and security purposes. 

            4.3. Depending on the purpose of data collection and the category of data subjects, the processing of personal data is carried out on the basis of the following legal grounds:

              • Informed consent of the data subject (Article 12, paragraph 1, item 1 of LPDP), following prior notification of the data subject of all essential aspects of the processing. The consent of the data subject is given voluntarily, explicitly, in an informed and unambiguous manner, and may be withdrawn at any time. Withdrawal of consent results in the cessation of any further processing, without affecting the lawfulness of processing carried out prior to the withdrawal.
              • Compliance with the legal obligations of the Controller (Article 12, paragraph 1, item 3 of LPDP). As a provider of services related to digital assets, the Controller is required to comply with regulations governing such activities. The Controller processes personal data for this purpose exclusively to the extent necessary to fulfill such obligations, provided that all appropriate measures are taken to ensure that access to personal data is granted only to authorized persons and competent government authorities. 
              • Performance of a contract, or the taking of steps prior to concluding a contract (Article 12, paragraph 1, item 2 of LPDP), exclusively to the extent necessary for those purposes;
              • Protection of the legitimate interests of the Controller or the legitimate interests of third parties (Article 12, paragraph 1, item 6 of LPDP). The Controller exceptionally processes personal data to pursue a legitimate interest, such as the physical protection of business assets and business premises and the maintenance of a safe environment for employees, in a manner that safeguards the fundamental rights of the data subjects (e.g., video surveillance, identification, etc.).

              5. Collected and Processed Data

              5.1. The Controller collects and processes personal data of its users, employees, and other natural persons in accordance with the LPDP and other applicable regulations.

              5.2. Personal data of users is collected during the registration and verification of user accounts, as well as during visits to and use of the Controller’s website and mobile application. In the process of registering and verifying a user account, the Controller collects the following personal data from the user, in accordance with Article 12, paragraph 1, item 3 of LPDP:

              1. address(es) of digital assets;
              2. email address;
              3. name and surname;
              4. date and place of birth;
              5. mobile phone number;
              6. permanent or temporary residence;
              7. unique personal number of the natural person;
              8. type and number of the personal document, name of the issuer, date and place of issue; 
              9. purpose and intended nature of a business relationship;
              10. IP address;
              11. information on the type of user’s line of business and business activities;
              12. data and information on the source of assets that are or that will be the subject of a business relationship;
              13. a declaration as to whether the user is a public official, a member of the immediate family of a public official, or a close associate of a public official; first and last name, date and place of birth, residence or domicile, and unique personal identification number, of the public official with whom the business relationship is established or the transaction is conducted, or for whom the business relationship is established or the transaction is conducted, as well as the type and number of identity document, name of the issuing authority, date and place of issuance; information on whether the individual is a public official who currently holds or has held a high public office in the state, another country, or an international organization within the last four years, whether they are a family member of a public official, or a close associate of a public official; information on the period of holding such office; information on the type of public office held or previously held in the last four years; information on family relationship if the client is a member of the immediate family of a public official; information on the type of business relationship if the client is a close associate of a public official; 
              14. name and surname, date and place of birth and permanent or temporary residence of the user’s beneficial owner;
              15. video recordings of the user and accompanying persons, capturing biometric data (facial image), during the user’s visit to the Controller’s premises;
              16. audio recordings of the user’s voice during telephone calls to customer support, capturing biometric data (the individual’s voice);
              17. biometric data of the user from an identity document (photograph, as well as fingerprint and/or signature), obtained by acquiring a copy of the identity document in accordance with the AML/CFT Law and applicable secondary legislation;
              18. with the user’s explicit and recorded consent, biometric data (facial image and voice) processed for the purpose of uniquely identifying the user, specifically during video identification conducted via audio-video recording.

              5.3. Personal data of employees and other engaged personnel is collected and processed in accordance with applicable labor law regulations, including, in particular, the Labor Law, the Law on Records in the Field of Labor, and the Law on Mandatory Social Insurance, as well as, where applicable, regulations governing the operations of providers of services related to digital assets. Such processing is necessary for the fulfillment of the Controller’s legal obligations, pursuant to Article 12, paragraph 1, item 3 of LPDP.

              5.4. Personal data of job candidates, as contained in their curriculum vitae (CV), is collected and processed, including their name and surname, photograph, and contact information (phone number and email address). Such processing is carried out either based on the informed consent of the data subject, pursuant to Article 12, paragraph 1, item 1 of the LPDP, or at the request of the data subject for the purpose of taking steps prior to entering into an employment contract, pursuant to Article 12, paragraph 1, item 2 of LPDP.

              5.5. Personal data of individuals who communicate or come into contact with the Controller is collected and processed, including their name and surname, email address, and any other information voluntarily provided by the data subject. The legal basis for this processing is the informed consent of the data subject, pursuant to Article 12, paragraph 1, item 1 of the LPDP.

              5.6. Cookies collected through the Controller’s website and mobile application are governed in detail by the Cookie Policy. The processing of data through cookies is based on the user’s consent, which is obtained in a clear, transparent, and unambiguous manner, without any form of coercion or suggestion.

              6. Persons with Access to Personal Data

              6.1. The internal organization of work, scope of authority, and responsibilities of employees in specific positions within the Controller are regulated by the Rulebook on Job Classification and Internal Organization. Access to personal data of users and other natural persons is granted exclusively to employees of the Controller who, in accordance with their job responsibilities, are authorized and trained to process personal data, and only to the extent necessary to achieve the purposes of processing. In this regard, access to personal data may be granted to employees engaged in the following organizational units of the Controller: (i) Business Development Department; (ii) Legal Department; (iii) Marketing and Public Relations Department; (iv) Trading Department; (v) Anti-Money Laundering and Counter-Terrorism Financing Department; (vi) ICT Department; (vii) Customer Support Department; and (viii) Accounting and Bookkeeping Department. 

              6.2. Employees from the aforementioned departments process personal data solely in accordance with the Controller’s internal regulations, the principle of need-to-know access, and the implementation of appropriate technical and organizational measures for data protection.

              6.3. Externally engaged legal and/or natural persons: (i) the Controller’s contractual partners, (ii) providers of physical security services, (iii) software developers for the processing of personal data (BLINK.ING DOO BEOGRAD, TIN: 110297552; CRN: 21332755), (iv) personnel maintaining the Controller’s information systems; and (v) specialized hosting service providers enabling the online presence of the website, may have limited access to personal data, but only to the extent strictly necessary for the performance of the service. In the relevant engagement contracts, the Controller ensures that these parties are informed of their obligations under the LPDP and these Rules.

              6.4. Some of the aforementioned persons who may have access to personal data qualify as processors. The Controller has concluded agreements with all such processors to ensure compliance with the LPDP. The Controller remains fully responsible for all data processing activities carried out by these processors.

              6.5. Most data processing activities are carried out by processors whose operations are conducted within the territory of the Republic of Serbia. However, certain data processing activities may also be performed by processors incorporated and operating in the EU or in third countries. 

              6.6. Transfers to such countries are carried out:

              • Based on a decision of adequacy for EU/EEA countries in accordance with Article 64 of LPDP. Cross-border transfers to these countries are permitted freely, without prior approval from the Commissioner, pursuant to Article 64, paragraph 2 of LPDP;
              • Based on appropriate safeguards in accordance with Article 65, paragraph 2, item 2 of LPDP, i.e., through agreements (Personal Data Transfer Agreements) that include standard data protection clauses issued by the Commissioner.

              6.7. Personal data may be shared with public authorities, banks, and other financial institutions where this is necessary for the fulfilment of the Controller’s legal obligations, provided that the use of such personal data is limited to the minimum necessary to comply with the specific legal requirements.

              7. Consent

              7.1. User consent for the collection and processing of personal data is provided in the form of a written statement, accompanied by a clear presentation of the user’s rights and obligations, in a manner that is understandable, easily accessible, and expressed in clear and simple language. The Controller is specifically obliged to clearly inform the user that withholding certain data may result in an inability to provide the requested service.

              7.2. The user has the right to withdraw their consent at any time, provided that such withdrawal does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

              7.3. Before giving consent, the data subject must be informed of their right to withdraw consent, as well as the consequences of such withdrawal. The withdrawal of consent must be as straightforward as giving consent.

              7.4. The rules concerning withdrawal of consent do not apply to data that the Controller is required to collect, process, and store in accordance with mandatory provisions of specific laws, for the period and in the manner prescribed by those laws.

              8. Data Retention

              8.1. Pursuant to Article 84 of LDA, the Controller is obliged to maintain and retain in electronic form all data related to transactions with digital assets executed either on its own account or on behalf of a digital asset user, for a period of at least ten years. Where transactions are executed on behalf of a user, these records must include all data regarding the identity of the user, as well as any information required under the law regulating the prevention of money laundering and terrorist financing.

              8.2. Data collected through the Controller’s website and mobile application via the use of cookies are retained for the period specified in the applicable Cookie Policy at the time the data is collected.

              9. Competent Authorities and Legal Entities to Which Data Are Provided

              9.1. As a licensed provider of services related to digital assets, the Controller is, in addition to LDA, subject to the AML/CFT Law and all subordinate regulations adopted thereunder. Compliance with these regulations entails continuous regulatory supervision by the Administration for the Prevention of Money Laundering, the Securities Commission, and the National Bank of Serbia, which includes the periodic provision of user data collected in accordance with the law and these Rules.

              9.2. Additionally, the Controller is obliged to comply with requests from competent authorities (administrative bodies, public prosecutor’s office, and courts) and provide data requested in accordance with the law, for the purpose of identifying perpetrators of criminal offenses.

              9.3. In the course of providing its services, the Controller cooperates with commercial banks where it holds funds on behalf of users in omnibus and designated accounts, which are necessary for the execution of certain services, and also provides data to these banks in accordance with the law and obligations assumed under agreements with the banks.

              9.4. For the avoidance of any doubt, although continuous video surveillance is maintained on the Controller’s business premises, which captures biometric data of users and employees, the company that installed the video surveillance system, Manicom CcTv d.o.o., Belgrade, has neither access to personal data nor the technical ability to obtain it, because connecting the cameras to the storage system and setting the access passwords are done exclusively by the Controller’s employees.

              10. Data Protection Officer

              10.1. In order to implement the personal data protection standards prescribed by the LPDP, the Controller has appointed a Data Protection Officer. Individuals may contact the DPO regarding any matters related to personal data protection or the exercise of rights prescribed by the LPDP, using one of the following methods:

                • By sending an e-mail to: [email protected];
                • By sending a letter to the Controller’s registered office at Carice Milice 2/3/1, 11102 Stari Grad, marked “for the Data Protection Officer”;
                • By delivering a letter in person to the Controller’s registered office at Carice Milice 2/3/1, 11102 Stari Grad, marked “for the Data Protection Officer”.

                10.2. The Controller is obliged to involve the Data Protection Officer in a timely and appropriate manner in all matters related to personal data protection and to provide them with the necessary resources to carry out their duties, including access to personal data and processing activities, as well as opportunities for professional development.

                10.3. The Controller is obliged to ensure the independence of the Data Protection Officer in performing their duties.

                10.4. The Controller or any data processor may not penalize the Data Protection Officer, nor terminate their employment or contract, for performing the duties prescribed by these Rules.

                10.5. Users may contact the Data Protection Officer regarding any matters related to the processing of their personal data, for the exercise of their rights prescribed by the Law.

                10.6. The Data Protection Officer is obliged to maintain the confidentiality of all data obtained in the course of performing their duties.

                10.7. The Data Protection Officer has at least the following obligations:

                  1. To inform and advise the Controller, as well as employees involved in processing activities, of their obligations under the law and other applicable regulations relating to the protection of personal data;
                  2. To monitor compliance with the provisions of the law, other applicable laws, and the internal acts of the Controller or processor relating to personal data protection, including raising awareness and providing training to employees involved in processing activities, as well as carrying out related control activities;
                  3. To provide opinions, upon request, with regard to data protection impact assessments and to monitor compliance with such assessments;
                  4. To cooperate with the Commissioner, act as the contact point for cooperation with the Commissioner, and consult with the Commissioner on matters relating to the processing of personal data.

                  11. Right of Access

                  11.1. A User has the right to request from the Controller information on whether their personal data is being processed, access to such data, as well as the following information:

                    1. the purposes of the processing;
                    2. the categories of personal data being processed;
                    3. the recipient or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in other countries or international organizations;
                    4. the envisaged period for which the personal data will be stored, or, where this is not possible, the criteria used to determine that period;
                    5. the existence of the right to request from the Controller the rectification or erasure of personal data, the right to restriction of processing, and the right to object to processing;
                    6. the right to lodge a complaint with the Commissioner;
                    7. available information about the source of personal data, where the personal data was not collected directly from the User;
                    8. the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and expected consequences of such processing for the data subject.

                    11.2. Upon the User’s request, the Controller must provide the User with a copy of the personal data undergoing processing.

                    11.3. Where the request for a copy is submitted electronically, the information must be provided in a commonly used electronic format, unless the User requests a different method of delivery.

                    11.4. The right to access may be restricted, in whole or in part, only to the extent and for the duration necessary, as a proportionate measure in a democratic society, while respecting the fundamental rights and legitimate interests of the user, in order to: 

                    • protect the rights and freedoms of other individuals.
                    • prevent interference with official or legally regulated information-gathering, investigations, or proceedings.
                    • enable the prevention, investigation, and detection of criminal offenses, the prosecution of offenders, or the enforcement of criminal sanctions.
                    • protect public safety.
                    • protect national security and defense.

                    11.5. The Controller is obliged to notify the user in writing, without undue delay and no later than within 15 days, that access to their personal data has been refused or restricted, as well as of the reasons for such refusal or restriction.

                    11.6. The Controller is not required to comply with the preceding paragraph if doing so would jeopardize the purpose for which access was denied or restricted.

                    11.7. In the case referred to in the preceding paragraph, as well as where it is determined during the access request procedure that the user’s personal data are not being processed, the Controller is obliged, without undue delay and no later than within 15 days, to inform the requester in writing that the verification has established that no personal data exist in relation to which the rights provided by the law may be exercised, and that the requester may submit a complaint to the Commissioner or file a lawsuit with the court.

                    12. Correction or Deletion of Personal Data

                    12.1. The user has the right to have their inaccurate personal data corrected without undue delay. Depending on the purpose of processing, the data subject has the right to complete their incomplete personal data, which includes providing additional statements.

                    12.2. The User also has the right to have their personal data deleted by the Controller.

                    12.3. The Controller is obliged to delete personal data without undue delay in the following cases:

                    • The personal data is no longer necessary for the purpose for which it was collected or otherwise processed;
                    • The user has withdrawn consent on which the processing was based, and there is no other legal basis for processing;
                    • The personal data has been processed unlawfully;
                    • The deletion of personal data is necessary to fulfill the legal obligations of the Controller;
                    • If the Controller has made the personal data publicly available, their obligation to delete the data also includes taking all reasonable measures, including technical measures, in accordance with available technologies and cost-bearing capabilities, to inform other Controllers who are processing those data that the data subject has requested the deletion of all copies of such data and the removal of any links or references to those data.

                    13. Deletion of User Account

                    13.1. A user may delete their account at any time. Deleting the user account does not terminate the contractual relationship established for the provision of services related to digital assets.

                    13.2. To delete the account, the user may click the “Delete Account” button on the Controller’s website or application and follow the further instructions, or send a deletion request to the Controller from the email address with which the user is registered. Upon receiving the request, the Controller will notify the user of the account deletion as soon as possible. The account can only be deleted if the balance on the user account is zero.

                    14. Right to Restriction of Processing

                    14.1. The user has the right to request that the Controller restrict the processing of their personal data if one of the following conditions is met:

                    • The Controller no longer needs the personal data for the purposes of processing, but the user requires the data for the submission, exercise, or defense of a legal claim;
                    • The user contests the accuracy of the personal data, for a period enabling the Controller to verify the accuracy of the personal data;
                    • The processing is unlawful, and the user objects to the deletion of personal data and instead requests a restriction on its use.

                    15. Security Measures Implemented by the Controller

                    15.1. Considering the level of technological advancement and the costs of implementation, the nature, scope, circumstances, and purpose of processing, as well as the likelihood and severity of risks to the rights and freedoms of natural persons arising from processing, the Controller is obliged, when determining the method of processing and during processing, to:

                      1. implement appropriate technical, organizational, and personnel measures, such as pseudonymization, aimed at ensuring the effective application of the principles of personal data protection, including minimizing the amount of data processed.
                      2. ensure the implementation of necessary protective mechanisms during processing in order to comply with the conditions for processing prescribed by applicable law and to safeguard the rights and freedoms of the data subjects.

                      15.2. The Controller is obliged, through the continuous application of appropriate technical, organizational, and personnel measures, to ensure that only personal data necessary for achieving each specific purpose of processing are processed.

                      15.3. In accordance with the level of technological development and the costs of its implementation, the nature, scope, circumstances, and purpose of processing, as well as the likelihood and severity of risks to the rights and freedoms of natural persons, the Controller implements appropriate technical, organizational, and personnel measures to achieve a level of security proportionate to the risk.

                      15.4. Where necessary, these measures particularly include:

                      • Procedures for the regular testing, assessment, and evaluation of the effectiveness of technical, organizational, and personnel measures for the security of data processing;
                      • Pseudonymization and encryption of personal data;
                      • The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
                      • Ensuring the restoration of availability and access to personal data in the event of physical or technical incidents as quickly as possible.

                      15.5. When assessing the appropriate level of security, particular attention is given to processing risks, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data that has been transmitted, stored, or otherwise processed.

                      15.6. Based on risk assessment, the Controller applies appropriate measures during automated processing to ensure that: 

                      • The system operates correctly, errors are properly reported (“reliability”), and stored personal data are not compromised due to system malfunctions (“integrity”);
                      • Unauthorized persons are prevented from accessing the equipment used for processing (“equipment access control”);
                      • Unauthorized reading, copying, modification, or removal of data carriers is prevented (“data carrier control”);
                      • Unauthorized input of personal data, as well as unauthorized modification, deletion, and control of stored personal data, is prevented (“storage control”);
                      • The automated processing system cannot be used by unauthorized persons through data transmission equipment (“use control”);
                      • Authorized persons have access only to the personal data for which they are authorized (“data access control”);
                      • It is possible to verify or determine to whom personal data have been or may be transferred or made available, using data transmission equipment (“transfer control”);
                      • It is possible to subsequently verify or determine which personal data were entered into the automated processing system, by whom, and when (“input control”);
                      • Unauthorized reading, copying, modification, or deletion of personal data during transfer or transport of data carriers is prevented (“transport control”);
                      • The installed system can be restored in the event of a disruption (“system recovery”).

                      15.7. Specifically, the personal data protection measures applied by the Controller, VESCON DOO BEOGRAD, include restricting access to database copies, securing the databases of customer service agents, effective management of access rights, network-level security, and effective threat protection and monitoring.

                      15.8. Restriction of access to the database copy. The server hosting the database copy is located in a server room, in accordance with the planned measures for managing ICT system security. Access to the server is granted only to personnel responsible for ICT system administration and security. Data will be retained for a minimum of 10 years. Physical access to the server is controlled through card authentication. Every entry into the server room is monitored by an IP camera, and access to the recorded footage is restricted exclusively to personnel responsible for ICT system administration and security.

                      15.9. The security of the customer service agents’ databases is ensured by installing antivirus/antimalware protection on the Controller’s endpoint devices. Additionally, employees do not have administrative privileges on their computers, and document printing is restricted.

                      15.10. Access Rights Management. Secure user authentication to the Cloud service will be performed via the user’s Cloud account using SSO authentication. The Cloud maintains event logs of all user activities within the system, and the use of multi-factor authentication will be mandatory for all applications. Depending on business processes and the information stored in the Cloud, administrative access to Cloud resources will be restricted to devices owned by the Controller. Access to Cloud resources and information owned by the Controller will be strictly controlled and limited to the minimum necessary. Users of the ICT system are granted only the privileges strictly necessary to perform their work.

                      15.11. Network-Level Security. Information stored in the Cloud is protected during transmission and access through secure communication channels with Cloud services, which are secured using encryption (HTTPS, TLS, etc.).

                      15.12. Threat Protection and Monitoring. The Cloud service implements appropriate protection systems against malicious code, intrusion prevention systems for resources containing VESCON’s information, and web application firewalls. Standard DDoS protection is also in place, with configured mitigation based on predefined limits for each individual service that could be affected by a DDoS attack. The Cloud service provider monitors platform vulnerabilities and promptly notifies VESCON d.o.o. of newly discovered vulnerabilities at all system levels and components, along with security patches or other measures to reduce risk. Activities of privileged accounts on the Cloud service are logged and transferred to the Log Management System, and the Cloud service provider can access data owned by the Controller only with authorization from the director. Additionally, confidential information is stored in an encrypted form.

                      16. Notification of the Commissioner about Personal Data Breaches

                      16.1. The Controller is obliged to notify the Commissioner of any personal data breach that may pose a risk to the rights and freedoms of natural persons without undue delay, or, where possible, within 72 hours of becoming aware of the breach.

                      16.2. If the Controller does not act within 72 hours of becoming aware of the breach, it is required to provide a justification explaining the reasons for not acting within that timeframe.

                      16.3. The notification must contain at least the following information:

                      • A description of the measures that the Controller has taken or proposes to take in relation to the breach, including measures taken to mitigate potential adverse effects.
                      • A description of the nature of the personal data breach, including the types of data and the approximate number of individuals affected by each type, as well as the approximate number of personal data records whose security has been compromised.
                      • The name and contact details of the Data Protection Officer, or information on another way to obtain details about the breach.
                      • A description of the possible consequences of the breach.

                      16.4. If all information cannot be provided simultaneously, the Controller must, without undue delay, provide the available information progressively.

                      16.5. The Controller is obliged to document every personal data breach, including the facts regarding the breach, its consequences, and the measures taken to address them.

                      17. Notification of Data Subjects in Case of a Personal Data Security Breach

                      17.1. If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller is obliged to inform the data subject of the breach without undue delay. 

                      17.2. In the notification referred to in paragraph 1 of this Article, the Controller is obliged to clearly and understandably describe the nature of the personal data breach. The Controller is not required to notify the data subject if:

                      • Notifying the data subject would involve a disproportionate expenditure of time and resources. In such a case, the Controller is obliged to ensure that the data subject is informed by other effective means;
                      • Appropriate technical, organizational, and personnel measures have been implemented to protect the personal data whose security was breached, particularly if encryption or other measures have made the data unintelligible to any person not authorized to access it;
                      • Subsequent measures have been taken that ensure that a personal data breach posing a high risk to the rights and freedoms of the data subject can no longer result in any consequences for that person.

                      18. Consistent Application of the LPDP

                       18.1. In all matters not otherwise regulated by these Rules, the provisions of LPDP shall apply accordingly.

                      In Belgrade, on January 13, 2026

                      On behalf of and for the Controller

                      _____________________________     

                      Radoje Marić, Director