Notice on processing of personal data
Last updated: Thursday, April 13th, 2023
1. Introductory Provisions
1.1. In order to prevent money laundering and terrorist financing, VESCON DOO BEOGRAD-NOVI BEOGRAD, in the capacity of the controller (“Controller”), carries out actions and measures of knowing the User [1] and monitoring of their business transactions, which includes the processing of certain personal data of the User who is a natural person, a sole trader, or a legal representative of the User which is a legal entity, a legal representative of the User who is a person of foreign law or a person of civil law, as well as any other natural person who establishes a business relationship with the Controller on behalf of the User (“Person representing the User”).
1.2. The Controller processes certain personal data of a natural person who, in accordance with the Law on the Prevention of Money Laundering and Financing of Terrorism (“AML-CFT Law”), is considered the ultimate beneficial owner of the User (“User’s UBO”) in order to know and monitor the User.
2. Controller’s obligation to provide personal data
2.1. In accordance with the AML-CFT Law, it is mandatory to provide the Controller with data on the User’s legal representative and the User’s UBO.
2.2. In case of failure to provide personal data on the Person representing the User and the User’s UBO, the Controller is obliged to reject the offer to establish a business relationship, and if the business relationship has already been established, the Controller is obliged to terminate the said business relationship.
3. Legal basis for data collection
3.1. All data collected by the Controller has a legal basis in the AML-CFT Law, other legal provisions and bylaws, and/or legitimate business interests. The processing of the collected data is, in general, necessary for the agreement execution and the fulfillment of the Controller’s legal obligations, and to a lesser extent for the realization of Controller’s legitimate business interests, such as advertising activities and security.
4. Collected and processed data (and method of collecting personal data)
4.1. User’s personal data is collected during his registration and verification when the User visits and uses the Controller’s website, platform, and mobile application.
4.2. During the User’s registration and verification, the following data is collected:
- e-mail address;
- name and surname;
- date and place of birth;
- mobile phone number;
- residence;
- natural person’s unique ID number;
- type and number of the personal identification document, name of the issuer, document issuing date, and place;
- the purpose of the business relationship;
- IP address;
- data about the business activities of the User;
- data and information on the funds’ origin;
- a statement whether the User is an official, a close family member of an official or a close associate of an official; name and surname, date and place of birth, residence or place of residence and unique ID number of the official who establishes a business relationship or places a transaction, i.e. for whom a business relationship is established or a transaction is conducted, as well as the type and number of the personal document, name of the issuer, date and place of issuance; data on whether the natural person is an official who holds or in the last four years has held a high public office in the Republic of Serbia, that is, another state or international organization, whether he is a member of the family of the official or his close associate; time period when the function was/is performed; data on the type of public function that the official holds or has held in the last four years; data on the family relationship, if the party is a close family member of an official; data on the type of business cooperation, if the party is a close associate of the official;
- video recording of the User and the person accompanying the User which records biometric data – a face image, during the User’s visit to the Controller’s office;
- audio recording of the User’s voice when calling customer service by phone, which records the biometric data – the voice of the person;
- the address of the digital assets.
4.3. Cookies collected on the Controller’s website and mobile phone application are thoroughly regulated by the Cookie Policy, with the User’s consent which is obtained in the collection process in a clear, transparent, non-suggestive, and unambiguous manner.
4.4. Data is received by a Controller’s employee with whom the User directly cooperates (e.g., customer service agent or customer support manager), as well as persons authorized to prevent money laundering and terrorist financing at the Controller, marketing director, and ICT technician.
4.5. External consultants that are either legal entities or natural persons may have limited access to personal data, but only to the extent that such access is mandatory for the performance of the service. In the respective contracts on the business engagement of those persons, the Controller is obliged to inform them of his obligations in accordance with the Personal Data Protection Act and its internal rules on the protection of personal data.
5. Consent
5.1. The User’s consent to collecting and processing personal data is given in the form of a written statement accompanied by a presentation of the User’s rights and obligations or in an understandable and easily accessible form by using clear and simple terms. The Controller is particularly obliged to clearly present the consequences of the User refusing to provide certain data, which then results in denial of service. The User has the right to revoke his consent at any time, provided that the revoked consent does not affect the previously consented data processing that was carried out before the revocation.
5.2. Prior to giving consent, the person to whom the data refers must be informed of their right to revoke consent, as well as the effect of the revocation. Withdrawing consent must be as simple as giving consent. The rules related to revocation do not apply to data that the Controller is obliged to collect, process, and store in accordance with the specific laws within the agreed-upon period and in the manner prescribed by those laws.
5.3. The Controller, as a license holder who provides services related to digital assets, besides complying with the Law on Digital Assets, also abides by the AML-CFT Law, as well as all the by-laws adopted based on them. The application of these regulations implies the continuous regulatory supervision of the Administration for the Prevention of Money Laundering, the Securities Commission, and the National Bank of Serbia, which includes the periodic exchange of User data, which are collected in accordance with the Law on Personal Data Protection and the Controller’s internal rules on protecting personal data.
5.4. In addition, the Controller is obliged to act according to requests of the competent authority (administrative authorities, prosecutor’s office, and court) and provide the data requested by the law, aiming to discover the perpetrators of illicit acts.
5.5. In order to provide certain services, the Controller cooperates with commercial banks where on behalf of and for the User the Controller holds the User funds in collective and dedicated accounts, to which it also delivers data in accordance with the law and the obligations assumed by the contract with the banks, in accordance with the law.
5.6. Personal data related to the Controller’s Users are not transferred to another country, but the business partner SHIFT MARKETS LLC, 295 Madison Avenue 30th floor, NY 10017, which adjusts the software for VESCON DOO BEOGRAD-NOVI BEOGRAD, is technologically capable of accessing the data that is stored on the Crypto12 trading platform.
6. Storage period of collected personal data
6.1. Based on Article 84 of the Law on Digital Assets, the Controller is obliged to keep in electronic form and store for at least ten years the data related to all transactions of digital assets that were carried out, for its own account or on behalf of and for the User of digital assets, and if the transactions are carried out in the name and on behalf of the User, this record contains all the data related to the identity of that User, as well as data prescribed by the law regulating the prevention of money laundering and terrorist financing.
6.2. The data collected on the website and in the Controller’s application using “cookies”, are stored as long as that is prescribed by the valid Cookie Policy at the time of data collection.
7. Personal data processing method
7.1. Personal data processing is carried out manually.
8. Rights of persons to whom the data refers
8.1. Persons whose data is processed have the right to access, correct, supplement, delete or restrict data processing, the right to object to data processing, and the right to information about data transfer in accordance with the Personal Data Protection Act.
8.2. The person to whom the data refers has the right to file a complaint with the Commissioner for Information of Public Importance and Protection of Personal Data if he/she believes that data processing has been carried out contrary to the provisions of the Personal Data Protection Act.
9. Contact information
9.1. You are welcome to send all questions, complaints, and requests for the exercise of rights related to the processing and protection of personal data you submitted to the Controller to the following e-mail address: [email protected].
10. Account deletion
10.1. You can delete your user account at any time. For the avoidance of doubt, the deletion of your user account does not terminate the contractual relationship established for providing services related to digital assets.
10.2. In order to delete your account, you can click on the “Delete Account” button on the Website and in the Controller’s mobile phone application and follow further instructions, or you can send us a request for deletion (from the e-mail address with which you are registered) and we will, upon receipt of the request, send you a notification about the deletion of the User Account as soon as possible. Your account can only be deleted if the balance on your user account is equal to zero.
[1] The user is a natural person, a sole trader, a legal person, a person under foreign law, and a person under civil law who establishes/has established a business relationship with the company Vescon d.o.o. Beograd-Novi Beograd (hereinafter: “User”).