The following information sheet provides information concerning the processing of your personal data by iQR d.o.o. and your rights under data protection law of BiH regarding your data. The content and extent of the processing of your data are essentially determined by your business relationship with iQR d.o.o.
Data controller
The data controller is:
iQR d.o.o.,
Emerika Bluma number 1
71 000 Sarajevo
Bosna and Hercegovina
Type and origin of the data processed
iQR d.o.o. processes personal data which it has received from you during the business relationship or while setting up a business relationship with you. In addition, iQR d.o.o. processes data it has received from affiliated companies and credit agencies, and from publicly accessible sources (such as commercial registers, land registers, the media), which iQR d.o.o. has received on a legally permissible basis and is permitted to process such data.
Personal data in this connection can be: personal details (e.g. first name and surname, address, contact details, date and place of birth, nationality, etc.), proof of identity data (e.g. personal ID or passport details), or authentication data (e.g. signature sample).
In addition, personal data can include order data and data derived from the performance of contractual obligations, documentation data, register data, visual and audio data, processing results which have been generated by iQR d.o.o., and data for the fulfilment of statutory and regulatory obligations, in particular the fulfilment of the statutory iQR d.o.o. tasks.
Purposes and legal basis of data processing
The processing of personal data is carried out in accordance with the provisions of the data protection law of BiH and all additional relevant laws, for the following purposes:
- Where you have given your consent
If you have given to iQR d.o.o. your consent to the processing of your personal data, your data will only be processed according to the purposes as specified in the declaration of consent and in the extent agreed therein (e.g. registration/newsletter).
Any consent given can be withdrawn at any time with effect for the future. Withdrawal of consent does not affect the lawfulness of the data processing carried out based on the consent as provided up to the time of withdrawal.
- For the fulfilment of pre-contractual or contractual obligations:
Your personal data are processed in order to carry out the legal relationship between you and iQR d.o.o., and to perform all necessary activities in connection with the operation and management of iQR d.o.o. for the fulfilment of the statutory tasks.
The purpose of the data processing is based primarily on the specific legal and in the particular case operational tasks.
- For the fulfilment of legal obligations carried out in the public interest:
The processing of personal data is necessary for the purpose of the fulfilment of various statutory and supervisory regulations to which iQR d.o.o. is subject.
- For the safeguarding of legitimate interests:
If necessary, in the context of a balancing of interests in favour of iQR d.o.o. or a third party, the processing of data can go beyond the fulfilment of the contract to include the safeguarding of legitimate interests of iQR d.o.o. or third parties. The following cases may be involved here (legitimate interests):
- measures for business and risk management of the iQR d.o.o. activity
- in the context of legal prosecution (assertion of lawful claims and defence in the context of legal disputes, management of claims/complaints, criminal investigations)
- measures for the protection of employees and property of iQR d.o.o.
- measures to prevent and combat fraud
- measures to combat money laundering and terrorist financing
- planning, execution and documentation of audit measures, conformity with reviews carried out by authorities
- measures to ensure the safety of buildings and equipment
Passing on of data
Within iQR d.o.o., departments and employees have access to your data, who need such data to fulfil contractual, statutory, and supervisory law duties and also to fulfil legitimate interests.
In addition, service providers acting on iQR d.o.o. instructions (such as attorneys, notaries, tax advisers, public accountants, other advisers, and valuation experts) and persons processing data on behalf of iQR d.o.o. (i.e. IT service providers) receive your data insofar as they need such data for the provision of their respective services.
To the extent that service providers and processors acting on behalf of iQR d.o.o. are used, they are placed under a contractual obligation to treat your data confidentially and to only process your data within the framework of the provision of services.
Regarding the passing on of data to affiliated companies and other third parties, we would like to point out that iQR d.o.o. has to observe bank secrecy and is therefore under an obligation of secrecy concerning all customer-related information and facts that have been entrusted to or made accessible to iQR d.o.o. based on the business relationship.
Consequently iQR d.o.o. only passes on your personal data if you have expressly and in writing released us from bank secrecy in this regard beforehand, or if iQR d.o.o. is obliged or authorised to do so by law or under supervisory regulations, and/or the transmission of the data is necessary for the fulfilment of contractual obligations.
If a statutory obligation or an obligation under supervisory regulations applies, public bodies and institutions (such as the Direct or Indirect Tax Offices, the courts, external auditors, criminal prosecution authorities, administrative authorities,) can be recipients of your personal data, to the extent that this is necessary.
Other investors, banks and financial institutions or comparable organisations can also be recipients of personal data, as well as (potential) purchasers of assets of iQR d.o.o. to whom data are transmitted for the fulfilment of iQR d.o.o. business tasks.
Joint Responsibility
If data are passed on in the context of a joint responsibility as envisaged iQR d.o.o. will conclude an agreement with the affiliated company in question and/or the other third parties, specifying which of them has to fulfil which obligation (in particular as far as the safeguarding of the rights of the data subjects is concerned) and which of them fulfils which duties.
Data transmission to third countries
Data transmission to countries of EU and outside of the EU (third countries) only takes place insofar as this is necessary for the execution of your orders or if required by law, or if you have given us your express consent to such transmission, or if this is necessary for the fulfilment of iQR d.o.o. statutory tasks, or in the context of data processing carried out by processors on behalf of iQR d.o.o. Similarly, any transmission of data to affiliated companies in third countries only takes place in accordance with these criteria.
The transmission of personal data to a third country takes place only on the adequacy legal basis, or on the basis of appropriate safeguards (e.g. attorneys, public accountants, notaries, creditors, courts and other public authorities, if this is necessary for the fulfilment of the respective contract or for the assertion, exercise or defence of legal claims).
Duration of storage
iQR d.o.o. processes and stores your personal data for as long as is necessary for the fulfilment of our contractual and statutory duties, normally for the duration of the entire business relationship (i.e. until a contract is ended, e.g. as a result of restitution or sale) and also beyond that period, in accordance with contractual and statutory duties of preservation and documentation in accordance with applicable Law on Data Protection.
Because of different period for the assertion of legal claims iQR d.o.o. can preserve any personal data of yours for as long as is necessary, depending on the potential claim and for the exercise of iQR d.o.o. legal claims, which is required for the assertion of such claims. A longer preservation period can also arise against the background of iQR d.o.o. activities.
Data protection rights
You have the right at any time to have access to your stored personal data, and to require rectification, erasure and restriction of the processing of your data.
You have a right to object to the processing of your data, a right to data portability, and a right to measures in connection with automated decisions in the individual case, including profiling, in accordance with the requirements of data protection law.
To assert these rights, contact our Data Protection Officer (see section A of this document). You can address any complaints to the iQR d.o.o. or Agency for protection of personal data of BiH.
Obligation to provide data
In the context of the business relationship, you must provide iQR d.o.o. with the personal data which are required for the acceptance and execution of the business relationship, and which iQR d.o.o. is obliged to collect by law.
If you do not provide such data to iQR d.o.o., iQR d.o.o. will normally have to refuse to conclude the contract or refuse to execute the order, or iQR d.o.o. will no longer be able to continue to execute an existing contract and will therefore have to terminate it.
However, you are not obliged to issue your consent to the processing of data which are not relevant to the fulfilment of the contract, or which are not required by law or regulations.
Automated decision making (including profiling)
iQR d.o.o. does not use any automated decision making, to bring a decision concerning the establishment and execution of the business relationship.