G-Petrol d.o.o. Sarajevo (hereinafter referred to as G-Petrol) is a personal data controller processing personal data according to the Law on personal data protection (Official Gazette of Bosnia and Herzegovina no. 49/2006, 76/2011 and 89/2011) and its business needs.

G-Petrol processes personal data in accordance with this Personal Data Processing Policy (hereinafter referred to as the Policy) and other internal regulations regarding personal data protection and privacy.

1. Objective and key terms

The objective of this Policy is to clearly, simply, and transparently inform the public on the types of personal data G-Petrol collects, the objectives for collecting personal data, the legal framework that regulates the process, and how individuals can exercise their rights regarding the processing of their personal data. For individuals to be aware of their rights with regard to their personal data and be able to exercise such rights, they need to understand the following terms used herein:

  • Processing of personal data means any action or sequence of actions involving data, automatic or otherwise, including the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, directly by G-Petrol or by its affiliated persons.
  • Personal data is any information that relates to an identified or identifiable living individual.
  • The data subject is an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, whose personal data is processed by G-Petrol.

2. Scope of application

The policy applies to all personal data of service users, employees, hired persons and other persons whose data G-Petrol processes, or regarding which it determines the purpose and method of processing.

The policy applies to all products, services, processes and activities, in which G-Petrol includes the processing of personal data.

The policy is primarily intended for individuals who fill out forms and/or complete requests and/or use the services and products of G-Petrol (hereinafter: Users) and/or are interested in services and products (hereinafter: Interested Persons), employees of G-Petrol and persons hired by G-Petrol.

The policy does not apply to anonymized data, i.e. to data based on which the identity of the person cannot be directly or indirectly determined. Anonymized data is data that has been manipulated in such a way that the identity of a natural person cannot be determined nor is the identity determinable, and therefore, in accordance with the applicable regulations, it is not considered personal data.

G-Petrol processes personal data for various specific, explicit, justified and lawful purposes, and the processing, use, disclosure and retention periods are based on the data subject’s consent.

3. Principles of personal data processing

G-Petrol processes personal data in accordance with the principles of personal data processing, which ensure the protection of the rights and freedoms of users, interested persons, employees, hired workers and other persons whose personal data is processed.

G-Petrol ensures the rights and freedoms of data subjects in accordance with the Law based on the following principles:

a) Legitimacy, fairness and transparency

G-Petrol provides a legal, fair and transparent way of processing personal data with the help of the following measures:

  • it clearly and transparently informs data subjects about the following: the purpose of the processing, what controller, receiving authority or third party the data will be available to, whether there is a legal obligation to submit the data for processing, what would be the consequences of the data subject’s refusal to submit data, in which cases the data subject has the right to refuse to provide personal data, whether the acquisition of personal data is voluntary, and whether the data subject has the right to access and correct its data at the stage of collection;
  • Processing is necessary to exercise the contract concluded with the data subject or to take actions on request of the data subject before the conclusion of the contract;
  • Processing is carried out following the data subject’s consent;
  • Processing is required to comply with the legal obligations that G-Petrol has as a controller of personal data (e.g. forwarding personal data of employees to state authorities on the basis of concluded employment contracts) or to exercise the rights that G-Petrol has as a controller;
  • Processing is necessary for G-Petrol to exercise its legitimate interest.

b) Limitation of purpose – personal data is collected for special, explicit and legal purposes and is not processed in any way that is not in accordance with that purpose

G-Petrol processes personal data for the purposes that are specifically stated, explicit, justified and legal, and may not process data in ways that are inconsistent with those purposes.

If G-Petrol needs to process data for other purposes than those stated earlier, it shall assess the integrated and implicit protection of personal data and, if necessary, prepare an assessment of impact of such processing on the personal data protection, and, if necessary, obtain the consent of the data subject.

When assessing the integrated and implicit protection of personal data, G-Petrol shall assesses individually for each product, service, procedure and activity whether the personal data processing is necessary for a specific purpose.

c) Minimum volume of data – personal data is processed only at the volume and to the extent necessary for a specific purpose
In the process of obtaining personal data from the data subject, G-Petrol only processes personal data that are appropriate, essential and limited to fulfil the purpose for which the data is processed.

d) Accuracy – only authentic and accurate data is processed, and is updated as necessary

G-Petrol ensures the accuracy of personal data by taking reasonable measures to ensure that inaccurate personal data is deleted or corrected immediately.

e) Limited storage – personal data is processed only for the period of time necessary to fulfil the purpose for which the data was collected, and is stored in a form that allows for identification of the data subject no longer than is necessary for the purpose for which it was collected or processed

Data storage terms are determined by G-Petrol’s internal regulations in line with the storage terms set by the law and within the terms necessary to achieve the purpose of processing.

If processing personal data after the expiration of the storage period, e.g. for statistical analysis purposes, G-Petrol shall permanently anonymize such data is a way to make the data subject unidentifiable.

f) Integrity and confidentiality – ensuring that personal data collected for different purposes is not merged or combined

G-Petrol respects the principle of integrity and confidentiality of personal data. In addition, it uses technical and organizational measures for the protection of personal data following legal requirements, good business practice and internationally recognized standards.

The processing of personal data at the processor’s premises is carried out on the basis of a contract, which regulates the duties of the processor regarding the organizational and technical measures for the protection of personal data and requires immediate reporting of security events that could have an impact on the confidentiality and / or integrity of the personal data.

4. What types of personal data do we process?

G-Petrol collects and processes the following personal data types:
Information contained in application forms and other forms filled in by Users and requests from Interested Persons.

Personal data contained in application forms and requests, which is necessary in order to provide a service, fulfil a contractual obligation, or conclude a contract. This means the processing of the following data: Full name, contact information, address, sex, date of birth, user card number (e.g. for the Zajedno na putu loyalty cards).

Information provided by Users and/or Interested Parties by filling out appropriate forms on our website.

This includes data entered when creating accounts on any of the G-Petrol’s websites, portals, or apps, or when sending questions, requests, complaints, objections, or doing other similar actions online. Personal data processed for these purposes may include, but are not limited to: Full name, identification number, ID document number, address, phone number, and email address.

Information contained in records of conversations and correspondence initiated by Users, Interested Parties and other individuals – records of written and online communication.

Personal data of employees and workers hired by G-Petrol to the extents needed to establish a contractual relationship and fulfil contractual rights and obligations – more closely defined by the relevant legal provisions and G-Petrol’s internal policies and regulations.

Personal data collected for controlling access to G-Petrol’s facilities.
Information collected to fulfil legal obligations.

This includes personal data that G-Petrol is obliged to collect, store and process in accordance with the applicable laws of Bosnia and Herzegovina and submit to competent state authorities (courts, investigative bodies, etc.).

Other information collected on grounds of legitimate interest of G-Petrol.
When processing personal data on grounds of legitimate interest, G-Petrol takes special care to consider of the impact of the processing on the rights and freedoms of the data subject. The legitimate interests of G-Petrol are not assumed to be the interests of the data subject. If interests or fundamental rights and freedoms of the data subject prevail over G-Petrol’s legitimate interest, G-Petrol will not process data, unless it receives explicit consent of the data subject to do so.

G-Petrol does not process special categories of personal data. As an exception, G-Petrol can process these types of data only if the data subject has provided express consent in accordance with the Law, if the processing is necessary to protect the life, health, property and other vital interests of the data holder or another person whose consent cannot be obtained, for example, if such person is physically, mentally, or legally incapacitated, or considered missing, or cannot provide consent for other similar reasons, if data processing is required to fulfil an obligation or special rights of a controller in the field of labour law to the extent that it is authorized by law, if such processing is necessary for the execution of G-Petrol’s legal obligations, if the data is clearly publicly available or if the processing is necessary to initiate, execute or defend against legal claims, in order to achieve the public interest defined by law or in other cases prescribed by law.

5. How do we collect personal data?

G-Petrol collects personal data in the following ways:

  • Directly from the User or Interested Persons – the User and/or Interested Person provides the data directly (e.g. when submitting a request for a service at a point of sale)
  • Directly from employees – when concluding a contractual relationship and during the duration of the employment relationship
  • By exchanging data with ist affiliated bodies, such as NIS PETROL doo Banja Luka and NIS j.s.c. Novi Sad
  • From other controllers in terms of a corresponding contractual relationship – in situations when another controller or processor entrusts G-Petrol with a certain action of personal data processing based on a pre-existing contract whereunder G-Petrol as a processor can process such personal data provided to it for processing by another controller.

In any case, personal data is collected in accordance with the applicable laws.

6. Duration of personal data storage

Personal data is stored only as long as it is necessary to achieve the purpose of the processing, unless a longer or shorter storage time is provided for a specific purpose by the applicable regulations or in other cases expressly prescribed by law. After that, the data is permanently deleted or anonymized. If processing personal data after the expiration of the storage period, G-Petrol shall permanently anonymize such data is a way to make the data subject unidentifiable.

7. What are the legal grounds for persona data processing?

G-Petrol processed personal data only insofar it is allowed by law. Processing is allowed by law in the following cases:

  • Processing is necessary to exercise the contract concluded with the data subject or to take actions on request of the data subject before the conclusion of the contract
  • processing is necessary to comply with G-Petrol’s legal obligations (effective regulations G-Petrol is obliged to comply with)
  • processing is necessary to exercise legitimate interests of G-Petrol or a third party, except for cases when interests or the fundamental rights and freedoms of the data subjects prevail
  • data subject has consented to the processing of its personal data for one or more specific purposes, provided that the consent is given in writing, signed by the data holder, clearly specifies the data it refers to, contains the name of the controller, clearly specified the purpose and the time period for which the consent is given, is verifiable and voluntary (freely given), and is written in easy-to-understand language, and the data subject may withdraw the consent at any time

8. G-Petrol implements appropriate protection measures to comply with the basic principles of personal data processing in accordance with the Law.

These are some of the protection measures G-Petrol uses:

  • Training G-Petrol employees to handle personal data;
    Separating personal data processed without the use of automation from the information processed automatically;
  • Separately storing personal data processed for different purposes and different categories of personal data;
  • Prohibiting transfer of unencrypted personal data through open communication channels, computer networks not controlled by G-Petrol and over the internet (except for publicly available and/or anonymized data);
  • Using appropriate technical, organizational and personnel measures, such as pseudonymization, to ensure effective protection of personal data;
  • Undertaking legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, loss, prevention of access, unauthorized transmission, transfer, publication, and other forms of illegal actions related to personal data, according to the specific risk assessment for each individual instance of processing;
  • Assessing integrated and default personal data protection when introducing any new product, service, activity, process, or procedure.

9. Decision-making based on automatic data processing

G-Petrol, within the scope of its operations, may not make decisions that produce legal consequences for data subjects or that significantly affect the position of data subjects, and its goal is to assess certain personal characteristics of the data holder based exclusively on automatic data processing. Exceptionally, a decision made solely on the basis of automatic data processing may produce a legal effect for the data subject:

  • if it was made in the process of concluding or executing a contract, provided that the data subject’s request is met or if there are appropriate measures to protect its legitimate interests;
  • if the controller is authorized on the basis of the law, which also determines measures to protect the legitimate interests of the data subject, to make such a decision;

10. Who has access to personal data and who is it transferred to?

Only employees of G-Petrol or persons hired by it have access to personal data, based on the appropriate authorizations determined by G-Petrol and only to the extent necessary, with the obligation to act in accordance with G-Petrol’s internal regulations in the area of personal data protection.

Personal data is accessible to third parties outside G-Petrol only in the following cases:

  • if there is a legal obligation or express authorization based on the law (e.g. a court order);
  • if a third party, a processor, is engaged to perform certain tasks, where such processor acts exclusively on instructions of G-Petrol, and G-Petrol ensures all data protection measures as if it were performing these tasks directly;
  • to G-Petrol’s affiliated companies on the condition that there is a legal basis for such transfer or access if the data needs to be forwarded for the purpose of executing contracts concluded by G-Petrol with other legal entities;
  • To other persons outside of G-Petrol subject to an express consent of the data subject.
  • Personal data may be transferred to G-Petrol’s affiliated persons in other countries only provided such countries are signatories to the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing or otherwise guarantee adequate personal data protection.

11. What rights do data subjects have?

Users, interested parties, employees and other data subjects can exercise the following rights:

a) The right to access personal data
The person applying to exercise this right may obtain information about the course of processing of their data by the controller or data processor, the existence of processing of their personal data, the purpose of processing, the type of personal data being processed, the legal basis and duration of processing, whether the data was obtained from the data subject or from a third party and about the right to access personal data, as well as about who received or will receive the data and for what purpose, the storage periods provided for, or if this is not possible, about the criteria for determining the retention period, on the existence of the right to request correction or deletion of personal data, i.e. the right to limit processing and the right to object to processing, on the existence of the right to submit an objection to the Agency for the Protection of Personal Data in Bosnia and Herzegovina (hereinafter: the Agency), on the existence of an automated decision-making procedure, including profiling, and, at least in those cases, relevant information about the logic used, as well as about the significance and expected consequences of that processing for the data subject.

If personal data is transferred to another country or international organization, the data subject has the right to be informed about the appropriate protection measures related to the transfer in accordance with the Law.

G-Petrol is obliged to provide a copy of the data it processes upon the data subject’s request.

If the request for a copy is submitted electronically, the information is submitted in a commonly used electronic form, unless the data subject instructed otherwise.

Exercising the right to obtain a copy of data may not undermine rights and freedoms of other persons.

b) The right to correction, deletion, blocking and addition of personal data

G-Petrol is obliged to enable the data subject to exercise the right to correction, deletion or blocking, whereby G-Petrol will immediately take all actions to correct, delete or block inaccurate data, incorrectly disclosed data or data otherwise processes in a way contrary to the law and rules related to the processing of the data of the person to whom the data refer. Taking into account the purpose of the processing, the data subject may also supplement missing personal data by providing an additional statement.

c) The right to objection

The person to whom the data refers has the right to submit an objection to G-Petrol at any time regarding the legality of the processing of the personal data established on the basis of appropriate legal grounds for processing (the processing is necessary to do work in the public interest or execute G-Petrol’s legal powers; processing is necessary in order to achieve the legitimate interests of the controller or a third party).

Upon receipt of such objection G-Petrol will limit the processing of data referred to in clause c) above, and after assessing the complaint, stop processing data about the person who submitted the complaint, unless there are legal reasons for the processing that prevail over the interests, rights or the freedoms of the person to whom the data refer or are related to the submission, exercise or defence of a legal claim.

The data subject has the right to object at any time if the personal data is processed for the purposes of direct advertising, including profiling related to direct advertising.

If the data subject objects to the processing for the purposes of direct advertising, the personal data may no longer be processed for such purposes.

d) Right to erasure (“right to be forgotten”)
The data subject has the right to have G-Petrol delete its personal data. G-Petrol is obliged to delete personal data without undue delay in the following cases:

  • personal data are no longer necessary to achieve the purpose for which they were collected or otherwise processed;
  • the person to whom the data refers has revoked the consent on the basis of which the processing was carried out, and there is no other legal basis for the processing;
  • the person to whom the data refers has filed an objection to the processing in accordance with the Law, and there is no other legal basis for the processing that prevails over the legitimate interest,
  • right or freedom of the person to whom the data refers;
  • personal data was processed illegally;
  • personal data must be deleted in order to fulfil G-Petrol’s legal obligations;
  • a minor’s data was collected in connection with the use of information society services.

e) The right to data transfer

G-Petrol is obliged to enable the person to whom the data refer to receive its personal data previously submitted to G-Petrol in a structured, commonly used and electronically readable form and the data subject has the right to transfer this data to another controller.

This right may include direct transfer of the data subject’s data by G-Petrol to another controller insofar this is technically feasible.

When fulfilling the data subject’s request for data transfer G-Petrol may not adversely affect the exercise of the rights and freedoms of other persons.

12. Exercising data subject’s rights

The persons to whom the personal data refer can exercise their rights by filling out the request at the link below.

The person whose data is being processed can submit a request in written or electronic form to the official postal address of G-Petrol, bih.info@nis.rs.

G-Petrol employees will request the data subject to present an identifying document. G-Petrol must fulfil the request no later than within 30 calendar days from the date of its receipt. This period may be extended for another 60 days, only if the request is complex or there is a large number of requests. G-Petrol is obliged to inform the interested party about the extension of the period and the reasons for that extension within 30 days from the date of receipt of the request.

If G-Petrol does not fulfil the request, it must inform the applicant of the reasons without delay, but in any case not later than within 30 calendar days from the receipt of the request. As part of such notification G-Petrol must also inform the applicant of its right to submit a complaint to the Agency, i.e. a lawsuit to the court in order to exercise their rights.

12. Submitting a complaint to the Agency for Information of Public Importance and Protection of Personal Data

The supervisory body for the protection of personal data in Bosnia and Herzegovina is the Personal Data Protection Agency, 6 Dubrovačka st., Sarajevo (the Agency).

The data subject has the right to submit a complaint to the Agency if he considers that the processing of his personal data by G-Petrol was carried out contrary to the provisions of the Law.

Submitting a complaint to the Agency does not affect the right of this person to initiate other administrative or judicial protection procedures.

13. Personal data protection management at G-Petrol

G-Petrol has employees whose role is to inform and give opinions about the legal obligations of G-Petrol and legal entities that perform the role of processors for G-Petrol in connection with the protection of personal data, monitor the application of the provisions of the Law and internal regulations of G -Petrol, which concern the processing of personal data, give opinions on the assessment of the impact on the protection of personal data and monitor the actions in accordance with the assessment, represent the contact point for cooperation with the Agency and consult with the same regarding issues concerning data processing about personality.

For any additional information related to the processing of your personal data and your rights in this respect, email us at bih.info@nis.rs.