On the basis of the Personal Data Protection Act , the company "COMPANY FOR ANIMATION, FILM AND VIDEO POSTPRODUCTION CRATER STUDIO DOO BELGRADE (STARI GRAD)", from Belgrade, with headquarters at Knićaninova 3/I, MB: 20331305, PIB: 105184282, on 13 . 06 .2023. year, brings the following:
1.4. The website under the name "Craterstudio" is owned and controlled by the company " COMPANY FOR ANIMATION, FILM AND VIDEO POSTPRODUCTION CRATER STUDIO DOO BELGRADE (STARI GRAD)" from Belgrade, with headquarters at ul. Knićaninova 3/I, with registration number: 20331305, PIB: 105184282 (in the previous and further text: Rukovalac ).
● PROCESSOR – the company referred to in Article 1.4, which processes personal data;
● SERVICE – a studio dedicated to art with a full service of digital visual effects for film and television, post-production delivery of feature films, commercials and animations, as well as general and specialized courses/training services from the visual effects industry (hereinafter: Service );
● WEBSITE VISITORS/VISITORS - natural person who accesses the content of the Website and has the possibility to sign up for the Operator's Newsletter and thus be informed about news regarding trainings and courses organized by the Operator;
● EMPLOYMENT CANDIDATE/CANDIDATE - a natural person who is interested in employment with the Manager and who, when accessing the content of the Website, leaves their data in a special section on the website related to career;
● COURSE PARTICIPANT / PARTICIPANT - is any natural person who is interested in acquiring knowledge and skills in the field of visual effects in film, video design and game art and other specialized educational programs, i.e. who has registered for the courses organized by Rukovalac, and who has and the possibility of signing up for the Handler's Newsletter and thus being informed about news regarding trainings and courses organized by the Handler;
● USER – common name for Website Visitor, Course Participant and Job Candidate;
● NEWSLETTER - an option on the Operator's website, which allows interested parties, more precisely Website Visitors and Course Participants, to be informed about news and benefits regarding training and courses organized by the Operator, by giving express consent and leaving their email address in a special field ;
● LAW - Law on Personal Data Protection of the Republic of Serbia (Official Gazette of the RS No. 87 of November 13, 2018 ) (hereinafter: Law );
● GDPR - General Data Protection Regulation of the European Union (2016/679);
● CONSENT is any voluntary, definite, informed and unequivocal expression of the will of the User, by which he, by a statement or a clear affirmative action, gives his consent to the processing of personal data relating to him;
● PERSONAL DATA is any data relating to a natural person whose identity is determined or determinable, directly or indirectly, especially on the basis of an identity marker, such as name and identification number, location data, identifiers in electronic communication networks or one, i.e. more features of his physical, physiological, genetic, mental, economic, cultural and social identity;
● PERSONAL DATA PROCESSING is any action or set of actions that are performed automatically or non-automated with the User's personal data, such as collection, recording, sorting, grouping, i.e. structuring, storing, conforming or changing, disclosure, inspection, use, disclosure by transmission , i.e. submitting, duplicating, disseminating or otherwise making available, comparing, restricting, deleting or destroying;
● PROCESSOR is a natural or legal person engaged by the Controller to process the User's personal data on his behalf and for his account;
● A THIRD PARTY is a natural or legal person, i.e. an authority, who is not a User, Controller or Processor, as well as a person authorized to process personal data under the direct supervision of a Controller or Processor;
● COMPETENT AUTHORITIES are authorities that are competent for the prevention, investigation and detection of criminal offenses, as well as the prosecution of perpetrators of criminal offenses or the execution of criminal sanctions, including the protection and prevention of threats to public and national security, as well as the legal entity that is responsible for the performance of the previously listed tasks authorized by law;
● THE COMMISSIONER or SUPERVISORY AUTHORITY is an independent and autonomous authority established on the basis of the Law, which is responsible for supervising the implementation of the Law and performing other tasks prescribed by the Law .
3.1. The data handler is a company, more closely defined in Article 2.1. point 1, with contact information as in Article 16.
3.2. The company from Article 3.1. in the capacity of handler, is responsible for the personal data collected from the User, in the manner and to the extent provided by this act and the Law.
3.3. The operator undertakes the necessary technical, organizational and personnel measures to ensure that the processing is carried out in accordance with the Law and to be able to present it to the Users, taking into account the nature, scope, circumstances and purpose of the processing, as well as the probability of occurrence of risk and the level risks for the rights and freedoms of the User.
3.4. Data on which of the employees or otherwise employed by the Controller has access to personal data, and who is their administrator are contained in the Records of processing activities from Article 13.
4.1. In order to fulfill rights and obligations, as well as in order to comply with legal obligations, legitimate interests and reasons for improving, more efficient and legal work of the Operator or on the basis of the User's consent, which is further explained in detail in the text, the Operator collects and processes personal data of the User.
4.2. The operator collects and processes the following data of the Visitor through the Website :
• IP adress;
• data collected from Internet browsers, from Article 4.6.
4.2.1. The Operator also collects the email addresses of Visitors who, based on their express consent, sign up for the Newsletter, in order to inform them about news regarding training and courses organized by the Operator, as explained in more detail in Article 5.4.
4.3. The operator collects and processes the following data of the Job Candidate through the Website :
• E-mail address;
• Name and surname;
• phone number;
4.4. The Operator collects and processes the following data of the Course Participants through the Website:
4.4.1. By filling out the "Registration of Interest" form, the following data is collected from the Course Participants:
• E-mail address;
• Name and surname;
• phone number;
• choosing which of the offered courses you are applying for;
• way of attending classes - live/online;
• asked question.
4.4.2. Data collected through the form from Article 4.4.1. are processed for the purpose of informing about the courses for which persons have expressed interest.
4.4.3. By filling out the "Registration sheet" form, the following data is collected from the Course Participants:
• choosing an individual course;
• choosing an educational program;
• way of attending classes;
• a question about previous attendance at one of our courses;
• Name and surname;
• address and place of residence;
• Date of Birth;
• place of birth;
• ID number/passport number;
• Mobile phone number;
• Employment Status;
• data related to employment;
• data related to studying;
• data related to education;
• data on interest in working with the Operator and retraining;
• name of completed high school;
• name of the completed faculty and major;
• payment options.
4.4.4. Depending on the type of selected course to which the Participant applies, Ru kovalac also collects the following data:
4.4.5. Data collected through the form from Article 4.4.3. they are processed for the purpose of registering the course participant to the selected course with the Supervisor, as well as for the purpose of drawing up a course attendance contract.
4.4.6. Course participants' data is also processed in accordance with the Rulebook on personal data protection of course participants, about which participants can be informed upon request.
4.4.7. As part of these two forms, interested Participants can also sign up for the Manager's Newsletter, that is, news and benefits related to course and training offers, by leaving their e-mail address.
4.4.8. Participants have the right at any time to unsubscribe from further notifications by submitting a request to stop receiving notifications. Unsubscribing from further notification does not affect the admissibility of the processing that was carried out before submitting the request for suspension of receiving notifications. Unsubscribing from notifications is clearly indicated or presented and is part of every newly received notification that the Participant receives as his e-mail.
4.4.9. You can withdraw your consent by clicking on the field intended for opting out of future notifications about news and promotional offers of the Operator, as well as in writing to the e-mail address: firstname.lastname@example.org
4.5. Special categories of personal data.
4.5.1. The operator does not process data concerning racial or ethnic origin, political opinion, religious or philosophical belief or trade union membership, genetic data, biometric data for the purpose of unique identification of a person, data on health status or data on sexual life or sexual orientation of a natural person. .
4.6. Data obtained from the User's internet browser - Cookies.
4.6.1. In order to improve the service on our website, and to improve the User's experience when browsing the page, the Controller collects data from the User's internet browser, i.e. Cookies.
4.6.2. Data on the type of concrete cookie, name, supplier, purpose of collection, as well as the type and time of data storage, and other data that could be important for data storage from Article 4.6.1. they can be found at the address : https://craterstudio.com/cookie-policy .
5.1. Data from Article 4 is processed by the Controller on the basis of:
● the consent given by the course participants who leave their personal data listed in articles 4.2.1, 4.4.1. and 4.4.3, which consent must be given by express statement in electronic form;
● on the basis of the performance of the contractual obligation from Article 12, paragraph 1, point 2 of the Law, of Course Participants who have signed a contract on attending the course, and which contract contains the information from Article 4.4.3;
● based on the legitimate interest from Article 12, paragraph 1, point 6, data of the Website Visitor from Article 4.2. dot 2
● according to other conditions/grounds stipulated by the Law according to which the Operator is obliged to collect, store and process the User's data;
5.1.1. The controller reserves the right to process personal data on other legal grounds, especially on the basis of legitimate interest, as well as the need to fulfill legal obligations, etc.
5.2. Data processing from Article 4 is carried out by the Controller for the following purposes:
● to improve the user experience when visiting the Website (data from Article 4.6.);
● for the purposes of informing the User about the Services provided by the Operator;
● for the purposes specified in Article 4.4.2. and 4.4.5;
● for security and fraud prevention purposes, data from Article 4.2, point 1
● for other purposes in accordance with the Law.
5.3. Processing for other purposes
5.3.1. If the processing for a purpose that is different from the purpose for which the data was collected is not based on the law or on the consent of the person to whom the data refer, the Manager, while observing adequate security measures, evaluates whether that other purpose of the processing is in accordance with the purpose of the processing for which the data were collected, taking into account in particular:
● whether there is a connection between the purpose for which the data was collected and other purposes of the intended processing;
● the circumstances in which the data were collected, including the relationship between the Controller and the User;
● the nature of the data;
● possible consequences of further processing for the User.
5.4. Processing for the purpose of sending the Newsletter
5.4.1. The Operator processes the data referred to in Article 4.2.1 , namely the email address of the Visitor/Course Participant for the purpose of signing up for the Newsletter, i.e. informing about news regarding trainings and courses organized by the Operator;
5.4.2. The data collected for the stated purposes are collected solely on the basis of the express consent of the Visitor/Course Participant, which the Visitor/Course Participant gives by filling in a special field (check box).
5.4.3. Giving consent to receive the Newsletter is not mandatory, and if given, the Visitor/Course Participant has the right at any time to revoke the given consent, i.e. to opt out of further receiving the Newsletter, i.e. news about training and courses organized by the Operator, in accordance with Article 6.
5.5. The operator is obliged to ensure, through the constant application of appropriate technical, organizational and personnel measures, that only those personal data that are necessary for the achievement of each individual processing purpose are always processed, which is applied in relation to the number of data collected, the extent of their processing, the term of their storage and their availability.
6.1. The consent given by the User is given in a separate form, with a clear and prominent title "Consent", or another title that unequivocally indicates that it is consent, and its content is described informatively, transparently, comprehensibly, accessible, using clear and simple words in the manner prescribed by the Law.
6.2. The User is not conditioned by giving consent in order to be provided with a service or a part of a service for which consent is not necessary in order for it to be performed, and the same can be considered voluntary, unless it is not possible to enable the User to exercise his right without the processing for which consent is requested.
6.3. The user has the right to revoke consent at any time. Revocation of consent does not affect the admissibility of processing that was carried out on the basis of consent before the revocation. Before giving consent, the person to whom the data refer must be informed about the right to revocation, as well as the effect of revocation. Withdrawing consent must be as simple as giving consent.
6.4. Consent from Article 6.1. it can also be given in electronic form in such a way that Users, when using the Operator's Website, will have the opportunity to read the consent text and, in accordance with Article 6, decide whether to accept it or not, by clicking on a specific field.
7.1. The right to be informed and the right to access information:
7.1.1. The operator is obliged to provide the following information in a concise, transparent, comprehensible and easily accessible manner, using clear and simple words, at the request of the 6er:
● the identity and contact information of the Controller and the employee or other person engaged by the Controller who is responsible for the processing;
● the purpose of the intended processing and the legal basis for the processing;
● the existence of a legitimate interest of the Controller or a third party, if the basis of the processing is a legitimate interest;
● the recipient, that is, the group of recipients of personal data, if they exist;
● the fact that the Controller intends to transfer personal data to another country or international organization;
● the period of storage of personal data or, if this is not possible, the criteria for its determination;
● the existence of the right to request access, correction or deletion of personal data from the Controller, i.e. the existence of the right to limit processing, the right to object, as well as the right to data portability;
● the existence of the right to revoke consent at any time, as well as the fact that the revocation of consent does not affect the admissibility of processing based on consent before the revocation;
● the right to submit a complaint to the Commissioner;
● whether the provision of personal data is a legal or contractual obligation or whether the provision of data is a necessary condition for concluding a contract, as well as whether the person to whom the data relates has an obligation to provide personal data and the possible consequences if the data is not provided;
● the existence of automated decision-making, including profiling, if the Controller performs such processing.
7.2. Right to correction and addition
7.2.1. The user has the right to have his inaccurate personal data corrected if possible without delay. Depending on the purpose of the processing, the User has the right to complete their incomplete personal data, which includes providing an additional statement.
7.2.2. If it is possible to make the correction by correcting, deleting and entering different data, the User will make the same correction from Article 7.2.1. execute it myself.
7.2.3. If the User is not able to make corrections and additions in the manner referred to in Article 7.2.2. will address the request to the Handler.
7.3. Right to erasure
7.3.1. If the legal conditions are met, the Operator is obliged to delete personal data from Article 4 at the request of the User without undue delay in the following cases:
● personal data are no longer necessary to achieve the purpose for which they were collected or otherwise processed;
● The user revoked the consent on the basis of which the processing was carried out, in accordance with the Law, and there is no other legal basis for the processing;
● The user has submitted an objection to the processing in accordance with the Law, and there is no other legal basis for the processing that prevails over the legitimate interest, right or freedom of the person to whom the data refer;
● personal data were illegally processed;
● personal data must be deleted in order to fulfill the legal obligations of the Controller;
● personal data was collected in connection with the use of information society services in the sense of the Law.
7.3.2. Paragraph 7.3.1. of this Article does not apply to the extent that the processing is necessary due to:
• realization of freedom of expression and information;
• compliance with the Controller's legal obligation, which requires the processing or execution of tasks in the public interest or the execution of the Controller's official powers;
• realization of public interest in the field of public health, in accordance with the Law;
• purposes of archiving in the public interest, purposes of scientific or historical research, as well as statistical purposes in accordance with the Law;
• submitting, exercising or defending a legal claim.
7.4. Right to restriction of processing
7.4.1. Users have the right to ask the Controller to restrict the processing of data relating to them, if the processing is illegal, if the inaccuracy of the data is indicated, if an objection to the processing is submitted in accordance with the Law, if the Controller no longer needs personal data, and the Person whose the data being processed has been requested for the purpose of filing and defending a legal claim or if the Person whose data is being processed has submitted an objection to the processing, and an assessment is underway as to whether the interests of the Controller prevail over the interests of the Person whose data is being processed. . 7.4.2. The rule on exercising the right to limit processing does not apply to processing carried out by state authorities for special purposes.
7.5. The right to object
7.5.1. Depending on the specific case and if he considers it justified, the User has the right to submit to the Controller at any time an objection to the processing of his personal data, which is carried out on the basis of consent in connection with the collection of data that is in the legitimate interest of the Controller, and the Controller is obliged to stop processing the data of the User who submitted the complaint.
7.5.2. The operator is not obliged to stop the processing in the manner referred to in Article 7.5.1. if he presented to the User that there are legal reasons for processing that prevail over the interests, rights or freedoms of that User or are related to the submission, realization or defense of legal claims.
7.5.3. The right to object can only be exercised in relation to processing based on consent or legitimate interest as a basis.
7.5.4. The User has the right not to be the subject of a decision based solely on automatic processing, including profiling, which produces legal consequences or affects the User to a large extent.
7.6. Right to data portability
7.6.1. If applicable, the User has the right to receive his/her personal data previously submitted to the Controller in a structured, commonly used and electronically readable form and has the right to transfer this data to another Controller without interference from the Controller to whom the data was delivered, if are together - the following conditions are cumulatively met:
• processing is based on consent, performance of a contractual obligation or
• processing is done automatically.
7.6.2. The User's right from Article 7.6.1 also includes the right to have their personal data directly transferred to another controller by the Controller to whom this data was previously delivered, if this is technically feasible.
7.7. Handler's answer
7.7.1. The Operator must respond to requests for the exercise of rights within 30 days, with the fact that this period can be extended by another 60 days if necessary, taking into account the complexity and number of requests. The Operator is obliged to inform the User about the extension of the deadline and the reasons for that extension within 30 days from the date of receipt of the request, and if the User submitted the request electronically, the information must be provided electronically if possible.
8.1. Personal data of Job Candidates collected through the Website are stored in electronic form on the internal servers of the Manager, on a closed network and are secured by two-factor authentication, i.e. the RADI10 system, with limited access to the database by persons employed by the Operator.
8.2. Data on Candidates is also stored in physical form in locked rooms with limited access to employees of the Manager.
8.3. User data is collected by the Operator through a Google form in which Users enter their personal data, which are automatically forwarded to the Operator. You can find more detailed information about the Google form at the link: https://docs.google.com/forms/d/e/1FAIpQLSdfzkDtG3VSCK1yVqKOfmcRRFuZ_PMhoT3KZQa0LHpH5RGKbQ/viewform.
8.5. Data on course participants are also stored in material form in locked rooms with limited access by employees at the Manager.
8.6. For the purposes of the best possible functioning of the Website, the operator applies Gooogle's analytics, through which the data on the Users specified in Article 4.6 is collected, and which are protected in accordance with the security policy applied by the company Google Inc., which can be read more at the following link: https ://support.google.com/analytics/answer/7318509?hl=en .
9.1. The operator is authorized to use the services of accounting agencies, programmers, IT consultants and other external and internal collaborators, for whose work and results he is responsible in accordance with the Law, for the purposes of fulfilling his obligations, performing payment transactions, legal obligations, maintaining the service, improving his work .
9.2. The Operator guarantees that the Processor will apply the necessary technical, organizational and personnel measures, so that the processing is carried out in accordance with the Law and that adequate protection of the User's personal data is ensured.
9.3. In order to ensure the conditions from Article 9.2. The Controller and the Processor can conclude a contract on data processing, which will be an integral or accompanying part of the basic contract, and which contract will, among other things, have all the necessary elements stipulated by the Law.
9.4. For the purpose of achieving the purpose from Article 9.1. The operator engages the following processors:
• Google Inc;
• 12 POINTS LLC;
10.1. When assessing the necessary level of established security of personal data, the Controller takes into account and monitors the level of technological achievements as well as the costs of their application, then the nature, scope, circumstances and purpose of data processing and based on these parameters assesses the probability of the occurrence of risk, i.e. the potential level of risk for rights and freedom of the User.
10.2. In relation to the circumstances from Article 10.1. The operator implements appropriate technical, organizational and personnel measures in order to reach the required level of protection in relation to the risk.
10.3. When sending data to Processors, the Operator is obliged to ensure a secure communication channel through which the data travels, as well as to ensure that the data is safely stored with adequate security standards.
10.5. Data about Candidates that are stored in electronic form are stored on the internal servers of the Operator and are located on a closed network, namely at the Operator's premises, while data that are stored in physical form are located in locked rooms, i.e. in cupboards at the Operator's headquarters, and to which only certain employees of the Manager have access.
10.6. Data on Candidates collected through the Website is secured by two-factor authentication, i.e. RAID10 system, with limited access to the database by persons employed by the Operator.
10.7. Data on Course Participants are stored in electronic form on the Manager's internal server, and data stored in material form are located in locked rooms, i.e. in cupboards at the Manager's headquarters, to which only certain employees of the Manager have access.
11.2. In the event of a data breach, the Controller is obliged to inform the Supervisory Authority about the violation of the right to the protection of personal data, which may cause a risk to the rights of the User, without undue delay, or at the latest within 72 hours of becoming aware of the violation. In case of failure to act within the relevant deadline, the Manager will explain the reasons for the delay.
11.3. Notification of the Manager to the Supervisory Authority from Article 11.2. must contain at least the following information:
● description of the nature of the violation of the right to protection of personal data, including the types of data and the approximate number of Users to whom the data of that type refers, as well as the approximate number of personal data whose security has been violated;
● name and contact information of the person from whom information about the injury can be obtained;
● description of the possible consequences of the injury;
● a description of the measures taken by the Handler or proposed to be taken in connection with the violation, including the measures taken in order to reduce the harmful consequences.
11.4. In the event of a violation of the right to the protection of personal data, the Controller is obliged to inform the Users about the violation of personal data that may cause a risk to the rights and freedoms of natural persons.
11.5. Notification of the User from Article 11.4. must clearly and comprehensibly describe the nature of the data and state the information from Article 11.3
11.6. The Operator is not obliged to inform Users in the situation referred to in Article 11.4. if:
● has taken appropriate technical and organizational protection measures in relation to personal data whose security has been violated;
● has subsequently taken measures to ensure that a violation of personal data with a high risk for the rights and freedoms of the person to whom the data relates can no longer produce consequences for that person;
● the notification of the person to whom the data refer would represent a disproportionate expenditure of time and resources, in which case the Controller is obliged to ensure the provision of information to the person to whom the data refer through public notification or in another effective way.
11.7. If the User becomes aware of any event that has led or may lead to the endangerment of his personal data or the personal data of third parties, he is obliged to inform the Controller about it without delay through the contacts found in this document.
12.1. Data from Article 4 are stored as long as necessary for the purpose for which they are processed, except in the case when the basis for collecting this data is the User's consent, when they are stored until the consent is revoked.
12.2. In the case referred to in Article 12.1. and where the basis for collecting data on Users from Article 4 is their consent, this data will be stored until the consent is revoked in accordance with Article 6.3.
13.2. In addition to the name and business data of the Controller, the record consists of the following information: category of person whose data is processed, category of personal data, purpose of processing, third parties to whom data is disclosed, length of data storage, description of protection measures, form in which data is stored .
13.3. Records from Article 13.1. it is kept in electronic form and stored permanently, in accordance with the Law.
14.1. The operator does not transfer the personal data it collects from the User to other countries. The operator stores the data it collects from the User exclusively on the territory of the Republic of Serbia.
15.1. The supervisory authority for the protection of personal data in the Republic of Serbia is the Commissioner for Information of Public Importance and Protection of Personal Data of the Republic of Serbia. You can contact the authority at Bulevar kralja Aleksandra 15, 11000 Belgrade, Republic of Serbia, by email at email@example.com or by phone at +381 11 3408 900.
15.2. The operator cooperates with the Commissioner in the exercise of his powers, in accordance with the obligations prescribed by the Law.
● Business name of the Manager: "COMPANY FOR ANIMATION, FILM AND VIDEO POST-PRODUCTION CRATER STUDIO DOO BELGRADE (STARI GRAD)", from Belgrade , with headquarters in ul. Knićaninova 3/I, with registration number: 20331305, PIB: 105184282.
● Address: Knićaninova 3/I Belgrade
● Manager's email: firstname.lastname@example.org
● Handler's phone number: +38111 2620440
● Working hours: 9am - 6pm On working days:
18.1. The substantive law that applies to the processing of the User's personal data, and in relation to the processing by the Controller, is the law of the Republic of Serbia, the Personal Data Protection Act as well as the GDPR where applicable.
18.2. For administrative and judicial proceedings, the local competent authorities and competent courts of the Republic of Serbia are in accordance with the positive legislation of this country.