Terms of use and Privacy Policy

Intellectual Property Rights
Intellectual Property Rights for the purposes of this Legal Disclaimer the term "website" shall include all web pages at the website www.cert.rs (hereinafter: website).

All author's works, which are in any way included in the website are subject to copyright.

Logo Ratel is protected by acts (both national and international), which are registered in the Republic of Serbia for intellectual right.

All rights are reserved. Visitor or user of the website may use its content for their own purposes only, which means for non-commercial purposes. Any other form of using the content of the website (such as copying, reproduction, distribution, etc.) for commercial purposes is forbidden.


Limitation of Usage of Information and Material 

Information and material, which are presented on the website, may be taken from server for own purposes (home use), whereby there may be no violation of an indicated copyright or intellectual property right or other rights of which a notice is given.It is allowed to take or print information or material for the purposes of viewing them and using them for a non-commercial purpose. Any other copying, distribution, reprint, alternation of information or material from www.cert.rs or mailing and diffusing them in any other way without a prior permission is forbidden. The usage of any elements from www.cert.rs for any purposes other than personal, non-commercial, home use is forbidden.

The Regulatory Agency for Electronic Communications and Postal Services  (hereinafter: RATEL) shall not be responsible for the form or content of linked websites.


Limitation of Liability

RATEL endeavors to keep the data at the website correct and updated, so that neither RATEL nor any other legal or natural person, who took part in making or updating the website cannot be held responsible for any damage or loss which may be incurred due to using or not being able to use the website.

RATEL shall only provide for undisturbed operation of the website, and shall not be responsible for any damage or loss which may be endured due to obstruction of the operation of the website.

RATEL is entitled to change the website without prior notice.


General 
In case of any disputes in regard to the usage of the website, the law of the Republic of Serbia shall be applicable. Any disputes shall be solved by relevant court in Belgrade.

In regard to the usage of the website, the user hereby confirms that they accept afore described terms and agree on them.

 

Privacy Policy of the National CERT of the Republic of Serbia

 

The Privacy Policy (hereinafter: the Policy) governs the general rules of personal data processing related to Internet page of the National CERT of the Republic of Serbia https://www.cert.rs/, under the competence of and owned by the Regulatory Agency for Electronic Communications and Postal Services. The Cookie Policy, governing the use of cookies and how they collect and process personal data, is also an integral part of this Policy.

 

General provisions

The National CERT is tasked with coordination of prevention and protection against security risks in ICT systems in the Republic of Serbia on the national level. Pursuant to the Law on Information Security (“Official Gazette of RS”, Nos. 6/16, 94/17 and 77/19), the Regulatory Agency for Electronic Communications and Postal Services is responsible for the tasks and activities of the National CERT.

In this Privacy Policy, the Regulatory Agency for Electronic Communications and Postal Services, Palmotićeva 2, 11000 Belgrade, identification number: 17606590, (hereinafter: the Agency), in its capacity as Data Controller, pursuant to the Law on Personal Data Protection („Official Gazette of RS“, No. 87/18, hereinafter: the LPDP), defines the type of personal data it collects and processes during the browsing of Internet page of the National CERT of the Republic of Serbia https://www.cert.rs/, how it handles the data, and informs the public accordingly.

The Agency shall process the user’s personal data in a lawful, fair and transparent manner in relation to the data subject and shall protect these data by implementing appropriate technical, organizational and personnel measures. The Agency shall collect data for specified, explicit, legitimate and lawful purposes. The data collected by the Agency shall be adequate and limited to what is necessary in relation to the purposes for which they are processed. The Agency shall also undertake all reasonable measures to provide that the data be accurate and up-to-date.

 

What kind of personal data does the Agency collect?

While performing the entrusted tasks based on public authorization pertaining to coordination of prevention and protection against security risks in ICT systems in the Republic of Serbia, the Agency collects the following type of data: first and last name, telephone number, email address, IP address and job/ Special CERT authorized person’s position.

 

On what legal grounds does the Agency collect and process personal data?

The legal grounds for collection and processing of personal data performd by the Agency, as defined in the LPDP, can be the folowing: consent of the data subject (Article 12, paragraph 1), compliance with legal obligations to which the Controller is subject (Article 12, paragraph 3) and performance of tasks carried out in the public interest or in the exercise of official authority vested in the Controller (Article 12, paragraph 5).

 

For what purposes does the Agency collect personal data?

Personal data are collected exclusively for the purposes of smooth operation of the Agency in the field of coordination of prevention and protection against security risks in ICT systems in the Republic of Serbia on the national level, and for the purpose of keeping records of the Special CERTs.

The Agency collects users’ personal data for specified, explicit and legitimate purposes and does not process them in a manner that is incompatible with those purposes. Data collected for one specific purpose shall not be used for any other purpose or in any other manner that might be incompatible with the consented purpose, i.e. the purpose for which that data was collected.

Personal data are used and processed exclusively by authorized persons employed at the Agency, as part of their regular professional tasks and activities within the Agency’s competence. The person from whom personal data are collected, i.e. the data subject, discloses the data willingly, in line with the provisions set forth in the Law on Information Security, General Administrative Procedure Act, Law on Personal Data Protection and other applicable laws and regulations.

 

How does the Agency collect your data?

During the visit to this web page, the browser you are using on your device will automatically, without your activity,  send to this web page server the following data: chosen language and font size, IP address of the device the request was sent from, date and time of the access, name and URL of the downloaded database, web page from which the access was made (referrer URL), the browser you are using and, if necessary, the operating system installed on your device, the name of your Internet access provider and the country from which the access is being made. These data will be stored temporarily (for approximately one month) in a log database, for the following purposes: establishment of a smooth connection, easy and comfortable use of our web page and assessment of system security and stability.

While performing public authorizations entrusted to it pursuant to the Law on Information Security, the Agency, i.e. the National CERT keeps records of Special CERTs. A Special CERT is a team performing the activities pertaining to prevention and protection against security risks in ICT systems within a legal entity, a group of legal entities or an industry and similar. In performing the tasks within its competence, the Agency – the National CERT will only collect the personal data it needs for keeping the registry of Special CERTs. To that end, the Agency collects the following personal data on the Special CERT’s authorized person: first and last name, address, job position, office telephone number, office email address.

In addition, the Agency makes it possible for the users to send emails to the National CERT at info@cert.rs. In the process, the Agency collects the following data: first and last name and e-mail address. These personal data will only be used for the purpose of communication with the user, i.e. to provide an answer to the sent question, and shall not be processed in any other way, nor shall be passed on to third parties.

In accordance with the applicable regulations, the Law on Information Security and the accompanying by-laws, the Agency – the National CERT is obliged to react upon reported incidents in ICT systems of special importance, as well as upon reported incidents filed by natural and legal persons, by providing advice and recommendations and by undertaking other necessary measures under its competence, based on the received intelligence and information on the incidents. During incident reporting via the National CERT’s application available at https://www.cert.rs/, the Agency shall collect the following personal data on the report submitter: first and last name, email address and/or telephone number.

 

Definition of terms:

  • “personal data” means any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • „data subject“ means any natural person whose personal data are being processed;
  • „controller“ means the natural or legal person, or public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data;
  • „processor“ means a natural or legal person, or public authority which processes personal data on behalf of the controller;
  • „processing of personal data“ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (hereinafter: processing);
  • „privacy policy“ is a statement or a legal document explaining how and why personal data are collected and processed, along with collector’s responsibilities and citizens’ rights;
  • „cookies“ are text files stored locally in the user’s browser, exchanged between the website and user’s device as a short-term memory of user’s activity on the website.

 

How does the Agency protect personal data?

In order to ensure personal data protection, the Agency uses advanced technologies combined with an efficient security control management. For maximum data protection in line with the international standards, the Agency plans to implement standards ISO 27001 and COBIT, and has designated an officer for personal data protection, with a designated authorized person for cyber and communication security already in place.

In addition, the Agency is committed to applying the highest possible data protection standards, subsequently implementing all necessary organizational, technical and personnel measures, including but not limited to:

  • technical protection measures,
  • physical access control to the system where personal data are stored,
  • data access control,
  • data entry control,
  • data availability control,
  • other cyber security measures,
  • all other necessary measures of personal data protection.

All personal data processors and/or recipients are equally bound to implement the prescribed protection measures pursuant to the signed contract with the Data Controller, and the legally prescribed standards and requirements.

 

For how long does the Agency store its users’ personal data?

The Agency, as a legal person entrusted with public authorizations, is obligated to store documents and data contained in it, within the set time limits defined in the applicable laws and bylaws.

 

Personal data recipients and processors

Personal data recipients can include:

  1. State authorities – administrative bodies and judicial organs, independent authorities (Commissioner, Ombudsman), organizations entrusted with public authorizations, regulatory bodies and operators when submitting data pertaining to complaints or requests before the competent court or to the administrative body, independent authority, organization entrusted with public authorizations, regulatory body, operator of electronic communications or postal service provider, during the complaint handling by the Agency;
  2. Other legally authorized entities (such as public enforcement officers, administrative receivers etc.);
  3. Data Processors – based on special agreements or other legally binding acts made in compliance with Article 45 of the LPDP, the Agency is entitled to hire data processors that will process personal data at the request and on behalf of the Agency (such as independent auditors, IT companies, accounting agencies and similar).

The Agency shall not transmit users’ personal data to other countries or international organizations.

 

What are the rights of persons whose personal data are processed by the Agency?

 

Right of access

The data subject shall have the right to obtain from the Agency confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed; the envisaged period for which the personal data will be stored or the criteria used to determine that period; the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority (the Commissioner); where the personal data are not collected from the data subject, any available information as to their source; and the existence of automated decision-making. (Article 26 of the LPDP)

 

Right of rectification and completion

The data subject shall have the right to obtain without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. (Article 29 of the LPDP)

 

Right to erasure of personal data

The data subject shall have the right to obtain the erasure of personal data concerning him or her, if the requirements from Article 30 of the LPDP are fulfilled.

 

Right to restriction of processing

The data subject shall have the right to obtain restriction of processing, if one of the requirements under Article 31, paragraph 1 of the LPDP has been fulfilled.

 

Right to object

If deemed legitimate, the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, to the Agency (Palmotićeva 2, 11000 Belgrade).

 

Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Agency, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Agency, if the requirements from Article 36 of the LPDP have been cumulatively fulfilled.

The Agency shall provide information regarding the exercise of rights under Articles 26, from 29 to 31 and 36 of the LPDP, free of charge. Where the data subject’s requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Agency may:

  • charge a reasonable fee based on administrative costs, i.e. acting on the request;
  • refuse to act on the request.

 

Automated decision-making and profiling

Automated decision-making is the process of making a decision by automated means without any human involvement. “Profiling” means any form of automated processing of personal data relating to a natural person, in particular to analyse that person’s habits, interests or online behaviour.

The Agency does not employ automated decision-making nor does it perform any kind of profiling on this site.

 

Cookies

On its web page https://www.cert.rs/, the Agency uses cookies, which enable site functionality and provide a better user experience.

During the visit to the above website, a notification will appear asking for your consent to use cookies. You are free to decide whether the browser on your computer or mobile device will automatically accept and store all cookie categories described in the following text.

 

Cookie categories used on this site

Necessary cookies – help you use the Internet page, allowing your navigation through the website and the use of its functions. The web location cannot work properly without these cookies.

Statistics cookies – help the owner of the website (the Agency) understand how the visitors use the website. To that purpose, in order to analyze the frequency of website visits and track the browsing of specific sections and improve the service, we use Google Analytic, a web analytics tool provided by Google Inc.

 

How to delete cookies?

„Cookies“ can be deleted or disabled from your Internet browser. Here are the links containing detailed instructions as to how to delete cookies from some of the most used browsers:

If you are using another browser, please follow the instructions of the relevant provider.

 

Other sites’ privacy policy

From the web page https://www.cert.rs/ it is possible for you to connect through links to the Agency’s website www.ratel.rs, as well as to the following websites: the European Union Agency for Cybersecurity ENISA https://www.enisa.europa.eu/,  the Forum of Incident Response and Security Teams FIRST https://www.first.org/, the Register of approved CERT teams „TI“ https://www.trusted-introducer.org/index.html, the Serbian Academic Network „AMRES“ https://www.amres.ac.rs/ and the Special Prosecution Office for High-Tech Crime of the Republic of Serbia  http://www.beograd.vtk.jt.rs/. This Privacy Policy does not apply to these websites.

 

Entering into force and updating of the Act on RATEL’s privacy policy

This Privacy Policy shall enter into force on the day of its publishing on the Agency’s web page https://www.cert.rs/.

The Agency’s Privacy Policy can be changed or amended due to changes in the applicable legislation, following an initiative by the Agency, the users or the competent body (the Commissioner for Information of Public Importance and Personal Data Protection).

All subsequent changes will be timely published on the Agency’s official Internet page https://www.cert.rs/.

 

How to contact us?

You can send your questions and requests regarding personal data processing to the authorized person for personal data protection, via the following emails: milica.bosnic@ratel.rs or info@cert.rs.

Headquarters address: Regulatory Agency for Electronic Communications and Postal Services, Palmotićeva 2, 11000 Belgrade.

 

Supervisory authority

The monitoring of the LPDP application is carried out by the Commissioner for Information of Public Importance and Personal Data Protection.

If you feel your right to personal data protection has been violated by the Agency, you are entitled, pursuant to Article 82, paragraph 1 of the LPDP, to lodge a complaint with the Commissioner at: office@poverenik.rs, or to: the Commissioner for Information of Public Importance and Personal Data Protection, Bulevar Kralja Aleksandra 15, 11000 Belgrade.

The complaint form is available on the website of the Commissioner www.poverenik.rs, in the section data protection/forms.

 

The website www.cert.rs uses cookies for improvement of user experience and website functionality. By continuing to browse this website, you agree to the use of cookies.

Details