PRIVACY POLICY OF THE SERBIA FILM COMMISSION

1. Introductory Provisions

1.1. The purpose of this Privacy Policy is to regulate the internal privacy policies, rules, and procedures of the Serbia Film Commission (hereinafter: “SFC”), in accordance with the Law on Personal Data Protection (“Official Gazette of RS”, 87/2018) – hereinafter referred to as the “Law.”

1.2. The definitions and expressions used in this Privacy Policy correspond to those provided in the Law.

1.3. SFC is committed to complying with the legislation of the Republic of Serbia regarding personal data protection and to respecting the protection of fundamental human rights and freedoms, especially the right to privacy of individuals whose personal data is processed by SFC.

1.4. SFC collects and processes data as specifically defined in Section 1 of this Privacy Policy.

1.5. The relevant laws of the Republic of Serbia and this Privacy Policy apply to all data processing activities carried out by SFC. “Individuals” refers to employees, freelance collaborators and job applicants, website visitors who fill out online forms, SFC members who complete membership forms (for individuals or legal entities), individuals submitting forms to the location or online profile databases, producers, training participants, CGA Belgrade Warm- Up and Conference participants, and subscribers to the SFC Newsletter (hereinafter collectively referred to as: “Individuals”).

1.6 SFC employees are required to follow and apply this Privacy Policy in their In the event of a breach of this Policy or the Law, applicable legislation and internal procedures (outlined in Section 6 of this Privacy Policy) shall apply.

1.7. Third parties collaborating with SFC who may have access to personal data as part of that collaboration are expected to read and adhere to this Privacy No third party shall access data processed by SFC without first signing an appropriate confidentiality agreement, joint data processing agreement, or data processor-controller agreement with SFC.

2.  Data Processed by SFC

2.1 SFC processes the following personal data from Individuals:

• Full name
• Unique Citizen Identification Number (JMBG)
• Date and place of birth (city, municipality, republic, country)
• Gender
• Residence and home address
• Information on insured family members
• Type and level of education
• Landline phone number
• Mobile phone number
• Email address
• ID card number
• Bank account number

(Hereinafter collectively referred to as: “Data”)

2.2. This data is collected so that SFC may fulfill all legal and regulatory obligations related to its operations, including the Labor Law, the Law on Employment Records, the Law on Private Security, and the Law on the Unique Master Citizen Number.

2.3. SFC is legally required to collect the following data from its employees (including individuals engaged via temporary/occasional work contracts and supplemental work contracts):

1. Full name
2. Unique Citizen Identification Number
3. Date and place of birth
4. Gender
5. Residence and home address
6. Type and level of education
7. Information on insured family members

3.  SFC as Data Controller

Data Subjects Whose Data SFC Processes

3.1. As the data controller, SFC processes the Data of the following Individuals:

• Persons employed under employment contracts, persons engaged on temporary and occasional jobs, and persons engaged under supplemental work contracts (collectively: “Employees”);
• Persons who have submitted their CVs to SFC for employment or engagement (collectively: “Candidates”);
• Individuals who filled out the individual or legal entity membership forms, location database forms, or online profile database forms (collectively: “Members”);
• Website visitors who submit the online form;
• Producers;
• Participants of SFC training, CGA Belgrade Warm-Up, and CGA Belgrade

3.2. If in the future SFC needs to process the Data of individuals not listed above, it will do so in accordance with the Law without needing to amend this Privacy Policy. However, if such data processing becomes systematic or part of SFC’s daily activities, this Privacy Policy will be amended accordingly.

3.3. Details about the categories of data subjects and relevant information about the processed Data are contained in the Data Processing Record, which SFC regularly updates.

3.4.  Purpose of Data Processing

Data is collected in order for SFC to:

• Comply with legal obligations;
• Fulfill contracts with Employees and Candidates;
• Conduct statistical research;
• Inform and fulfill obligations to stakeholders in employment processes;
• Ensure employment and social security rights;
• Provide information to government bodies for economic and social policy;
• Contact Candidates regarding possible engagement;
• Maintain communication and mailing lists;
• Send updates and respond to inquiries or

3.5. If SFC at any point processes Data for purposes not covered above, it will comply with relevant Serbian legislation without needing to amend this Privacy Policy—unless the processing becomes systematic or part of daily operations, in which case the Policy will be updated accordingly.

3.6. Retention periods for each category of Data are aligned with their respective processing purposes and are recorded in the Data Processing Record. These periods are periodically reviewed and updated as needed.

3.7. SFC’s data processing activities do not include profiling or any form of automated processing aimed at evaluating personal aspects such as financial or health status, preferences, or other personal traits.

3.8.  Legal Basis for Data Processing

SFC identifies the legal basis for data processing before beginning any processing activity by clearly defining and, where applicable, documenting the specific purpose and legal basis.

At the time of adoption of this Policy, SFC processes data on the following legal bases:

• Law;
• Contract with the Individual;
• Consent of the

When consent is the basis for processing, it will be obtained in a form and content compliant with the Law. A sample consent form for Employees and Candidates is provided in Annex 1 of this Policy, although SFC reserves the right to modify it if laws change. Consent may also be embedded in other documentation or contracts with third parties, provided it is clear and transparent. Individuals may withdraw their consent at any time.

If SFC decides to process data based on legitimate interest, it will conduct an appropriate assessment to ensure this interest does not override the rights and freedoms of the Individual. If it does, the data will not be processed.

All legal bases for processing are recorded in the SFC Data Processing Record.

3.9.  Data Processing Agreements

Any agreement between SFC and its data processors will include all legally required provisions.

3.10. Data Transfer

SFC does not transfer data internationally.

 3.11. Data Processing Record

To ensure compliance and good practice, SFC maintains an up-to-date Data Processing Record, which it may revise in accordance with legal changes.

4.  Technical Measures

SFC takes appropriate technical measures to ensure optimal protection of all categories of data it processes.

Anonymization and Pseudonymization

All Data processed by SFC is anonymized (encrypted). Data collected for statistical purposes is pseudonymized.

Access Restrictions

SFC has procedures in place to prevent access to its systems by individuals who are no longer employed.

Testing and Evaluation of Technical Measures

SFC regularly tests and evaluates its technical measures. If existing measures are deemed insufficient, SFC will adopt appropriate new ones and update this Policy accordingly.

5.  Organizational Measures

5.1. Confidentiality

SFC includes confidentiality clauses in all employment or contractor agreements for individuals who have access to personal data.

5.2.  Access Restrictions

Only specific personnel in designated departments have access to SFC systems and data, in accordance with their work responsibilities. Annex 2 of this Policy contains the list of individuals authorized to access personal data.

5.3.  Data Protection Officer

SFC is not legally required to appoint a Data Protection Officer and therefore will not appoint one.

5.4.  Internal Training

SFC will organize internal training for all staff who handle personal data.

6.  Breach Notification Procedures Notification to the Commissioner

If a personal data breach may pose a risk to individuals’ rights and freedoms, SFC must notify the Commissioner without undue delay, and ideally within 72 hours of becoming aware of the breach.

If SFC fails to notify within 72 hours, it must explain the reasons for the delay. The notification to the Commissioner must include:

• Nature of the breach (type of data, estimated number of affected individuals and data entries);
• Contact details of the responsible person;
• Possible consequences of the breach;
• Measures taken or proposed to mitigate the

Notifications are sent in writing or by email to: povredapodataka@poverenik.rs

Notification to Individuals

If the breach poses a high risk to individuals’ rights and freedoms, SFC must inform the affected individuals without undue delay.

This notification must clearly describe:

• Nature of the breach;
• Contact information of the responsible person;
• Possible consequences;
• Measures taken to mitigate harmful

7.  Rights of Data Subjects

Individuals listed in Section 3.1 have the following rights:

• To request information about whether SFC processes their data;
• To access their personal data;
• To request correction or completion of data;
• To request deletion of data;
• To request restriction of processing;
• To object to data

. Procedure for Exercising Rights

Requests may be submitted in any written form via email to: info@filminserbia.com

Upon receipt, SFC will verify the identity of the requester and may request additional information.

The date of verification and the scope of the request will be recorded.

SFC will respond within 30 days. This period may be extended by an additional 60 days in complex cases, with notification sent within the initial 30-day period.

Requests are handled free of charge, unless they are clearly unfounded or excessive, in which case SFC may:

• Charge administrative costs; or
• Refuse to act on the

The burden of proving that a request is excessive or unfounded lies with SFC.

8.  Final Provisions

This Privacy Policy is adopted by the legal representative of SFC, who may amend it when necessary. The Policy becomes binding upon adoption.