With this policy, byte-consulting d.o.o (hereinafter referred to as the Organisation) expresses its
attitude towards processing personal data and data processing, defines rules and assigns
responsibilities, and provides full support for the personal data management system. Personal
information collected and processed by the company in accordance with and with the custody of
the personal data owner is considered confident
ial and is processed in accordance with the decree that entered into force on May 25, 2018.
Personal data is processed legally, reasonably and in accordance with the reason for the
collection.

1.Collection and processing of personal data

Collection of personal data is carried out solely according to legal regulations and ethical
principles. Personal data is processed only when there is a clearly defined and documented legal
basis, or a basis based on contractual relationship. Other processing of personal data is permitted
only with the Privilege of the Personal Data Holder or its Assignee. The data that is collected are
only those that are strictly necessary. Collecting personal data is considered a breach of the
decree and is legally prohibited.
Prior to collecting personal data, the company commits the proprietors of personal data to
provide clear information about the reason and manner in which the data processing is used and
any third party accessing or storing the information, and has entered into a trust agreement with
the company and the contract binding to implement legally defined guidelines in the Personal
Data Protection Regulation.
If data is collected from children, it is necessary to establish special mechanisms to ensure that
children are old enough to understand the consequences of providing information. Personal data
relating to juveniles may be collected and processed in accordance with the Personal Data
Protection Act and with the necessary protection measures prescribed by special laws (Family
Law, Social Welfare Act).

2. Rights of the information owner

Owners of personal information must be allowed access to information about which personal
information the company owns and why they are used. The proprietor of the personal information
must be able to correct inaccuracies and additions of missing personal data, as well as the
possibility of denying the right to process his data when the processing is based on the owner’s
possession.
At the owner’s request, personal information provided on the grounds of the privilage must be
deleted from all company information systems and third-party information systems to which the
company has access to personal information. The owner is entitled to the transferability of his /
her personal data. At the owner’s request, his / her personal data must be delivered in electronic
form.

3. Recording, storage and handling of personal data

The organization is obliged to establish and maintain a register of personal data and the
processing carried out over them, and for each processing and the type of personal data to be
appointed to the responsible person. The responsible person shall ensure that the processing
includes exclusively personal data for which the processing has an adequate and documented
attachment, legal basis or business need.
All personal data for which there is no basis for guarding must be destroyed without delay.
Organization is required to provide personal information adequately. Personal data may only be
sent to third countries in accordance with the controller’s permission, and if it is possible to
provide a certain level of security with the regulation.
In special cases with the approval of the company, personal data may be provided to the third
party for processing if a third party has the legal basis for processing personal data.
The organization will keep the data of its employees and other personal data owners safe and
secure. This particualry includes and involves the data published on social networks. Data will be
published on social networks (e.g. events, business meetings, conferences etc.) solely with
consent from personal data owner and will be used only for this purpose.
Data owner can request his personal ínformations and ask for deletion of same.

4. Technical and integrated data protection

In the construction of information systems and business process design that may in any way
affect the security of personal data or the exercise of the rights to the privacy of their owners, the
Organization shall carry out an assessment of the safety performance and ensure appropriate
protective measures. If it finds that the protective measures that can be implemented are not
sufficient, they will consult the competent body before processing. All new processes and
information systems in the Organization must be designed to meet all the requirements of this
Policy.

5. Minimization and Protection of Personal Data

The Organization will collect and store personal information solely to the extent that it is
necessary to provide the service. When storing data, personal data will be stored on the smallest
possible number of locations where they must be adequately protected. Access to personal
information may only be made available on the basis of business needs.
It is forbidden to use personal data for the purposes of IT system development or testing.
Wherever possible, personal data must be protected by encryption, pseudonymization or
anonymisation.

6. Incident Management

The organization must establish and maintain procedures for responding to incidents related to
the violation of personal data security within the Organization and to third parties that the
Organization has given or have given personal data to the organization. The organization must
establish and maintain the structure of responsibility for reporting incidents related to the security
of personal data.
The organization must establish and maintain measures to detect unauthorized access to
personal data and the leak of personal information from the information system. In the event of a
breach of personal data security, the Organization shall inform the competent authority without
delay, at the latest within 72 hours of the incident’s discovery. In the event of a personal data leak,
the organization will also notify owners whose data is compromised if it can be implemented in a
reasonable manner.

7. Certification

In its personal data management system, the Organization will establish and maintain in
accordance with applicable standards in the field of privacy and information security such as ISO
27001, and compliance will be demonstrated by appropriate certification whenever possible.

8. Exceptions

In special cases with the approval of the Company and the Data Protection Officer, personal data
may be provided to the third party for processing if a third party has a legal basis for processing
personal data.