Notification оn processing of personal data for Anti-Money Laundering purposes (Ernst & Young Consulting DOO)

Ernst & Young Consulting doo Belgrade, a legal entity with its registered address at Vladimira Popovića 8a, Belgrade, registration number 2187084 (“Controller” or “EY”), in accordance with Article 23 of Data Protection Law (“DP Law”), the Controller delivers the following:

NOTIFICATION ON PROCESSING OF PERSONAL DATA

1. Introductory provisions

in accordance with relevant provisions of the Law on Prevention of Money Laundering and Terrorism Financing (“AML Law”), EY is obliged to process certain personal data.

Due to the obligation to perform certain activities and measures for the purpose of knowing and monitoring its clients[1] (“Client due diligence”), the Controller processes certain personal data of the client who is an individual or an entrepreneur (“Client”), as well as a legal representative of the Client which is a legal person, a legal representative of the Client which is a person of a foreign law or person of a civil law, as well as any other individual who on behalf of the Client enters into a business relationship with the Controller (“Client Representative”)

As a part of the Client due diligence procedure, the Controller processes certain personal data of an individual who is, in accordance with the AML Law, considered as an ultimate beneficial owner of the Client (“Client UBO”).

EY processes subject data in his capacity of data controller.

[1] The client is an individual, entrepreneur, legal entity, person under foreign law or person under civil law, which enters/has entered into a business relation with Ernst & Young Consulting doo Belgrade (“client“)

2. Obligation to provide the personal data to the Controller

Providing the Controller with the personal data of the Client, the Client Representative and the Client UBO is mandatory in accordance with the AML Law.

In case of a failure to provide the Controller with personal data of the Client, the Client Representative and the Client UBO, the Controller is obliged to reject the offer to enter into a business relationship, or if a business relationship has already been established to terminate it.

3. Purpose of processing of personal data

The purpose of processing the personal data is fulfilment of the Controller’s obligations indicated by the AML Law, which implies: 

  • the obligation to identify and verify the identity of the Client, the Client Representative and the Client UBO;
  • the obligation of keeping records on clients (“Records on clients”).

4. Legal ground for processing of personal data

The legal ground for processing of the personal data is:

  • the obligation of the Controller to conduct actions and measures for the prevention and detection of money laundering, terrorism financing and financing of the mass destruction weapons, in accordance with Articles 4 and 5 of the AML Law
  • the obligation of the Controller to identify and verify the identity of the Client and the Client Representative, in accordance with Articles 7, 17, 19, 21, 22, 23 and 99 of the AML Law.
  • the obligation of the Controller to identify and verify the identity of the Client UBO, in accordance with Articles 7 and 25 of the AML Law. 
  • the obligation of the Controller to conduct the actions and measures for identification and verification of identification of the Client, the Client Representative and the Client UBO during the business relation, in accordance with Articles 7 and 8 of the AML Law.
  • the obligation of the Controller to obtain a copy, or print-out, of a personal document of the Client and the Client Representative and to keep the copy or print-out of such document, in accordance with Articles 17, 19, 21, 22 and 23 of the AML Law.
  • the obligation of the Controller to conduct the enhanced client due diligence actions and measures if the Client or the Client UBO is considered as a politically exposed person, or close person to politically exposed person, under the AML Law, in accordance with Article 35 and 38 of the AML Law.
  • the obligation of the Controller to keep Records on clients, in accordance with Articles 98 and 99 of the AML Law. 

5. Personal data processed by the Controller

The Controller processes the following personal data of the Client and the Client Representative:

  • name and surname
  • date and place of birth
  • address of residence
  • PIN
  • type and number of a personal document.

The Controller also obtains a copy, or print-out, of the personal document of the Client and the Client Representative.

The Controller processes the following personal data of the Client UBO:

  • name and surname
  • date and place of birth
  • permanent or temporary residence.

If the Client or the Client UBO is considered as a politically exposed person, or close person to politically exposed person, under the AML Law, in addition to above mentioned personal data, the Controller process the following personal data of such person as well:

  • Data on total personal property and the legal ground for acquiring such property.

Above mentioned personal data of the Client, the Client Representative and the Client UBO which Controller processes in further text are indicated as “Personal Data”.

6. Personal Data recipients

The Personal Data will be used exclusively by the Controller for its own needs, in accordance with the AML Law and the DP Law.

Personal Data recipients are the employees of the Controller who directly cooperate with the client and employees authorized for prevention of the money laundering and terrorism financing at the Controller.

The Personal Data may be disclosed only to competent authorities, on their official request.

7. Manner of personal data collecting

The Controller collects Personal Data:

  • from the identification form, filled-in by the Client or the Client Representative before the establishment of the business relation with the Controller and/or during the business relation (“Identification Form”).
  • from the personal document, or print-out of personal document, of the Client or the Client Representative.
  • from the statement on personal property of the Client or the Client UBO who is considered as a politically exposed person, or close person to the politically exposed person.
  • in any other manner from Client or the Client Representative.

8. Manner of personal data processing

Data processing will be conducted manually.

9. Period of keeping the Personal Data

The Personal Data and other documents collected from the client are kept for a period of five years from the date of termination of the business relationship.

10. Rights of the data subjects

The data subject has the right to access the Personal Data, the right to request from the Controller to correct, supplement, delete the Personal Data, right to object processing of Personal Data and right to transfer Personal Data in accordance with DP Law.

The data subject has the right to file a complaint to the Commissioner for Information of Public Importance and Personal Data Protection, if he / she considers that the processing of the Personal Data was performed contrary to the provisions of the DP Law.

11. Contact data

Any questions, complaints or requests for exercising rights related to protection of personal data at the Controller can be submitted to the following e-mail address: data.protection@rs.ey.com.

You are visiting EY rs (en)
rs en