Notification on processing of personal data

29 January 2021

1. Introductory provisions

In accordance with relevant provisions of the Law on Prevention of Money Laundering and Terrorism Financing (“AML Law”), EY is obliged to process certain personal data.

Due to the obligation to perform certain activities and measures for the purpose of knowing and monitoring its clients¹ (“Client due diligence”), the Controller processes certain personal data of the Client who is an individual, an entrepreneur, a legal representative of the Client which is a legal person, a legal representative of the Client which is a person of a foreign law or person of a civil law, as well as any other individual who on behalf of the Client enters into a business relationship with the Controller (“Representative of the Client”).

As a part of the Client due diligence procedure, the Controller processes certain personal data of an individual who is, in accordance with the AML Law, considered as an ultimate beneficial owner of the Client (“UBO of the Client”).

EY processes the subject data in its capacity as data controller.

2. Obligation to provide the personal data to the Controller

Providing the Controller with the personal data of the Representative of the Client and the UBO of the Client is mandatory in accordance with the AML Law.

In case of a failure to provide the Controller with personal data of the Representative of the Client and the UBO of the Client, the Controller is obliged to reject the offer to enter into a business relationship or, if a business relationship has already been established, to terminate it.

3. Purpose of processing of personal data

The purpose of processing the personal data is fulfilment of the Controller’s obligations indicated by the AML Law, which implies: 

  • the obligation to identify and verify the identity of the Representative of the Client and the UBO of the Client
  • the obligation of keeping records on Clients (“Records on Clients”).

4. Legal ground for processing of personal data

The legal ground for processing of the personal data is:

  • the obligation of the Controller to conduct actions and measures for the prevention and detection of money laundering and terrorism financing, in accordance with Articles 4 and 5 of the AML Law
  • the obligation of the Controller to identify and verify the identity of the Representative of the Client, in accordance with Articles 7, 17, 19, 21, 22, 23 and 99 of the AML Law
  • the obligation of the Controller to identify and verify the identity of the UBO of the Client, in accordance with Articles 7 and 25 of the AML Law 
  • the obligation of the Controller to conduct the actions and measures for identification and verification of identification of the Representative of the Client and UBO of the Client during the business relation, in accordance with Articles 7 and 8 of the AML Law
  • the obligation of the Controller to obtain a copy, or print-out, of a personal document of the Representative of the Client and to keep the copy or print-out of such document, in accordance with Articles 17, 19, 21, 22 and 23 of the AML Law
  • the obligation of the Controller to conduct the enhanced client due diligence actions and measures if the UBO of the Client is considered as a politically exposed person, or close person to politically exposed person, under the AML Law
  • the obligation of the Controller to keep Records on Clients, in accordance with Articles 98 and 99 of the AML Law. 

5. Personal data processed by the Controller

The Controller processes the following personal data of the Representative of the Client:

  • name and surname
  • date and place of birth
  • address of residence
  • PIN
  • type and number of a personal document.

The Controller also obtains a copy, or print-out, of the personal document of the Representative of the Client.

The Controller processes the following personal data of the UBO of the Client:

  • name and surname
  • date and place of birth
  • address of residence.

If the UBO of the Client is considered as a politically exposed person, or close person to politically exposed person, under the AML Law, in addition to the above-mentioned personal data, the Controller processes the following personal data of such person as well:

  • Data on total personal property and the legal ground for acquiring such property.

The above-mentioned personal data of the Representative of the Client and the UBO of the Client which the Controller processes are referred to in the further text as “Personal Data”.

6. Personal Data recipients

The Personal Data will be used exclusively by the Controller for its own needs, in accordance with the AML Law and the DP Law.

Personal Data recipients are the employees of the Controller who directly cooperate with the Client and employees authorized for prevention of the money laundering and terrorism financing at the Controller.

The Personal Data may be disclosed only to competent authorities, on their official request.

7. Manner of personal data collecting

The Controller collects Personal Data:

  • from the Identification Form, filled-in by the Representative of the Client before the establishment of the business relation with the Controller and/or during the business relation (“Identification Form”)
  • from the personal document, or print-out of personal document, of the Representative of the Client
  • from the statement on personal property of the UBO of the Client who is considered as a politically exposed person, or close person to the politically exposed person
  • in any other manner from the Representative of the Client.

8. Manner of personal data processing

Data processing will be conducted manually.

9. Period of keeping the Personal Data

The Personal Data and other documents collected from the Client are kept for a period of 10 years from the date of termination of the business relationship.

10. Rights of the data subjects

The data subject has the right to access the Personal Data, the right to request that the Data Controller correct, supplement or delete the Personal Data, the right to object to the processing of Personal Data and the right to transfer Personal Data, in accordance with the DP Law.

The data subject has the right to file a complaint to the Commissioner for Information of Public Importance and Personal Data Protection, if he / she considers that the processing of the Personal Data was performed contrary to the provisions of the DP Law.

11. Contact data

Any questions, complaints or requests for exercising rights related to protection of personal data at the Controller can be submitted to the following e-mail address: data.protection@rs.ey.com.

 

¹ The client is an individual, entrepreneur, legal entity, person under foreign law or person under civil law, which enters/has entered into a business relation with Ernst & Young ltd Belgrade (“Client”).