Notification On processing of personal data
29 January 2021
1. Introductory provisions
In order to prevent the money laundering and terrorism financing, the Controller conducts certain actions and measures for knowing and monitoring its clients1 (“Client due diligence”) which implies processing of certain personal data of the Client who is an individual, an entrepreneur, a legal representative of the Client which is a legal person, a legal representative of the Client which is a person of a foreign law or person of a civil law, as well as any other individual who on behalf of the Client enters into a business relationship with the Controller (“Representative of the Client”)
Additionally, as a part of the Client due diligence procedure, the Controller processes certain personal data of an individual who is, in accordance with the Anti Money Laundering and Terrorism Financing Law (“AML Law”), considered as an ultimate beneficial owner of the Client (“UBO of the Client”).
EY processes subject data in his capacity of data controller.
2. Obligation to provide the personal data to the Controller
In case of a failure to provide the Controller with personal data of the Representative of the Client and the UBO of the Client, the Controller may reject the offer to enter into a business relationship with the Client, or if a business relationship has already been established to terminate it.
3. Purpose of processing of personal data
The purpose of processing of the personal data is the Controller’s intention to implement the best business practices in order to prevent money laundering and terrorist financing, which implies:
- identification and verification of the identity of the Representative of the Client and the UBO of the Client
- keeping records on Clients (“Records on Clients”).
4. Legal ground for processing of personal data
The legal ground for processing of the personal data is the legitimate interest of the Controller to ensure that the Controller is conducting business with Clients that are not involved in any way (directly or indirectly) in any money laundering and financing of terrorism activities.
5. Personal data processed by the Controller
The Controller processes the following personal data of the Representative of the Client:
- name and surname
- date and place of birth
- address of residence
- type and number of a personal document.
The Controller also obtains a copy, or print-out, of the personal document of the Representative of the Client.
The Controller processes the following personal data of the UBO of the Client:
- name and surname
- date and place of birth
- address of residence.
Above mentioned personal data of the Representative of the Client and UBO of the Client which Controller processes in further text are indicated as “Personal Data”.
6. Personal Data recipients
The Personal Data will be used exclusively by the Controller for its own needs, in accordance with the AML Law and the DP Law.
Personal Data recipients are the employees of the Controller who directly cooperate with the Client and employees authorized for prevention of the money laundering and terrorism financing at the Controller.
The Personal Data may be disclosed only to competent authorities, on their official request.
7. Manner of personal data collecting
The Controller collects Personal Data:
- from the Identification Form, filled-in by the Representative of the Client before the establishment of the business relation with the Controller and/or during the business relation (“Identification Form”)
- from the personal document, or print-out of personal document, of the Representative of the Client
- in any other manner from the Representative of the Client.
8. Manner of personal data processing
Data processing will be conducted manually.
9. Period of keeping the Personal Data
The Personal Data and other documents collected from the Client are kept for a period of 10 years from the date of termination of the business relationship.
10. Rights of the data subjects
The data subject has the right to access the Personal Data, the right to request from the Data Controller to correct, supplement, delete the Personal Data, right to object processing of Personal Data and right to transfer Personal Data in accordance with DP Law.
The data subject has the right to file a complaint to the Commissioner for Information of Public Importance and Personal Data Protection, if he / she considers that the processing of the Personal Data was performed contrary to the provisions of the DP Law.
11. Contact data
Any questions, complaints or requests for exercising rights related to protection of personal data at the Controller can be submitted to the following e-mail address: firstname.lastname@example.org
1 The client is an individual, entrepreneur, legal entity, person under foreign law or person under civil law, which enters/has entered into a business relation with Ernst & Young ltd Belgrade („Client“)