EKO Smile

EKO SERBIA AD, with registered seat at Belgrade (Novi Beograd), street Tošin Bunar 274a, CIN: 17413333, TIN: 100118236, acting as the Controller, in accordance with the definitions of the Law on Personal Data Protection (“Law) (hereinafter: EKO SERBIA), hereby informs users of the EKO SMILE KLUB program (hereinafter: Users) about all essential aspects of personal data processing for the purposes of the EKO SMILE LOYALTY program (hereinafter: EKO SMILETYPE OF PERSONAL DATA BEING PROCESSED

EKO SERBIA collects, uses and otherwise process, the following categories of personal data of users:

•name and surname

•date of birth

•e-mail address

•mobile phone number

•gender (optional)

•city (optional)

EKO SERBIA processes personal data based on the informed consent of users, in accordance with the requirements of the Law.

EKO SERBIA collects, uses, and otherwise processes personal data of EKO SMILE users for the following purposes:

•fulfillment of mutual rights and obligations between users and EKO SERBIA, in accordance with the Terms of Participation in the EKO SMILE program, both in case of registration at the gas station by filling out a digital form on a tablet, and in case of registration through the EKO SMILE mobile application. 

•marketing purposes, including contacting EKO SMILE members, sending messages of commercial content via email, Viber app, or other similar means, recommending EKO SERBIA services, and providing relevant information regarding EKO SMILE benefits.

EKO SERBIA performs the following processing activities:

•Collection;

•Recording;

•Storing data in appropriate records, both in physical and electronic form, and creating special records of personal data;

•Adaptation of data to the needs of EKO SERBIA;

•Alteration inaccuracies in entered data or updating data upon user request;

•Structuring personal data;

•Disclosure of data;

•Dissemination of personal data;

•Transferring data to entities mentioned in point 4 of this Notice;

•Anonymizing or otherwise making personal data unrecognizable, in accordance with applicable regulations and internal policies related to personal data protection;

•Erasure or destruction of data;

•Use of personal data;

•Other types of processing necessary to achieve the purpose outlined in this section of the Privacy Notice.

In addition to EKO SERBIA, the following categories of processors have access to the personal data of users:

•affiliates of EKO SERBIA;

•local partners;

•companies responsible for establishing and maintaining ICT systems for EKO SERBIA;

•companies providing security services for EKO SERBIA;

•other companies classified as personal data Processors for EKO SERBIA.

Foe avoidance of doubt, Processors are considered entities who, on behalf of EKO SERBIA, perform specific processing activities of personal data of users (such as creating records of personal data, forwarding forms containing personal data to EKO SERBIA users, establishing ICT systems processing such data, providing technical support for the implementation of the EKO SMILE program, etc.).

These entities have access to and process data within the purpose outlined in this Privacy Notice, and they will not process personal data of users for other purposes. 

The mentioned entities will be required to adhere to the protection standards and other obligations prescribed by the Law, standards, and requirements outlined in EKO SERBIA's internal policy, as well as the provisions of the Personal Data Processing Agreement (which EKO SERBIA has concluded with all persons having the status of Processors or Users). Processors and Users are obligated to implement anonymization or pseudonymization measures for Personal Data whenever possible, depending on the specific purposes for which the data is used or otherwise processed.

To avoid any doubt, in the case of transferring personal data to other entities in accordance with this section, EKO SMILE remains responsible for ensuring an adequate level of personal data protection. 

EKO SERBIA may exceptionally disclose personal data to authorized state authorities in accordance with the law, to the extent necessary to fulfill legal obligations of EKO SERBIA, while taking into account the application of appropriate data protection measures.

Given that EKO SERBIA operates within an international group of companies, some Processors may be located in foreign countries outside of Europe or in countries that are not on the List of countries of the Government of the Republic of Serbia that provide an appropriate level of protection (cross-border data transfer). In case of cross-border data transfers, EKO SERBIA will ensure that the data transfer is carried out in accordance with the relevant requirements of the Law

Consent for the processing of personal data is voluntary. The user can revoke such consent at any time. The user can withdraw consent through an explicit statement expressing the desire not to have their data processed any longer. The withdrawal of consent results in the cessation of any further processing of personal data, but it does not affect the processing based on consent before the withdrawal. The consequences of withdrawal also apply to the processing of personal data performed by entities mentioned in sections 4 and 5 of this Privacy Notice.

The withdrawal of consent can be requested by calling the call center at the following number 0800 088 887 or by sending an email to the following email address customerservice@hellenic-petroleum.rs or through mobile application.

When making the withdrawal, the individual whose data is processed is obligated to provide at least the following information: full name and EKO SMILE card number in case of withdrawal made by calling the call center or sending an email. In the case of withdrawal through the mobile application, it is only necessary for the consumer to click on the appropriate option in the consent section. These details are used solely to exercise the right to withdraw consent and will not be used for other purposes.

EKO SERBIA respects the rights of data subjects under the conditions, in the manner, and within the deadlines prescribed by the Law. This includes, among other things, the right to access data, the right to copy and alter data, the right to erasure, as well as data portability right. 

Users can exercise their rights by submitting a request in a free form to the Data Protection Officer at EKO SERBIA, at the address or email specified in point 8 of this Notice.

When submitting a request, the individual exercising their rights regarding personal data protection is obligated to provide at least the following information: full name and EKO SMILE card number, i.e., when the request is submitted through the mobile application, the individual needs to enter their name, surname and the mobile phone number linked to the EKO Smile application. These details are used solely for the identification of the individual wishing to exercise their rights regarding personal data protection and will not be used for other purposes.

If a user believes that the processing of their personal data is in violation of the law governing personal data protection, they are entitled to lodge a complaint with the data protection authority (i.e., the Commissioner for Information of Public Importance and Personal Data Protection), in accordance with the Law.

Data subjects can contact the Data Protection Officer by phone at 011 / 2061 500, email at licezpl@hellenic-petroleum.rs, and/or the address EKO SERBIA A.D, Tošin bunar 274a, 11070 Belgrade (with the note: "For the Data protection Officer").

The Data Protection Officer will respond to any inquiries from data subjects as soon as possible, depending on the nature of the inquiry, but no later than 10 days from the date of receiving the inquiry.

Within its business organization, EKO SERBIA implements all necessary aspects of data protection (organizational, technical, and personnel-related), including but not limited to:

•Technical security measures;

•Control of physical access to the system where personal data is stored;

•Access control to personal data;

•Control of the transfer of personal data;

•Control of the input of personal data;

•Control of the availability of personal data;

•Other information security measures;

•All other measures necessary for the protection of personal data.

For avoidance doubt, all third parties acting as Processors or Users are obligated to apply the protection measures prescribed in this section, and EKO SERBIA guarantees the implementation of these protection measures even in the case of such processing.

Data is stored and processed until the occurrence of any of the following circumstances and within the specified time frames:

•Until the completion of the EKO SMILE program, after which the data is promptly deleted, but no later than 30 days from the end of the program;

•Without undue delay after the date of termination (or otherwise cessation) of the agreement, in accordance with the Terms of Use, user’s data will be deleted.