Effective Date: June 11, 2025
Wine Vision by Open Balkan (“we” or “us”) is firmly committed to protecting personal data and using it responsibly. This Data Policy outlines the principles and guidelines we follow in handling data (especially personal data) in compliance with the EU General Data Protection Regulation (GDPR) and the Serbian Law on Personal Data Protection, along with applicable e-commerce and communications laws. This policy is closely related to our Privacy Policy, but here we emphasize our data management principles, security practices, and organizational measures in a more comprehensive way. Think of it as the high-level rulebook we abide by internally when processing any user or participant data.
Our key data protection principles are: Lawfulness, Fairness & Transparency; Purpose Limitation; Data Minimization; Accuracy; Storage Limitation; Integrity & Confidentiality; and Accountability. Below we explain how we implement each of these.
1. Lawfulness, Fairness & Transparency
We process personal data lawfully – meaning we always have a valid legal basis for processing (such as consent, contract necessity, legitimate interest, or legal obligation). We ensure fairness by not using data in ways that individuals would not reasonably expect, and by avoiding any processing that could unjustifiably harm their rights or interests.
We maintain transparency by clearly informing individuals about how their data will be used. This is achieved through our Privacy Policy (which provides detailed information on collection, use, sharing, etc.), our cookie notices, and notices on specific data capture forms. If we collect data for new purposes, we will inform you at the time of collection what the intended use is. We avoid secretive data practices – users should not be surprised by any personal data processing if they have read our privacy communications.
For example, when exhibitors fill in registration forms, we explicitly state what information is required and why (e.g., needing their contact info to communicate about the event). We provide contact information (email and address) in our Privacy Policy and this policy so anyone can reach out with questions. We strive to make our explanations understandable, avoiding unnecessary legal jargon.
2. Purpose Limitation
We collect personal data for specific, explicit, and legitimate purposes, and we do not further process it in a manner that is incompatible with those purposes.
In practice, this means:
- When we collect data during user registration or via the website, we have defined purposes such as event organization, user account management, marketing of our events, improving our services, etc. These purposes are clearly laid out in our Privacy Policy’s “How We Use Your Information” section.
- We do not use personal data for completely unrelated purposes without obtaining additional consent or having a clear legal basis. For instance, if someone gives us their email to register for the fair, we won’t pass that email to another company for their marketing purposes without consent. We won’t suddenly use that email to sign them up for an unrelated product’s mailing list.
- If a new purpose for using existing data arises, we assess compatibility. GDPR allows further processing for certain archiving, research, or statistical purposes under some safeguards – if we ever did that (say, analyzing trends across event participants over years for an industry study), we would ensure it’s done either in aggregated form or with appropriate legal basis.
- Any new use case that is different from what was originally stated will trigger either a user notification or request for consent. For example, if we decide to publish a directory of exhibitors with contact emails, and originally we collected emails only for internal communication, we would go back and seek permission from each exhibitor before such publication, since that’s a new use beyond the initial scope.
3. Data Minimization
We adhere to the principle of collecting only the data that is truly necessary for the purposes stated. Each form and data collection mechanism is reviewed to avoid excess:
- Our registration forms ask only for information we need. While we collect a wide range of data from exhibitors and buyers (see Privacy Policy, e.g., professional info, banking details for payments, etc.), each item has a rationale. If an item is optional (nice to have but not essential), we mark it as such. We do not collect irrelevant data (for example, we do not ask for someone’s ethnicity or political affiliation, as it’s unnecessary for a wine fair).
- We periodically review data held to ensure we are not storing data we don’t need. For instance, if we initially asked for something that turned out not to be used, we would remove that field from future forms and consider deleting previously collected instances if not needed.
- When sharing data with third-party processors, we share the minimum required for them to perform their function. Example: when sending a mailing list to an email service provider, we might only share name and email, not full postal addresses, if the addresses are not needed for that email campaign.
- Data minimization also applies to access – only staff who need access to certain data get it. Our internal systems are set so that, for example, the team handling exhibitor logistics sees company and contact info, but not detailed payment info if their role doesn’t require it (payment info may be restricted to the finance team).
- If we conduct surveys or feedback forms, we often allow anonymity or at least make personal questions optional, unless knowing identity is necessary for follow-up.
4. Accuracy
We take reasonable steps to ensure that personal data is accurate, complete, and up-to-date:
- Data subjects (users) are given the opportunity to correct their data. Through contact with us or account settings, users can update their contact info or other details. For instance, if an exhibitor’s company address changes after registration, they can inform us and we’ll update our records, including in any published exhibitor list.
- We do initial verification on critical data. For example, for professional buyers, we might verify their credentials or the existence of their business (to ensure only bona fide professionals get buyer status). This verification indirectly helps ensure the data they provided (like company name, position) is accurate.
- We avoid storing data in multiple places unnecessarily (to reduce divergence). We maintain a central database for participants; if other copies exist (say in spreadsheets for working purposes), we try to synchronize changes or limit such duplication.
- Periodic audits: Before each event edition’s communication, we might send out emails asking people to confirm or update their details (especially if they carry over year to year). For example, an email might say “We have your company name as X and email as Y, please let us know if any changes.”
- If we discover data is incorrect or outdated, we either rectify it or, if that’s not possible, delete it. For instance, if an email repeatedly bounces or we learn a contact has left a company, we flag that record. We might reach out via alternate means to update, or mark it inactive.
- Certain critical data points like payment info or addresses we double-check at time of use (e.g., validating payment card with bank, postal code lookup for addresses if shipping something, etc.).
5. Storage Limitation
We do not keep personal data for longer than necessary for the purposes for which it is processed:
- Our retention schedules (as outlined in our Privacy Policy’s Data Retention section) guide how long different categories of data are kept. For instance, exhibitor data might be retained for a few years for future fair invitations, while website inquiry data might be deleted sooner if no longer needed.
- We either anonymize or securely delete data that we no longer require. For example, a year after an event, we might anonymize visitor registration data but keep aggregated statistics (like total attendance, country breakdown) for reporting. Personal identifiers in that context would be removed.
- Some data must be retained to comply with legal obligations (financial records, etc.) and we adhere to those legal minimum periods, but not longer. For example, accounting records with personal data (invoices with names) are kept for at least the statutory period (e.g., 5-10 years per Serbian law), but we schedule their deletion once no longer required.
- We have processes to periodically review our databases. Old records that no longer serve an active purpose are flagged. If, say, a buyer registered in 2023 and did not attend or engage in following years, by 2028 we would likely remove their personal contact from our active lists (unless they opted to remain in mailing list).
- Backup data: while backups might retain information beyond active deletion, we manage backup retention as well. We might keep rolling backups for a certain period (e.g., 6 months). When backups expire, they are deleted or overwritten. Thus, even data that was deleted from live systems might reside in backup for a finite time, but those backups are tightly secured and eventually cycle out.
6. Integrity & Confidentiality (Security)
Protecting data is paramount. We implement technical and organizational measures to ensure personal data is secure from unauthorized access, alteration, disclosure, or destruction:
- Technical Measures: Our website and databases use encryption (SSL/TLS for data in transit, encryption at rest for sensitive fields where appropriate). We have firewalls and anti-malware systems guarding our IT infrastructure. Regular security updates are applied to software and systems. Where feasible, we pseudonymize or encrypt data sets (for example, hashing passwords, and truncating card numbers in the event that credit card data is ever stored).
- Access Control: We enforce role-based access control. Only authorized personnel with a need-to-know can access personal data, and even then, only the portion relevant to their role. Access to the master database is limited to key staff and is password-protected (with strong password policies and 2-factor authentication enabled for remote access systems). Physical access to servers or computers that contain personal data is also restricted (our offices have security, and our hosting providers have physical security and environmental controls).
- Organizational Policies: We have internal data protection policies and provide training to our team about privacy and security. Staff are required to keep data confidential. Any subcontractors or volunteers who handle data are also bound by confidentiality agreements. We emphasize caution in handling data – e.g., avoiding download of data to personal devices unless necessary and approved, not sharing data over insecure channels, etc.
- Incident Response: We have an incident response plan. If a data breach is suspected or detected, we act promptly to contain and investigate it. We will notify affected individuals and authorities as required by law (GDPR mandates notification within 72 hours to authorities for certain breaches, and to individuals if there’s high risk to them). Our team is briefed on escalation procedures for any security incidents.
- Testing and Audits: We periodically test our systems (or hire external experts to do so) for vulnerabilities. Also, we audit logs to monitor for any unauthorized access. Unusual access patterns (like someone accessing large amounts of data without need) are checked. If we find any weakness, we address it promptly.
- Secure Development: If we develop or customize software, we follow secure coding practices. For example, our website forms have measures to prevent SQL injection, XSS attacks, etc. We also ensure that when we decommission equipment or software, any personal data is securely wiped.
- Data Breach Insurance: While not a direct measure, we are evaluating insurance to cover cyber incidents. This doesn’t reduce risk per se, but it ensures we have resources to respond and compensate if something does happen, showing our proactive stance.
7. Accountability
We take responsibility for complying with these principles and can demonstrate our compliance:
- We have assigned clear responsibilities within our team for data protection compliance. There is a designated privacy coordinator (notified internally) who keeps track of our data processing activities and ensures policies are followed. Given the scale, a formal DPO might not be legally required, but we act in the spirit of having that accountability.
- We maintain documentation of our processing activities (a “Record of Processing Activities” as per GDPR Art. 30). This includes what data we collect, why, who it’s shared with, how long we keep it, etc. If asked by regulators, we can provide this documentation to show we’ve thought through compliance.
- Data Protection Impact Assessments (DPIA): For any high-risk processing (for instance, if we were to introduce new technology like facial recognition at event entry, or large-scale profiling of attendees), we would conduct a DPIA to evaluate and mitigate risks to individuals’ privacy.
- Third-Party Management: We carefully vet and use contracts (Data Processing Agreements) with our third-party processors. These contracts obligate them to protect data to GDPR standards, as Serbia’s law demands similar diligence. We monitor their compliance (asking for their security measures, etc., and requiring breach notifications).
- We provide training to our staff and create an environment where privacy is valued. Mistakes can happen, but we encourage prompt reporting of any lapses so they can be fixed rather than hidden.
- If any data subject (user) exercises their rights (access, correction, deletion, etc.), we have established procedures to respond within required timeframes. We log these requests and how we handled them, as proof of compliance.
- We keep an eye on developments in data protection law and best practices. For example, if Serbia amends laws or if new EU guidelines (from EDPB) come out that affect us (like new cookie consent methods), we adapt our policies accordingly. In late 2023 Serbia released a Data Protection Strategy focusing on aligning with GDPR; we align our internal rules to such strategic directions.
- In the event of any audit or inquiry by authorities (like Serbia’s Commissioner for Information of Public Importance and Personal Data Protection), we stand ready to demonstrate our compliance via records, policies, and technical evidence. We treat compliance as an ongoing task, not a one-time checkbox.
8. Data Subject Considerations
Our data policy puts individuals (data subjects) at the center:
- Consent and Choice: Where we rely on consent, we ensure it is freely given, specific, informed, and unambiguous (e.g., using opt-in checkboxes, not pre-ticked boxes). We also make it easy to withdraw consent (opt-out links in emails, etc.).
- Children’s Data: We take special care when processing data of minors. As noted in our Privacy Policy, children under 15 in Serbia require parental consent to use our online services. If we know a user is under that age, we seek a guardian’s consent verification. We also design any interface or explanation addressed to minors in clear, age-appropriate language (however, since our site targets professionals and a general audience, not young children, this is less frequent).
- Respect for Privacy by Design and Default: When we introduce a new feature, we consider privacy from the outset. For example, if we start a mobile app for the fair, we’ll ensure that by default it only collects what’s necessary (and maybe asks users to opt-in to any extra tracking or data sharing). Data protection settings are set at a high level of protection by default – e.g., a user’s profile might be private unless they choose to make it public for networking.
- Avoiding Overreach: We do not engage in excessive profiling or automated decisions that could negatively affect users without human intervention. Any analysis we do (like preferences for email targeting or making networking recommendations) is done thoughtfully and with human oversight.
- Continuous Improvement: We treat our privacy practices as something to continuously improve. We welcome feedback from users. If anyone believes their data has been handled in a way not consistent with what we say, we investigate and rectify. We also consider industry best practices – e.g., if new, more secure methods of protecting data become available (like advanced encryption techniques or anonymization tools), we assess adopting them.
9. Third-Party Data Transfers and International Compliance
We ensure that any transfer of personal data to third parties or across borders is done in compliance with applicable laws:
- Within the Open Balkan Region: Since our initiative involves multiple countries (Serbia, North Macedonia, Albania, etc.), sometimes data might be shared with counterparts or co-organizers in those countries. We ensure all involved parties commit to GDPR-level standards. Even if those countries have differing laws, through agreements and understanding we treat data with one high standard.
- Outside EEA Transfers: As noted, Serbia is not in the EEA, but our stance is to treat all personal data, whether of EU citizens or others, under GDPR principles. If we transfer data from the EU to Serbia (e.g., an EU exhibitor’s data ends up stored in Serbia on our servers), we rely on safeguards like Standard Contractual Clauses and user consent as needed. Similarly, if our providers in the US handle any personal data (like Google for analytics, etc.), we ensure compliance through SCCs or new approved mechanisms.
- Processor Oversight: For each processor (be it a cloud service, mailing service, payment gateway), we maintain a record of what data is sent, under what terms, and we verify their compliance credentials (like if they are ISO 27001 certified, or in case of US companies, if they are part of the EU-US Data Privacy Framework or have SCCs).
- Auditing Third Parties: Where feasible, we include rights in contracts to audit or get assurance from these third parties. We might not physically audit big companies like Google, but we rely on their published audits and certifications. For smaller vendors (say a local IT support firm that might have access to systems), we can directly oversee their practices or include them in our security drills.
- Data Transfer Records: We document cross-border data flows. E.g., user data -> hosted on EU cloud -> accessible in Serbia by our team -> backup in EU, etc. This mapping ensures we know where data is at any time and can address questions about jurisdiction and applicable law.
10. Enforcement and Redress
We have mechanisms to enforce this Data Policy within our organization and to address any concerns:
- Internal Enforcement: Any employee or contractor who violates these data protection principles may face disciplinary action. We treat personal data mishandling as a serious matter. We also have internal reporting channels for any unethical or non-compliant behavior (whistleblowing policy) – employees are encouraged to report if they see data being misused.
- User Redress: If an individual believes their data has been handled improperly or their rights not respected, they can contact us (contact info below and in Privacy Policy). We will investigate and respond in a timely manner. We aim to amicably resolve any complaints. If we find we made a mistake, we will take corrective action (e.g., fix the data, change a process to prevent recurrence, and if necessary, notify anyone affected).
- Regulatory Compliance: We are prepared to work with data protection authorities. If someone lodges a complaint to the Serbian Commissioner or an EU DPA and they reach out to us, we will cooperate fully, providing required information and taking remediation steps suggested. As an organization, we consider compliance a continuous journey, and regulatory guidance is welcome to help us improve.
- Liability and Insurance: While we do everything to prevent incidents, we acknowledge our responsibility. In contracts with exhibitors and users (via Terms and this Policy), we try to limit liability in reasonable ways, but we stand by our obligations to protect data. We also maintain (or are in process of obtaining) appropriate insurance for cyber incidents to ensure we can provide redress if something goes wrong (for instance, to cover the costs of notifications, credit monitoring for individuals if needed, etc.). This is part of being accountable and prepared.
- Periodic Reviews: We periodically review this Data Policy and our data protection program (at least annually, or whenever significant changes in law or business occur). This review might involve external experts or consultants to audit our practices. Any findings are used to update our policies and training.
- Certification: If in future there are relevant data protection certifications or codes of conduct in our industry, we will consider adhering to them as an extra layer of commitment (for example, if a standard for event organizers’ data protection emerges).
11. Contact and Further Information
For any questions or concerns regarding our Data Policy or data protection practices, please reach out to:
Wine Vision by Open Balkan – Data Protection Office
Address: Bulevar Vojvode Mišića 14, 11030 Belgrade, Serbia
Email: [email protected] (please include “Data Policy” or “Privacy Inquiry” in the subject)
Phone: +381 11 26 55 239 (you can ask to speak to our data protection coordinator).
We will gladly provide additional information or clarification. If you feel that any aspect of this policy is unclear or that we’re not living up to it, let us know – continuous improvement is part of our accountability.
By adhering to the above principles and measures, Wine Vision by Open Balkan ensures that personal data is handled with the utmost care and in line with the trust our participants and users place in us. We understand that data is about people – our colleagues, partners, and visitors – and we respect their privacy as we would our own.