Pursuant to Article 15 of the Serbian Law on Personal Data Protection ("Official Gazette of the Republic of Serbia", No. 97/2008, 104/2009–different law, 68/2012–Constitutional Court ruling and 107/2012) concerning the collection of personal data in course of the registration of national Internet domains, the Serbian National Internet Domain Registry Foundation, as a data controller, hereby gives the following notification regarding the processing of personal data:
1) Identity of entity responsible for data processing
Serbian National Internet Domain Registry Foundation [Fondacija "Registar nacionalnog internet domena Srbije"], entered in the Register of Endowments and Foundations held with the Business Registers Agency
Žorža Klemansoa 18a/I, 11108 Belgrade, Serbia
Žarko Kecić, acting director
2) Purpose of data collection and processing
The National Internet Domain Registry is a unified electronic database in which national Internet domain names are maintained, as well as data connected with them. Data on registrants and on contacts for registered domain names – who may be individuals or legal entities – comprise an integral part of this database.
Personal data is collected for the purposes of maintaining records on who the registrant is for a particular domain name and who the contacts are for that domain, as well as in order to pursue the rights and obligations arising from the contractual relationship entered into for the registration of domain names, as laid out in the General Terms and Conditions for the Registration of National Internet Domain Names.
The data collected by RNIDS is recorded in the central registry held by the Commissioner for Information of Public Importance and Personal Data Protection.
3) How data are used
RNIDS collects data on domain names via a RNIDS accredited registrar (AR). An AR is a legal entity or sole proprietorship with a registered office in the Republic of Serbia that has been authorised by RNIDS to provide domain name registration services at the request of registrants for and on behalf of RNIDS (in terms of the Law on Personal Data Protection, AR has the role of "data processor" on behalf of RNIDS).
Domain name data is passed between RNIDS and ARs in electronic form via an encrypted Internet connection, and then held on infrastructure that is protected from unauthorised access using physical, software and organisational measures (controlled access to equipment on which data are held, software systems for controlling and logging access, detection of unauthorised access, etc.).
Domain name data are kept for 10 years after the last change.
Data on registered domain names are publicly accessible. Data on the registrant and the administrative and technical contacts made publicly available by RNIDS consist of:
- for individuals: name and surname;
- for legal entities and sole proprietorships: name and surname of the contact within the legal entity or sole proprietorship who is the administrative or technical contact, name (business name), registered address and corporate registration number.
On request by the registrant, submitted via the AR, RNIDS will activate protection against public exposure of data on the registrant and the administrative and technical contacts. In this case, no data are made public on the registrant or administrative or technical contact, be they an individual or legal entity.
4) Persons using data
Data from the national Internet domain Registry are used by employees for tasks involving the registration of domain names in RNIDS, solely for the purposes of the tasks being performed and in proportion to them. All operations performed by employees within the national domain registration system (RSreg 2.0) are recorded and monitored.
RNIDS may allow relevant authorities, other entities and agencies access to information from the Registry collected by RNIDS in accordance with the General Terms, including data for which protection from public exposure has been activated, if they have the right to access this information under the applicable regulations of the Republic of Serbia. RNIDS may also supply these data in response to a request submitted through official routes by a court or alternative domain name dispute resolution body.
5) Legal basis for the collection and processing of data
The legal basis for the collection and processing of personal data is the consent provided by the subject in entering into a contractual relationship for the registration of a national domain name.
6) Withdrawal of consent for the processing of data and legal consequences of withdrawal
An entity who is the registrant of a domain has the right to withdraw previously given consent for the processing of personal data processed by RNIDS. The legal consequence of withdrawal is termination of the contractual relationship between RNIDS and the registrant, since the contract becomes untenable, and following on from this the registration of all national domains for which the entity is listed as a registrant is terminated.
7) Rights of the entity in event of unauthorised processing
In the event of unauthorised processing of data, the entity may claim all rights arising from the Law on Personal Data Protection, the application of which is monitored by the Commissioner for Information of Public Importance and Personal Data Protection.
8) More information on the administration of domains and on contacts for questions relating to the processing of personal data
You can find more information on the administration of domains on Administering domain names.
Contact for questions relating to the processing of personal data is:
General and Legal Affairs sector manager
Phone: +381 60 0120-553
Working hours: 09.00-17.00 (CET/CEST), Monday-Friday