🤝 Data Processing Agreement
Planeta računari — GDPR Art. 28(3) DPA for Agency clients using the plug-in to process end-user data.
Preamble
This Data Processing Agreement (hereinafter "DPA" or "Agreement") is concluded between:
Data Controller ("Controller" or "You" / "Your Company"):
- Name: as specified in Your Order Form or license activation
- Registered office: as registered in Your country
and
Data Processor ("Processor" or "We" / "Planeta"):
- Planeta računari — PLANETA RAČUNARI (Aleksander Krsmanović)
- Registered office: Milice Pavlović 32/3/12, 32000 Čačak, Serbia
- Registration number: 62397314 · Tax ID (PIB): 106 957 267
- Email: office@planeta-racunari.rs
Jointly referred to as the "Parties", and individually a "Party".
This DPA supplements the Terms of Service; in case of conflict with the ToS, the provisions of this DPA prevail on matters of data protection.
1 Definitions
Terms used in this Agreement have the meanings given in the GDPR (Regulation (EU) 2016/679) and the Serbian ZZPL (Law on Personal Data Protection):
| Term | Definition |
|---|---|
| GDPR | Regulation (EU) 2016/679 on data protection |
| ZZPL | Serbian Law on Personal Data Protection |
| Personal data | Any data relating to an identified or identifiable natural person |
| Data subject | Natural person whose data is processed |
| Processing | Any operation performed on personal data (collection, storage, deletion, etc.) |
| Controller | Party that determines the purpose and means of processing |
| Processor | Party that processes data on behalf of the Controller |
| Sub-processor | Third party engaged by the Processor for processing |
| Personal data breach | Security incident leading to unauthorized access, loss, alteration, or disclosure |
| Supervisory authority | Body competent for data protection (e.g., the Commissioner for Serbia, ICO for the UK, CNIL for France) |
| Plug-in | QR vCard Pro WordPress plug-in |
2 Background and Purpose
2.1 Context
You (the Controller) use the QR vCard Pro plug-in licensed from Planeta računari. The plug-in processes personal data in the following scenarios:
Scenario A — QR card scanning: When a visitor scans a QR code created with the plug-in, the plug-in records technical data about the scan (date, time, device, hashed IP address).
Scenario B — Contact Exchange: If You have enabled the Contact Exchange feature, a visitor can send You their data (name, email, phone, company, message) via a form on the landing page.
Scenario C — Geographic location (optional): If You have enabled the "Geographic location of scans" option, the visitor's IP address is sent to the ip-api.com service (a third party) to obtain city/country-level location.
2.2 Roles of the Parties
You are the Controller for all personal data processed via the plug-in on Your site (scan data, Contact Exchange, geographic location). You:
- Decide which plug-in features to enable
- Set up the cookie banner and privacy notice on Your site
- Obtain data subject consent where required
- Handle data subject requests for access, deletion, etc.
We are the Processor to the extent that we process data on Your behalf, which includes:
- License server processing (key validation, activation counting)
- Auto-update downloads
- Possibly: storing data in our infrastructure if You use our managed hosting (currently NOT offered, but may be introduced)
ip-api.com is our sub-processor (see Section 8) if You enable geographic location.
2.3 What is NOT in the scope of this DPA
This DPA does NOT cover the following — these are separate relationships:
- Our processing of Your purchase data (email, name, billing) — that is processing where WE are the Controller and You are the data subject. It is covered by the Privacy Policy.
- Your processing of the personal data of Your employees or customers outside the plug-in — that is Your independent business.
3 Subject Matter, Duration, Nature, and Purpose of Processing
3.1 Subject matter
Processing of personal data in the context of Your use of the QR vCard Pro plug-in, including:
- Storage of scan data in the WordPress database on Your site (NOT in our infrastructure)
- Validation of the license key via our server
- Downloading updates
- Optional geographic enrichment of IP addresses
3.2 Duration
Processing lasts while the license key is active and the plug-in is installed on Your site. After:
- Deactivation of the license, or
- Deletion of the plug-in, or
- Expiry of the license (if a subscription model is introduced)
our processor obligations cease, except for data we must retain by law (accounting).
3.3 Nature of processing
| Operation | Performed |
|---|---|
| Collection of scan data | On Your site (WP DB) |
| Storage of scan data | On Your site (WP DB) |
| IP address hashing (SHA256+salt) | On Your site, at the moment of the scan |
| Sending the IP to ip-api.com (optional) | Your site → ip-api.com directly |
| License key validation | Your site → our license server |
| Update check | Your site → our license server |
| Contact Exchange forms | Visitor → Your site (WP DB) + email notification to You |
KEY POINT: Most of the data does NOT pass through our infrastructure. Our license server receives only:
- The license key
- The activation domain
- The plug-in version
- The hashed IP address of Your server (for fraud detection)
3.4 Purposes of processing
- Operational purpose: to enable QR card functionality and analytics for Your business
- License compliance: to verify that You use the plug-in in accordance with the license
- Security: detection of suspicious activity and fraud
4 Categories of Personal Data and Data Subjects
4.1 Categories of personal data that may be processed
| Category | Example | Sensitivity |
|---|---|---|
| Technical identifiers | IP hash (SHA256+salt), User-Agent string | Standard |
| Geographic data (optional) | City, country (via ip-api.com) | Standard |
| Identification data | First name, last name (Contact Exchange form) | Standard |
| Contact data | Email, phone (Contact Exchange) | Standard |
| Professional data | Company name, position (if the client enters them on the QR card) | Standard |
| Behavioral data | Time and frequency of scans | Standard |
Special categories of data (race, religion, health, etc.) are NOT processed through the plug-in. If You enter such data into a QR card (e.g., medical information), that is Your responsibility, not ours.
4.2 Categories of data subjects
| Category | Description |
|---|---|
| Your clients / visitors | Persons who scan Your QR cards |
| Contact Exchange form senders | Persons who use the opt-in form to share their data with You |
| QR card owners | Persons whose data appears ON the QR card (if You create cards for others — employees, clients) |
5 Our Obligations as Processor
In accordance with GDPR Article 28(3), We undertake to:
5.1 Process only on Your instructions
We process personal data only on Your documented instructions, including with regard to transfers to third countries. Your instructions are contained in:
- This DPA
- The plug-in configuration (which features You have enabled)
- Direct written instructions sent to office@planeta-racunari.rs
If we believe that an instruction of Yours infringes the GDPR or other regulations, we will notify You immediately.
5.2 Confidentiality
We ensure that the persons who process Your data (Aleksander Krsmanović and any future employees):
- Are under a contractual obligation of confidentiality
- Have completed basic GDPR training
- Access data only on a need-to-know basis
5.3 Security measures (GDPR Article 32)
We implement appropriate technical and organizational measures (TOMs), described in detail in Annex 2 of this DPA. The measures include:
- TLS/HTTPS encryption for all traffic
- Bcrypt/argon2 password hashing
- SHA256+salt hashing of IP addresses (default)
- Regular backups
- 2FA for admin access
- Access on the least-privilege principle
5.4 Sub-processors (see Section 8)
We may engage sub-processors only:
- Under the prior general authorization You gave by accepting this DPA
- With 30 days' notice for new sub-processors
- Under the same obligations as ourselves
5.5 Assistance with data subject rights
We assist You in fulfilling data subject rights (access, rectification, erasure, portability, objection, restriction of processing) by:
- Providing You with technical tools in the plug-in to fulfill these rights (e.g., deletion of scan data, export of contacts)
- Responding to Your requests for access to accounts/systems within 5 business days
- Deleting data we processed directly when You so request
5.6 Notification of personal data breaches
In the event of a breach affecting Your data subjects, we notify You:
- Within 24 hours of becoming aware of the breach
- With all relevant information: nature of the breach, number of affected data subjects, categories of data, measures we have taken
- And we help You comply with Your notification obligations toward the competent supervisory authority (72-hour deadline)
5.7 Assistance with DPIAs and consultations
We help You when You need to carry out a Data Protection Impact Assessment (DPIA) or consult the supervisory authority, by giving You technical information about the processing and the security measures.
5.8 Deletion or return of data
Upon expiry of this DPA (e.g., license deactivation, plug-in deletion), We will:
- Delete all personal data we processed on Your behalf (from the license server), except data technically intertwined with Your accounting records (retained for 10 years under the Serbian Law on Accounting)
- Delete backup copies within 30 days (rotation)
- Provide You with an export of the data we held, if You so request, within 30 days
5.9 Audit rights
We agree that:
- You, or an auditor of Your choice, may verify our compliance with this DPA (with 30 days' prior notice)
- The audit is performed during business hours, without disrupting our operations
- The audit must not disclose confidential data of other clients
- Frequency: once a year (except in the case of reasonable suspicion of a breach)
- The audit costs are borne by You, unless the audit reveals material non-compliance with the DPA
Alternatively: We provide You with an annual compliance report covering the status of the TOMs, the list of sub-processors, and a summary of all incidents. This report may be used in lieu of a direct audit.
6 Your Obligations as Controller
6.1 Legal basis
You warrant that You have a lawful legal basis (GDPR Article 6) for all processing You carry out via the plug-in:
- You obtain consent where required (e.g., Contact Exchange)
- You have a legitimate interest where it applies (e.g., scan analytics)
- You provide adequate privacy notices on Your site
6.2 Privacy notice on Your site
You undertake to:
- Have Your own Privacy Policy that clearly describes how You use the QR vCard Pro plug-in
- Mention our role as Processor
- List ip-api.com as a sub-processor (if You have enabled geo location)
- Obtain explicit consent for Contact Exchange forms (the consent checkbox is always unchecked by default)
6.3 Cookies / tracking
- Implement a cookie banner on Your site if You use non-essential cookies
- Obtain consent for cookies before setting them
6.4 Your requests to us
Your instructions to us must be:
- In written form (email)
- Reasonable and in accordance with the law
- Accompanied by a reasonable deadline for execution
6.5 Security on Your side
You are responsible for:
- The security of Your WordPress environment (strong passwords, 2FA, keeping WP core/plug-ins updated)
- The security of the server and hosting provider
- Secure configuration of the plug-in (e.g., do NOT disable IP hashing unless You have a good reason)
7 Security Measures
The detailed technical and organizational measures (TOMs) are listed in Annex 2. In summary:
| Category | Measures |
|---|---|
| Pseudonymization | IP addresses hashed with SHA256+salt |
| Encryption in transit | HTTPS/TLS 1.2+ for all traffic |
| Encryption at rest | Backups encrypted; the production database is not encrypted at the application level (relies on hosting/disk encryption) |
| Access | 2FA, IP whitelist for admin, least privilege |
| Logging | All operations on the license server are logged; logs are retained for 90 days |
| Backup | Daily DB + weekly full; restore tests quarterly |
| Incident response | Plan in Annex 2; 24/7 monitoring |
8 Sub-processors
8.1 List of current sub-processors
See Annex 3 for the complete list; in summary:
| Sub-processor | Purpose | Location | Standard |
|---|---|---|---|
| Unlimited (United Internet d.o.o.) | Hosting of the license server | Belgrade, Serbia (EU adequacy) | ISO 27001 |
| UniCredit Banka a.d. Srbija | Card payment processing (redirect to the bank's page) | Belgrade, Serbia | PCI DSS · GDPR compliance |
| ip-api.com (Brisbane, AU) | Geo lookup (only if You enable it) | Brisbane, AU | Privacy Shield replaced by SCCs |
| SMTP from the hosting provider (Unlimited) | Transactional emails | Belgrade, Serbia (EU adequacy) | — |
8.2 Your right to object
You have the right to object to a new sub-processor within 14 days of our notice:
- If You object, we will try to find an alternative solution
- If no solution is possible, You have the right to cancel the license with a full refund for the unused portion
8.3 Changes of sub-processors
We will announce new sub-processors at least 30 days in advance:
- By email notification
- By updating Annex 3 of this DPA on our website
8.4 Obligations of sub-processors
Every sub-processor is bound by the same protective measures as we are:
- A written contract (DPA with them)
- TOMs not below our level
- Right of audit
We remain fully liable to You for the actions of sub-processors.
9 International Data Transfers
9.1 Transfers outside the EU/EEA
Some of our sub-processors are outside the EU/EEA, in particular:
- ip-api.com (Australia): transfer under the European Commission's Standard Contractual Clauses (SCCs) 2021/914 (only optional city-level geo information; the IP is not stored)
9.2 Legal safeguards
We carry out all transfers with:
- SCCs (Standard Contractual Clauses) as the basis
- A Transfer Impact Assessment (TIA) for high-risk countries
- Additional measures where needed (encryption, anonymization)
9.3 Your right to complain
You may lodge a complaint with Your national supervisory authority if You believe a transfer infringes Your rights.
10 Personal Data Breach Procedure
10.1 Timelines
| Phase | Deadline |
|---|---|
| Breach discovered | T+0 |
| Initial notification to You | T+24h |
| Detailed report | T+72h |
| Final post-mortem | T+30 days |
10.2 Content of the notification
Our notification will contain:
- The nature of the breach
- The categories and approximate number of affected data subjects
- The categories and approximate number of affected data records
- The likely consequences
- The measures we have taken or will take
10.3 Your obligations toward data subjects
If the breach poses a high risk to the rights of data subjects, You are obliged to:
- Notify the data subjects directly (GDPR Article 34)
- Notify the supervisory authority within 72 hours (GDPR Article 33)
We assist You with the technical information needed for these obligations.
11 Term and Termination
11.1 Entry into force
This DPA enters into force:
- Click-through: when You tick the checkbox during license activation or in the plug-in admin panel
- Wet-signed: on the date of signature by both Parties
11.2 Term
The DPA remains in force:
- While Your license is active, OR
- Until either Party terminates it by written notice 30 days in advance
11.3 After termination
Within 30 days of termination:
- We delete Your data (except what we are legally required to retain)
- We return an export of the data to You on Your request
- We notify You when the deletion is complete
Our confidentiality obligations survive termination.
12 Liability
12.1 Our liability
To the extent that we ourselves cause damage by breaching this DPA or the GDPR, we are liable to You up to an amount equivalent to 12 months of the license fees You have paid (up to a maximum of $399 for the Agency tier).
12.2 Joint liability toward data subjects
Under GDPR Article 82(4), the Controller and the Processor may be jointly and severally liable to a data subject. In that case, we have a right of recourse against You to the extent of Your share of the liability.
12.3 Exclusions
Our liability does not cover:
- Damage caused by Your misconfiguration of the plug-in
- Damage caused by poor security on Your site
- Indirect damages, loss of profit, reputational damage
13 Miscellaneous
13.1 Entire agreement
This DPA, the ToS, and the Privacy Policy together constitute the entire agreement between the Parties on the subject of data processing.
13.2 Severability
If any provision is found to be unenforceable, the remainder stays in force.
13.3 Communication
All legally relevant communication is conducted by email:
- Yours: to the email address from Your license
- Ours: office@planeta-racunari.rs
13.4 Versioning
This DPA may be updated. Material changes are announced 30 days in advance. The latest version is always available at: https://planeta-racunari.rs/dpa/
14 Governing Law and Disputes
14.1 Governing law
The law of the Republic of Serbia applies to this DPA, excluding its conflict-of-laws rules.
14.2 Applicability of the EU GDPR
The GDPR remains applicable if You are a Controller processing the data of EU data subjects. This clause does not limit Your GDPR rights or obligations.
14.3 Disputes
Disputes are resolved according to Section 15 of the Terms of Service.
15 Acceptance of the DPA
15.1 Click-through acceptance (default)
By activating Your QR vCard Pro license or clicking "Accept DPA" in the plug-in admin panel, You accept this DPA in its entirety.
Record: The date of acceptance is logged on our license server together with Your license key.
15.2 Wet-signed version
For Agency clients or clients who require a formally signed DPA:
1. Send a request to office@planeta-racunari.rs with the subject "[REQUEST] Signed DPA"
2. Send Your company details (full name, registered office, registration number, authorized signatory)
3. Within 5 business days, we send You a PDF of the DPA with our signature
4. You sign (eSign or print-and-scan) and return it
5. We exchange final copies
6. Cost: free for the Agency tier; €50 for lower tiers (administrative fee)
16 Contact
Questions about this DPA or about data processing:
Planeta računari (Aleksander Krsmanović)
- Email: office@planeta-racunari.rs
- Website: https://planeta-racunari.rs
- Data Protection Officer (DPO): We have not formally appointed a DPO. For all questions concerning data protection, the point of contact is: Aleksander Krsmanović (office@planeta-racunari.rs)
ANNEX 1 — Processing Details
A1.1 Subject matter and duration
See Sections 3.1 and 3.2.
A1.2 Nature and purpose
See Sections 3.3 and 3.4.
A1.3 Types of personal data
| Type | Yes/No | Note |
|---|---|---|
| Identification (first name, last name) | Yes | Via Contact Exchange |
| Contact data (email, phone) | Yes | Via Contact Exchange |
| Professional data | Optional | If the client entered them on the QR card |
| Technical data (IP hash, UA) | Yes | On every scan |
| Geographic location (city-level) | Optional | If enabled |
| Biometric / health / other special categories | NO | Not processed by the plug-in |
A1.4 Categories of data subjects
| Category | Identifiability |
|---|---|
| Visitors who scan a QR code | Anonymous (down to the IP hash) |
| Contact Exchange senders | Identified (with consent) |
| QR card owners | Identified by the Controller |
A1.5 Deletion obligations
| Data type | Deletion |
|---|---|
| Scan logs (IP hash) | 365 days by default (configurable by You) |
| Contact Exchange | On the data subject's request |
| License server logs | 90 days |
| Backups | 30-day rotation |
ANNEX 2 — Technical and Organizational Measures (TOMs)
A2.1 Pseudonymization and encryption (Article 32(1)(a))
| Measure | Implementation |
|---|---|
| IP pseudonymization | SHA256+salt hash (one-way) |
| Passwords | Bcrypt with cost factor 12, or argon2id |
| API tokens | JWT with HMAC-SHA256, 5-minute expiry |
| Database fields (sensitive) | Bcrypt for authentication data; plaintext for the rest (relies on the hosting provider's disk encryption) |
| HTTPS | Mandatory for all endpoints, TLS 1.2+, HSTS enabled |
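Illustration of the IP pseudonymization measure (SHA256+salt, one-way) together with the scan-log retention window from Annex A1.5 (365 days by default). This is an example added to this page for explanation only; it is not the QR vCard Pro plug-in's code, and the per-site salt value, the scan records and the helper names (`pseudonymize_ip`, `record_scan`, `purge_expired_scans`) are constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed per-site salt for this illustration. In practice it would be a
# random secret generated once per site and kept server-side; this value is
# NOT part of the plug-in's real code or configuration (assumption).
SITE_SALT = "0f3a9c1e5b7d2468a1c3e5f7b9d2c4e6"


def pseudonymize_ip(ip: str, salt: str = SITE_SALT) -> str:
    """Return a one-way SHA-256 pseudonym of an IP address (the 'SHA256+salt'
    measure). The textual form is normalized first so that the same address
    always yields the same pseudonym."""
    normalized = ip.strip().lower()
    return hashlib.sha256(f"{salt}:{normalized}".encode("utf-8")).hexdigest()


def matches_pseudonym(ip: str, stored_hash: str, salt: str = SITE_SALT) -> bool:
    """Check whether a live IP corresponds to a stored pseudonym without ever
    storing the raw address; constant-time comparison avoids timing leaks."""
    return hmac.compare_digest(pseudonymize_ip(ip, salt), stored_hash)


def record_scan(scan_log: list, ip: str, user_agent: str, scanned_at: datetime) -> dict:
    """Append a scan record that holds only the pseudonym, never the raw IP."""
    entry = {
        "ip_hash": pseudonymize_ip(ip),
        "user_agent": user_agent,
        "scanned_at": scanned_at,
    }
    scan_log.append(entry)
    return entry


def purge_expired_scans(scan_log: list, now: datetime, retention_days: int = 365) -> tuple:
    """Drop scan records older than the retention window (Annex A1.5: 365 days
    by default, configurable). Returns (remaining_records, number_removed)."""
    cutoff = now - timedelta(days=retention_days)
    kept = [s for s in scan_log if s["scanned_at"] >= cutoff]
    return kept, len(scan_log) - len(kept)


def demo() -> dict:
    """Constructed sample: three scans, one of them older than the retention window."""
    now = datetime(2026, 5, 21, 12, 0, tzinfo=timezone.utc)
    log: list = []
    record_scan(log, "203.0.113.7", "Mozilla/5.0 (Android)", now - timedelta(days=400))
    record_scan(log, "203.0.113.7", "Mozilla/5.0 (Android)", now - timedelta(days=10))
    record_scan(log, "198.51.100.42", "Mozilla/5.0 (iPhone)", now - timedelta(hours=1))
    remaining, removed = purge_expired_scans(log, now)
    return {
        # the raw address never appears in any stored record
        "raw_ip_stored": any("203.0.113.7" in str(s) for s in log),
        "removed": removed,
        "remaining": len(remaining),
        "distinct_pseudonyms": len({s["ip_hash"] for s in remaining}),
    }


if __name__ == "__main__":
    print(demo())
```

The salt must stay secret and per-site: the IPv4 address space is small enough that an unsalted SHA-256 of an address can be matched back to it by hashing every candidate, which is why Section 6.5 warns against disabling IP hashing. Even with the salt, the result is pseudonymization rather than anonymization in GDPR terms, because whoever holds the salt can still link a live visitor to an existing record (as `matches_pseudonym` shows); this matches the "Anonymous (down to the IP hash)" wording in Annex A1.4.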
A2.2 Confidentiality, integrity, availability (Article 32(1)(b))
| Measure | Implementation |
|---|---|
| Access to the license server | 2FA + IP whitelist for admin |
| Database access | Aleksander only; no shared accounts |
| File integrity | Filesystem monitoring (cPanel) |
| Database integrity | Foreign keys, transaction-level isolation |
| DDoS protection | Cloudflare (if You use it) or hosting-level rate limiting |
| Uptime target | 99.5% monthly |
A2.3 Ability to restore (Article 32(1)(c))
| Measure | Frequency |
|---|---|
| Database backup | Daily |
| File system backup | Weekly |
| Off-site backup | Monthly to external storage |
| Restore testing | Quarterly |
| Recovery time objective (RTO) | 24 hours |
| Recovery point objective (RPO, maximum data loss) | 24 hours |
A2.4 Regular testing (Article 32(1)(d))
| Test | Frequency |
|---|---|
| Security audit | Annually |
| Backup restore test | Quarterly |
| Vulnerability scan | Monthly (automated via the hosting provider) |
| Penetration testing | Annually (external) |
| Phishing awareness | Annually |
A2.5 Organizational measures
| Measure | Details |
|---|---|
| Password policy | Minimum 16 characters, strong password manager |
| Device access | Full disk encryption (FileVault / BitLocker) on all devices |
| Onboarding/offboarding | Currently: Aleksander only. On future hiring: NDA + GDPR training + access checklist |
| Incident response plan | Documented plan in Annex A2.6 |
| Vendor management | List of sub-processors and their DPAs |
A2.6 Incident response plan
| Time | Action |
|---|---|
| T+0 | Incident detected (alert, user report, audit) |
| T+15 min | Triage (is it a real incident? what is the scope?) |
| T+1h | Containment (isolate the affected system) |
| T+2h | Notification of our clients (email) |
| T+24h | Detailed notification with all the facts |
| T+72h | Notification of the supervisory authority if required |
| T+30 days | Post-mortem and preventive measures |
ANNEX 3 — List of Authorized Sub-processors
Last updated: 21 May 2026
| # | Sub-processor | Purpose | Location | Legal basis for transfer |
|---|---|---|---|---|
| 1 | Unlimited (United Internet d.o.o.) | Hosting of the license server and website | Belgrade, Serbia (EU adequacy) | EU-based or SCCs |
| 2 | UniCredit Banka a.d. Srbija | Card payment processing (redirect flow; card data does not pass through our site) | Belgrade, Serbia | EU adequacy · PCI DSS |
| 5 | ip-api.com (Salesforce) | Geo lookup (only if the client enables it) | Brisbane, Australia | SCCs 2021/914 |
| 6 | SMTP from the hosting provider (Unlimited) | Transactional emails | Belgrade, Serbia (EU adequacy) | EU or SCCs |
| 7 | Currently no analytics services are used | Web analytics | Belgrade, Serbia (EU adequacy) | EU or SCCs |
Note: The list is updated with 30 days' notice. See Section 8.
1 Preamble
This Data Processing Agreement (hereinafter "DPA" or "Agreement") is concluded between:
Data Controller ("Controller" or "You" / "Your Company"):
- Name: as specified in Your Order Form or license activation
- Address: as registered in Your country
and
Data Processor ("Processor" or "We" / "Planeta"):
- Planeta računari — PLANETA RAČUNARI (Aleksander Krsmanović)
- Address: Milice Pavlović 32/3/12, 32000 Čačak, Serbia
- Registration number: 62397314 · Tax ID: 106 957 267
- Email: office@planeta-racunari.rs
Jointly referred to as "Parties", individually "Party".
This DPA supplements the Terms of Service and in case of conflict with the ToS, the provisions of this DPA prevail for matters of data protection.
2 Definitions
Terms used in this Agreement have the meanings from GDPR (EU Regulation 2016/679) and Serbian ZZPL (Personal Data Protection Law):
| Term | Definition |
|---|---|
| GDPR | Regulation (EU) 2016/679 on data protection |
| ZZPL | Serbian Personal Data Protection Law |
| Personal Data | Any data relating to an identified or identifiable natural person |
| Data Subject | Natural person whose data is processed |
| Processing | Any operation with personal data (collection, storage, deletion, etc.) |
| Controller | Party that determines the purpose and means of processing |
| Processor | Party that processes data on behalf of Controller |
| Sub-processor | Third party engaged by Processor for processing |
| Data Breach | Security incident leading to unauthorized access, loss, alteration, or disclosure |
| Supervisory Authority | Body competent for data protection (e.g., Serbian Commissioner, ICO for UK, CNIL for France) |
| Plug-in | QR vCard Pro WordPress plug-in |
3 Background and Purpose
2.1 Context
You (Controller) use the QR vCard Pro plug-in licensed from Planeta računari. The plug-in processes personal data in the following scenarios:
Scenario A — QR Card Scanning: When a visitor scans a QR code created via the plug-in, the plug-in records technical scan data (date, time, device, hashed IP address).
Scenario B — Contact Exchange: If You enabled the Contact Exchange feature, a visitor can send You their data (name, email, phone, company, message) via a landing page form.
Scenario C — Geographic Location (optional): If You enabled the "Geographic location of scans" option, the visitor's IP is sent to ip-api.com (third party) to obtain city/country-level location.
2.2 Roles of Parties
You are the Controller for all personal data processed via the plug-in on Your site (scan data, Contact Exchange, geographic location). You:
- Decide which plug-in features to enable
- Set up cookie banner and privacy notice on Your site
- Obtain data subject consent where required
- Process data subject requests for access, deletion, etc.
We are the Processor to the extent we process data on Your behalf, including:
- License server processing (key validation, activation counting)
- Auto-update downloads
- Possibly: data storage in our infrastructure if You use our managed hosting (currently NOT offered, but may appear)
ip-api.com is our Sub-processor (see Section 8) if You enable geographic location.
2.3 What is NOT in Scope
This DPA does NOT cover the following — these are separate relationships:
- Our processing of Your purchase data (email, name, billing) — that is our processing where WE are Controller, you are subject. Covered by Privacy Policy.
- Your processing of Your employees' or customers' personal data outside the plug-in — that is Your independent business.
4 Subject Matter, Duration, Nature, and Purpose of Processing
3.1 Subject Matter
Processing of personal data in the context of Your use of the QR vCard Pro plug-in, including:
- Storage of scan data in WordPress database on Your site (NOT in our infrastructure)
- Validation of license key via our server
- Downloading updates
- Optional geographic enrichment of IP addresses
3.2 Duration
Processing lasts while the license key is active and the plug-in is installed on Your site. After:
- License deactivation, or
- Plug-in deletion, or
- License expiration (if subscription model introduced)
Our processor obligations cease, except for data we must retain by law (accounting).
3.3 Nature of Processing
| Operation | Performed |
|---|---|
| Scan data collection | On Your site (WP DB) |
| Scan data storage | On Your site (WP DB) |
| IP hashing (SHA256+salt) | On Your site, at moment of scan |
| Sending IP to ip-api.com (optional) | Your site → ip-api.com directly |
| License key validation | Your site → our license server |
| Update check | Your site → our license server |
| Contact Exchange forms | Visitor → Your site (WP DB) + email notification to You |
KEY: A large portion of data does NOT pass through our infrastructure. Our license server receives only:
- License key
- Activation domain
- Plug-in version
- Hashed IP of Your server (for fraud detection)
3.4 Purposes of Processing
- Operational purpose: enable QR card functionality and Your business analytics
- License compliance: verify you use the plug-in in accordance with the license
- Security: detection of suspicious activity and fraud
5 Categories of Personal Data and Subjects
4.1 Categories of Personal Data That May Be Processed
| Category | Example | Sensitivity |
|---|---|---|
| Technical identifiers | Hash IP (SHA256+salt), User-Agent string | Standard |
| Geographic data (optional) | City, country (via ip-api.com) | Standard |
| Identification data | First name, last name (Contact Exchange form) | Standard |
| Contact data | Email, phone (Contact Exchange) | Standard |
| Professional data | Company name, position (if client enters on QR card) | Standard |
| Behavioral data | Time and frequency of scans | Standard |
Special categories (race, religion, health, etc.) are NOT processed through the plug-in. If You enter such data into a QR card (e.g., medical information), that is Your responsibility — not ours.
4.2 Categories of Subjects
| Category | Description |
|---|---|
| Your clients / visitors | Persons who scan Your QR cards |
| Contact Exchange form senders | Persons who use the opt-in form to share their data with You |
| QR card owners | Persons whose data is ON the QR card (if You create cards for others — employees, clients) |
6 Our Obligations as Processor
In accordance with GDPR Article 28(3), We undertake to:
5.1 Processing Only on Your Instructions
We process personal data only on Your documented instructions, including transfers to third countries. Your instructions are contained in:
- This DPA
- Plug-in configuration (which features You enabled)
- Direct written instructions sent to office@planeta-racunari.rs
If we believe Your instruction violates GDPR or other regulations, we will notify You immediately.
5.2 Confidentiality
We ensure that persons processing Your data (Aleksander Krsmanović and any future employees):
- Are under contractual confidentiality obligation
- Have undergone basic GDPR training
- Access data on a need-to-know basis only
5.3 Security Measures (GDPR Article 32)
We implement appropriate Technical and Organizational Measures (TOMs) detailed in Annex 2 of this DPA. Measures include:
- TLS/HTTPS encryption for all traffic
- Bcrypt/argon2 password hashing
- SHA256+salt IP address hashing (default)
- Regular backups
- 2FA for admin access
- Least-privilege access principle
5.4 Sub-processors (see Section 8)
We may engage sub-processors only:
- With prior general authorization You gave by accepting this DPA
- With 30 days notice for new sub-processors
- Under the same obligations as ourselves
5.5 Assistance with Subject Rights
We assist You in fulfilling subject rights (access, rectification, erasure, portability, objection, restriction of processing) by:
- Providing You with technical tools in the plug-in to fulfill these rights (e.g., delete scan data, export contacts)
- Responding to Your requests for account/system access within 5 business days
- Deleting data we directly processed when You so request
5.6 Data Breach Notification
In case of a breach affecting Your data subjects, we notify You:
- Within 24 hours of becoming aware of the breach
- With all relevant information: nature of breach, number of affected subjects, categories of data, measures we have taken
- Help You comply with Your notification obligations to the competent supervisory authority (72-hour deadline)
5.7 Assistance with DPIA and Consultations
We help You when You need to conduct a Data Protection Impact Assessment (DPIA) or consultation with supervisory authority, providing You with technical information about processing and security measures.
5.8 Deletion or Return of Data
Upon expiration of this DPA (e.g., license deactivation, plug-in deletion), We will:
- Delete all personal data we processed on Your behalf (from license server), except data technically intertwined with Your accounting data (retained 10 years per Serbian Accounting Act)
- Delete backup copies within 30 days (rotation)
- Provide You with data export if You request, within 30 days
5.9 Audit Rights
We agree that:
- You or an auditor of Your choice (with 30 days prior notice) may verify our compliance with this DPA
- Audit is performed during business hours, not disrupting our operations
- Audit must not disclose confidential data of other clients
- Frequency: once a year (except in case of reasonable suspicion of breach)
- Audit costs borne by You, unless audit reveals material non-compliance with DPA
Alternatively: We provide You with an annual compliance report including TOMs status, list of sub-processors, and summary of all incidents. This report can be used in lieu of direct audit.
7 Your Obligations as Controller
6.1 Legal Basis
You warrant that You have a legitimate legal basis (GDPR Article 6) for all processing You perform via the plug-in:
- Obtain consent where required (e.g., Contact Exchange)
- Have legitimate interest where applicable (e.g., scan analytics)
- Provide adequate privacy notice on Your site
6.2 Privacy Notice on Your Site
You undertake to:
- Have Your own Privacy Policy clearly describing how You use the QR vCard Pro plug-in
- Mention our role as Processor
- List ip-api.com as sub-processor (if You enabled geo location)
- Obtain explicit consent for Contact Exchange forms (the consent checkbox is unchecked by default and must not be pre-ticked)
6.3 Cookies / Tracking
- Implement cookie banner on Your site if You use non-essential cookies
- Obtain consent for cookies before setting them
6.4 Your Requests to Us
Your instructions to us must be:
- In written form (email)
- Reasonable and in accordance with law
- With reasonable deadline for execution
6.5 Security on Your Side
You are responsible for:
- Security of Your WordPress environment (strong passwords, 2FA, updating WP core/plug-ins)
- Security of server and hosting provider
- Secure configuration of the plug-in (e.g., do NOT disable IP hashing unless You have good reason)
8 Security Measures
Detailed Technical and Organizational Measures (TOMs) are listed in Annex 2. Summary:
| Category | Measures |
|---|---|
| Pseudonymization | IP addresses hashed with salted SHA-256 (one-way) |
| Encryption in transit | HTTPS/TLS 1.2+ for all traffic |
| Encryption at rest | Backups encrypted; production database not encrypted at application level (relies on hosting/disk encryption) |
| Access | 2FA, IP whitelist for admin, least-privilege |
| Logging | All operations on license server logged; logs retained 90 days |
| Backup | Daily DB + weekly full; restoration tests quarterly |
| Incident response | Plan in Annex 2; 24/7 monitoring |
9 Sub-processors
8.1 List of Current Sub-processors
See Annex 3 for complete list, but summary:
| Sub-processor | Purpose | Location | Standard / Transfer Basis |
|---|---|---|---|
| Unlimited (United Internet d.o.o.) | License server and site hosting | Belgrade, Serbia (no EU adequacy decision; SCCs) | ISO 27001 |
| UniCredit Bank a.d. Serbia | Card payment processing (redirect to bank page) | Belgrade, Serbia (no EU adequacy decision; SCCs) | PCI DSS · GDPR compliant |
| ip-api.com | Geo lookup (only if You enable it) | Brisbane, AU | SCCs 2021/914 |
| SMTP via hosting provider (Unlimited) | Transactional emails | Belgrade, Serbia (no EU adequacy decision; SCCs) | — |
8.2 Your Right to Object
You have the right to object to a new sub-processor within 14 days of our notice:
- If You object, we will try to find an alternative solution
- If no solution is possible, You have the right to cancel the license with full refund for the unused portion
8.3 Sub-processor Changes
We will announce new sub-processors at least 30 days in advance:
- Email notification
- Update of Annex 3 of this DPA on our site
8.4 Sub-processor Obligations
Each sub-processor is bound by obligations no less protective than ours:
- Written contract (DPA with them)
- TOMs not below our level
- Audit rights
We remain fully responsible to You for sub-processors' actions.
10 International Data Transfers
9.1 Transfers Outside EU/EEA
We ourselves and our hosting and payment sub-processors are located in Serbia, for which the European Commission has issued no adequacy decision. For a Controller established in the EU/EEA, the transfer of personal data to us is therefore a third-country transfer under GDPR Chapter V and is made under the Standard Contractual Clauses (SCCs) of Commission Implementing Decision (EU) 2021/914 (Module 2, controller to processor), as set out in Section 9.2. In addition:
- ip-api.com (Australia): transfer under the same SCCs; only the optional city-level geo lookup is affected, and the looked-up IP address is not stored
9.2 Legal Safeguards
All transfers are made with:
- SCCs (Standard Contractual Clauses) as the basis
- Transfer Impact Assessment (TIA) as required by Clause 14 of the SCCs, with particular attention to high-risk countries
- Additional measures if needed (encryption, anonymization)
9.3 Your Right to Complain
You can file a complaint with Your national supervisory authority if You believe the transfer violates Your rights.
11 Data Breach Procedure
10.1 Timelines
| Phase | Deadline |
|---|---|
| Breach detection | T+0 |
| Initial notification to You | T+24h |
| Detailed report | T+72h |
| Final post-mortem | T+30 days |
10.2 Notification Content
Our notification will contain:
- Nature of breach
- Categories and approximate number of affected subjects
- Categories and approximate number of affected data records
- Likely consequences
- Measures we have taken or will take
10.3 Your Obligation to Subjects
If the breach is likely to result in a high risk to subjects' rights and freedoms, You are obligated to:
- Notify the supervisory authority within 72 hours (GDPR Article 33)
- Notify the data subjects directly (GDPR Article 34)
We assist You with the technical information needed for these obligations.
12 Duration and Termination
11.1 Coming Into Force
This DPA comes into force:
- Click-through: when You check the checkbox at license activation or in plug-in admin panel
- Wet-signed: date of signing by both Parties
11.2 Duration
DPA lasts:
- While Your license is active, OR
- Until either Party terminates with written notice 30 days in advance
11.3 After Termination
Within 30 days of termination:
- We delete Your data (except what we must legally retain)
- We provide You with data export upon request
- We notify You of deletion completion
Our confidentiality obligations continue after termination.
13 Liability
12.1 Our Liability
To the extent we ourselves cause damage by breaching this DPA or GDPR, we are liable to You up to the amount equivalent to 12 months of license fees You paid (up to maximum $399 for Agency tier).
12.2 Joint Liability Toward Subjects
Per GDPR Article 82(4), Controller and Processor may be jointly and severally liable to the data subject. In that case, we have a right of recourse against You (Article 82(5)) to the extent of Your share of responsibility for the damage.
12.3 Exclusions
Our liability does not cover:
- Damage from Your poor plug-in configuration
- Damage from Your poor security on Your site
- Indirect damages, lost profits, reputational damage
14 Miscellaneous
13.1 Entire Agreement
This DPA + ToS + Privacy Policy constitute the entire agreement between the Parties on the subject of data processing.
13.2 Severability
If a provision is found unenforceable, the rest remains in force.
13.3 Communication
All legally relevant communication is via email:
- Yours: at the email from Your license
- Ours: office@planeta-racunari.rs
13.4 Versioning
DPA may be updated. Material changes are announced 30 days in advance. Always see the latest version at: https://planeta-racunari.rs/dpa/
15 Governing Law and Disputes
14.1 Governing Law
The law of the Republic of Serbia applies to this DPA, excluding conflict of laws rules.
14.2 EU GDPR Applicability
GDPR remains applicable if You are a Controller processing data of EU subjects. This clause does not limit Your GDPR rights or obligations.
14.3 Disputes
Disputes are resolved according to Section 15 of the Terms of Service.
16 DPA Acceptance
15.1 Click-through Acceptance (default)
By activating Your QR vCard Pro license or clicking "Accept DPA" in the plug-in admin panel, You accept this DPA in full.
Audit trail: Acceptance date is recorded in our license server with Your license key.
15.2 Wet-signed Version
For Agency clients or clients requiring a formally signed DPA:
1. Send a request to office@planeta-racunari.rs with the subject "[REQUEST] Signed DPA"
2. Send Your company details (full name, registered address, registration number, authorized person)
3. Within 5 business days, we send You the DPA as a PDF with our signature
4. You sign (eSign or print-scan) and return it
5. We exchange final copies
6. Cost: free for the Agency tier; €50 for lower tiers (administrative fee)
17 Contact
Questions about this DPA or data processing:
Planeta računari (Aleksander Krsmanović)
- Email: office@planeta-racunari.rs
- Website: https://planeta-racunari.rs
- Data Protection Officer (DPO): We have not formally appointed a DPO. For all data protection inquiries, the contact point is: Aleksander Krsmanović (office@planeta-racunari.rs)
18 ANNEX 1 — Details of Processing
A1.1 Subject Matter and Duration
See Section 3.1 and 3.2.
A1.2 Nature and Purpose
See Section 3.3 and 3.4.
A1.3 Types of Personal Data
| Type | Yes/No | Note |
|---|---|---|
| Identification (name, surname) | Yes | Via Contact Exchange |
| Contact data (email, phone) | Yes | Via Contact Exchange |
| Professional data | Optional | If client entered on QR card |
| Technical data (IP hash, UA) | Yes | At every scan |
| Geographic location (city-level) | Optional | If enabled |
| Biometric / health / other special | NO | Plug-in does not process |
A1.4 Categories of Subjects
| Category | Identifiability |
|---|---|
| Visitors who scan QR | Pseudonymous (only the salted IP hash and user agent are kept) |
| Contact Exchange senders | Identified (with consent) |
| QR card owners | Identified by the Controller |
A1.5 Deletion Obligations
| Type of data | Deletion |
|---|---|
| Scan logs (hash IP) | 365 days default (You can configure) |
| Contact Exchange | Upon subject's request |
| License server logs | 90 days |
| Backups | 30 days rotation |
19 ANNEX 2 — Technical and Organizational Measures (TOMs)
A2.1 Pseudonymization and Encryption (Article 32(1)(a))
| Measure | Implementation |
|---|---|
| IP pseudonymization | Salted SHA-256 hash (one-way) |
| Passwords | Bcrypt with cost factor 12 or argon2id |
| API tokens | JWT signed with HMAC-SHA256 (HS256), 5-minute expiry |
| Database fields (sensitive) | Bcrypt for credentials; other fields stored in plaintext (relies on hosting provider disk encryption) |
| HTTPS | Mandatory for all endpoints, TLS 1.2+, HSTS enabled |
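To make the IP pseudonymization row concrete, the following Python is an added example written for this page; it is not code from the DPA or from the QR vCard Pro plug-in (a PHP/WordPress plug-in). The DPA only says "SHA256+salt", so the exact construction is an assumption: here the pseudonym is a keyed SHA-256 (HMAC-SHA256) over the packed binary address with a secret, per-installation salt. The example also shows the check a reviewer should run before accepting this measure: IPv4 has only 2^32 addresses, so if the salt is known, empty or shared across installs, every pseudonym can be reversed by enumeration, and the measure is pseudonymization only while the salt stays secret. The `/24` enumeration below is a small stand-in for the full address space; `DEMO_SALT` and all addresses are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

# Constructed example salt. A real deployment generates one with new_salt()
# at install time and keeps it outside the database (e.g. in wp-config.php),
# so a database dump alone does not let anyone reverse the scan log.
DEMO_SALT = bytes.fromhex("9f1c" * 16)  # 32 bytes, constructed for this example


def new_salt() -> bytes:
    """Generate a fresh 256-bit secret salt for one installation."""
    return secrets.token_bytes(32)


def pseudonymize_ip(ip: str, salt: bytes) -> str:
    """Keyed SHA-256 pseudonym of an IP address (assumed construction).

    HMAC-SHA256(salt, packed address): the same IP always yields the same
    pseudonym, so unique-scan counting still works, but without the salt
    the mapping cannot be inverted. The address is parsed first so that
    textual variants such as '2001:db8::1' and '2001:0db8:0000::0001'
    map to the same pseudonym, as they should.
    """
    packed = ipaddress.ip_address(ip).packed
    return hmac.new(salt, packed, hashlib.sha256).hexdigest()


def reverse_by_enumeration(pseudonym: str, salt: bytes, network: str) -> Optional[str]:
    """Recover the IP behind a pseudonym by trying every address in a network.

    This is the attack the secret salt defends against: an attacker who
    learns the salt (or finds it empty/static) can hash all 2^32 IPv4
    addresses in hours on one core and turn the "pseudonymous" scan log
    back into plain IP addresses. A /24 keeps the demonstration fast.
    """
    for candidate in ipaddress.ip_network(network):
        if hmac.compare_digest(pseudonymize_ip(str(candidate), salt), pseudonym):
            return str(candidate)
    return None


def is_strong_salt(salt: bytes) -> bool:
    """Minimum sanity check to enforce before enabling IP hashing:
    at least 128 bits and not a degenerate constant."""
    return len(salt) >= 16 and len(set(salt)) > 1


if __name__ == "__main__":
    p = pseudonymize_ip("203.0.113.7", DEMO_SALT)
    print("pseudonym:", p)
    print("reversed with known salt:", reverse_by_enumeration(p, DEMO_SALT, "203.0.113.0/24"))
    print("reversed with wrong salt:", reverse_by_enumeration(p, new_salt(), "203.0.113.0/24"))
```

Two design points follow from the enumeration function. First, the salt is the whole protection, so it belongs in a secret store (the WordPress config file, not a plug-in options row) and must differ per installation. Second, rotating the salt is a privacy improvement but breaks unique-visitor counts across the rotation boundary, so a deployment should choose the rotation period together with the 365-day scan-log retention in Annex 1.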
A2.2 Confidentiality, Integrity, Availability (Article 32(1)(b))
| Measure | Implementation |
|---|---|
| License server access | 2FA + IP whitelist for admin |
| Database access | Only Aleksander; no shared accounts |
| File integrity | Filesystem monitoring (cPanel) |
| Database integrity | Foreign keys, transaction-level isolation |
| DDoS protection | Cloudflare (if used) or hosting-level rate limiting |
| Uptime target | 99.5% monthly |
A2.3 Ability to Restore (Article 32(1)(c))
| Measure | Frequency |
|---|---|
| Database backup | Daily |
| Filesystem backup | Weekly |
| Off-site backup | Monthly to external storage |
| Restoration testing | Quarterly |
| Disaster recovery target time (RTO) | 24 hours |
| Maximum data loss (RPO) | 24 hours |
A2.4 Regular Testing (Article 32(1)(d))
| Test | Frequency |
|---|---|
| Security audit | Annually |
| Backup restore test | Quarterly |
| Vulnerability scan | Monthly (automatic via hosting) |
| Penetration testing | Annually (external) |
| Phishing awareness | Annually |
A2.5 Organizational Measures
| Measure | Details |
|---|---|
| Password policy | Min 16 characters, strong password manager |
| Device access | Full disk encryption (FileVault / BitLocker) on all devices |
| Onboarding/offboarding | Currently: only Aleksander. Upon future hiring: NDA + GDPR training + access checklist |
| Incident response plan | Documented plan in Section A2.6 below |
| Vendor management | List of sub-processors and their DPAs |
A2.6 Incident Response Plan
| Time | Action |
|---|---|
| T+0 | Incident detection (alert, user report, audit) |
| T+15 min | Triage (real incident? scope?) |
| T+1h | Containment (isolate the affected system) |
| T+2h | Initial notification to affected Controllers (You) by email |
| T+24h | Detailed notification with all known facts |
| T+72h | Supervisory authority notification, if required (the Controller's Article 33 duty; we supply the facts) |
| T+30 days | Post-mortem and prevention measures |
20 ANNEX 3 — List of Authorized Sub-processors
Last updated: 21 May 2026
| # | Sub-processor | Purpose | Location | Transfer Legal Basis |
|---|---|---|---|---|
| 1 | Unlimited (United Internet d.o.o.) | License server and site hosting | Belgrade, Serbia | SCCs 2021/914 (Serbia has no EU adequacy decision) |
| 2 | UniCredit Bank a.d. Serbia | Card payment processing (redirect flow; card data never passes through our site) | Belgrade, Serbia | SCCs 2021/914 · PCI DSS |
| 3 | ip-api.com | Geo lookup (only if the client enables it) | Brisbane, Australia | SCCs 2021/914 |
| 4 | SMTP via hosting provider (Unlimited) | Transactional emails | Belgrade, Serbia | SCCs 2021/914 |
We currently do not use any web analytics service.
