IPKO Telecommunications LLC (hereinafter referred to as “IPKO”) is a company established in accordance with applicable laws in Kosovo, owned in its entirety by Slovenian Telecom, which processes the personal data of users of its electronic communications services in full compliance with the applicable Law No. 06 / L-082 on Protection of Personal Data.

In this Privacy Policy, IPKO TELECOMMUNICATIONS LLC (hereinafter: IPKO)  provides information on the processing of personal data in accordance with the requirements of the Law on Protection of Personal Data No.06/L-082  to its subscribers, users of its services, buyers and other people.

Specific information and details regarding the processing of personal data within the scope of each specific contractual relationship can also be specified in the contract, general terms and conditions of  use , and in the sales offer for the relevant contractual relationship and/or relevant service.

This Privacy Policy shall apply mutatis mutandis(in the same way)  to the processing of users’ data, when such users are legal or business entities.

Information on the controller

Provided that the documents, regulating a specific contractual relationship, do not stipulate otherwise, the controller of personal data shall be IPKO TELECOMMUNICATIONS LLC., “Zija Shemsiu” Street, No.34 , Ulpiana Neighborhood, Prishtina , www.ipko.com, info@ipko.com

You can communicate in writing with IPKO’s Data Protection Officer, via mail (IPKO Telecommunications LLC, Data Protection Officer, “Zija Shemsiu” Street, No.34, Ulpiana Neighborhood, Prishtina) and/or via e-mail: (ipkopriovacy@ipko.com).

General

IPKO collects information on individuals, which is required to conclude the contract, to satisfy statutory requirements, to provide services, and/or to fulfil other legal purposes where relevant information is submitted to IPKO by individuals themselves, or IPKO may acquire the data from other sources, or such data is created during the provision and use of services. During its business with its subscribers, users and other clients, IPKO also processes other personal data submitted by the data subjects within the scope of such business.

IPKO acquires information on subscribers/users directly from data subjects and/or other sources, in accordance with the conditions set by applicable regulations, relevant contracts, this Privacy Policy and conditions of use of IPKO services.

The data referring to IPKO clients are IPKO’s trade secret.

Due to the accuracy and up-to-dateness of the processed personal data,  IPKO may verify the veracity of personal data by checking a personal identification document and/or other official records of the subscriber/user, to which the data refers.

In order to verify the veracity of data, submitted to IPKO  by the subscriber or user (e.g. data listed in the subscription agreement, data submitted within the client’s order and/or during the client’s use of services or goods, etc),  IPKO may acquire such data and/or verify the data’s veracity from/with anybody, institution, employer, bank or other personal data controllers.

Grounds for and aims of personal data processing

Agreement/Contract

IPKO uses the data to conclude agreements/contracts, and to fulfil contractual obligations from contractual relationships with the users. The aim of personal data processing is also evident from the agreement/contract and/or other documents, governing the relevant contractual relationship. When processing personal data for the needs of implementation of an agreement / contract IPKO shall process only the data, which is required for the conclusion and implementation of the agreement/contract and/or fulfilment of contractual obligations.

During the provision of specific services, IPKO shall process personal data only for the purposes, stipulated by the agreements/contracts, and conditions of use  of the relevant service. In case of changes of existing services or introduction of new services, IPKO shall update this Privacy Policy or amend the existing agreements/contracts and terms and conditions, and/or conclude or adopt new terms and conditions.

Law

Besides processing of personal data, which is required to conclude or implement the agreement/contract, IPKO also processes personal data in cases, stipulated by the law.

Personal data and categories of personal data, processed by IPKO pursuant to the law, are defined in agreements/contracts and in terms and conditions for the use of relevant service. In case of changes of existing services or introduction of new services, if needed and pursuant to the law, IPKO shall update this Privacy Policy or amend the existing agreements/contracts and terms and conditions, and/or conclude or adopt new terms and conditions.

Consent

In case of user’s consent, IPKO shall process personal data only for the purposes, for which the user has given consent. In cases where personal data processing is based on consent, the user may withdraw their consent at any given time.

When processing personal data based on consent, IPKO shall duly assess, which data is required for a specific purpose, and shall use only the data, required to achieve the purpose. During processing of personal data, IPKO shall duly protect such data and implement relevant data protection activities.

By granting their consent, the user agrees that IPKO may process personal data or categories of personal data, available on the user, which is listed in the consent. This can include data, which the user submits to  IPKO when concluding and implementing contractual relationships (e.g. including, but not limited to: data from applications, agreements/contracts, questionnaires, surveys and other documents, including the data on the subscribed/desired services or devices), information on the purchase of goods and use of  IPKO services (e.g. including, but not limited to information on the used and/or billed services, including their quantity and type, as well as information on the use of  IPKO’s websites and apps), and traffic and location data (e.g. including, but not limited to: information on connections and related location data, data on the location of devices).

Personalized offers include the general offers of IPKO, which IPKO submits to users when it assesses that they could be interesting for a specific user, as well as offers, tailored specifically to each user.  IPKO shall process data for automated decision-making whether a specific offer is interesting for a specific user, as well as for their profiling/segmentation (e.g. based on demographic, socio-graphic and behavioral data, and other criteria and factors, such as gender, age, location of residence, service usage frequency, type and time of the use of services, websites and apps, past purchasing habits, location or online identification), on the basis of which IPKO shall submit offers to the user.

Based on consent, IPKO may submit information and offers to the user through all communication channels listed in the consent, for which the data is available within the scope of the contractual relationship, which is the subject of users’ consent.

When processing the data for development and direct marketing of goods and services to IPKO’s business users and partners, personal data shall be processed solely by IPKO or an entity, authorized by IPKO.

In case a client grants their consent for the processing of data for a specific purpose, and has not withdrawn such consent, IPKO may – within the scope compliant with regulations – process personal data for such purpose for another two years after termination of the contractual relationship, for which the consent has been given.

IPKO may also acquire data and consent from individuals, who are not subscribers or users of IPKO’s services, and process such data in accordance with their consent. In case that the subscriber enables the use of services to another person, they shall thus authorize such person to grant consent within the scope of the enabled services.

Users can withdraw their consent by sending a written request to:  IPKO TELECOMMUNICATIONS LLC, “Zija Shemsiu” Street, No.34, Ulpiana Neighborhood, Prishtina, info@ipko.com; by submitting a written request at IPKO’s points of sale; by sending their request by email to:i info@ipko.com; or by calling +38349/700700.

In cases when consent is collected through electronic communication services or information services (e.g. SMS messages, apps) and where appropriate, users can also withdraw their consent through these communication channels.

In case a consent is withdrawn, IPKO shall cease to process data, collected based on the relevant consent, and/or shall no longer process them for the purpose, which was the subject of consent.

Processing based on legitimate interest

IPKO also processes users’ personal data for the legitimate interest of the company ( IPKO) or third parties for purposes, listed herein or in the agreement/contract, as well as in terms and conditions or other documents, which regulate a specific contractual relationship.

In case of processing of users’ personal data based on a legitimate interest, IPKO shall thereby consider potential effects of such processing on users (both positive and negative), as well as users’ rights related to such processing. In such a case, the legitimate interest of IPKO does not automatically prevail over the interests, fundamental rights and freedoms of users.  IPKO shall not process data in cases where user’s interests (esp. when the user is a child) prevail over the interests of IPKO, if it doesn’t have user’s consent, or if such processing is not required by regulations and/or such processing is not allowed pursuant to the law.

When processing personal data based on a legitimate interest, IPKO shall process only the data required to achieve the purpose, pursuant to the given consent, and shall implement all relevant personal data protection measures.

IPKO shall process users’ personal data based on its legitimate interest pursuant to this Policy, in case of and for the purposes listed hereafter. Additional examples of processing based on a legitimate interest can also be listed in agreements/contracts, terms and conditions, as well as other documents regulating each contractual relationship.

Fraud prevention

As a part of care for its users, as well as endeavors to ensure its business continuity, IPKO strives to prevent fraud and provide for security, consistency and continuous operation of IPKO’s networks and services. When entering contractual relationships and purchasing goods or services, and during the implementation of contractual relationships and the use of services, IPKO shall implement procedures and measures for fraud prevention and for ensuring the security of its services, networks and business. When processing data for the above-specified purposes IPKO shall process information about users and the use of IPKO’s services, including traffic and location data. As a rule, the legitimate interest of IPKO to prevent fraud always prevails over the interests, fundamental rights and freedoms of users. On the basis of processing of data,  IPKO can adopt fraud prevention measures, which may include the prevention or restriction of access to  IPKO’s services and networks, restriction of rights from contractual relationships, termination of contractual relationship, activities required for identification of users and/or violators, initiation of relevant civil, inspection or criminal proceedings for prevention or limitation of fraud, as well as other measures, permissible by law or regulations.

Marketing analyses

Pursuant to the Law on Protection of Personal Data, the legal grounds for direct marketing can also serve as a legitimate interest. Pursuant to its legitimate interest and for direct marketing, IPKO also processes the data for segmentation and profiling of its users. In this case IPKO processes the data about the user and the use of IPKO’s services, its websites and apps, social networks and Loyalty Programme. However, in this case IPKO does not process traffic data, including information about connections or location data, unless it acquires relevant prior user’s consent. Such data processing does not affect users’ rights originating from contractual relationships.

As IPKO provides a broad range of services that are subject to regulation and various regulations, the processing of personal data for direct marketing pursuant to a legitimate interest can be additionally defined in contracts, terms and conditions, as well as other documents applicable to a specific service.

Surveys

Users’ feedback is required and of great help for the provision of high-quality services that satisfy users’ needs.  IPKO wants to collect the most relevant information about users’ satisfaction with IPKO’s services and offers. Occasionally and when in contact with its users, IPKO can also send these users an invitation to complete a survey questionnaire and/or submit feedback and opinions about IPKO’s services and offers. In such cases, IPKO processes users’ contact information (phone number, email) and information about the contact. Completion of surveys is voluntary, while (non) failure to complete the survey shall not impact users’ rights.

Risk management

When doing business with its users, IPKO shall act with all due diligence, including diligent risk management.  In  order  to  manage  risks, IPKO  can  monitor  the  implementation  of  contractual relationships with its users, including the processing of data on the users and their use of IPKO’s  services, while this data is used for segmentation and profiling of users.  However, in this case IPKO shall not process traffic data, including information about connections or location data, unless it acquires relevant prior user’s consent. If doing business with a specific user could constitute a risk for IPKO, IPKO can adopt relevant measures to mitigate such risk, including restriction of access to services. Moreover, specific IPKO offers may be available only to specific groups of users, who meet the requirements stated in the offer, which can include a certain level of risk.

Analyses

IPKO strives for continuous customization and improvement of its services and offers. Therefore, it holds a legitimate interest for the monitoring of contractual relationships and analyzing the use of services by its users, i.e. for the planning and development of services and apps, for market assessment and for measuring the success of sales, marketing activities, and activities aiming to improve user experience and the quality of services. In this case, IPKO shall process only the data about the user and the use of IPKO’s services, its websites and apps, social networks and Loyalty Programme, while also applying relevant protection measures that can include anonymization and/or pseudonymisation. However, when doing so, IPKO shall not process traffic data, including information about connections or location data, unless it acquires relevant prior user’s consent, or if such data has been anonymized before that. Data processing for analyses does not affect users’ rights originating from contractual relationships.

Acquisition of consents

When providing goods or services, IPKO wants to provide its users with relevant information, and process personal data as much in line as possible with users’ wishes and expectations. Thus, when exercising contractual relationships with users, IPKO has a legitimate interest to request their consent. In the process, IPKO shall process phone number(s), email address(es), name, surname and postal address, username, identifiers of the TV interface/app, and information on consents, which may then be used for requesting users to provide their consents.

Data on network devices/equipment

When installing network equipment for broadband services, the equipment is used to set and store the settings, which conform to the user’s needs. In case of repair interventions, where the settings need to be reset or the device/equipment needs to be replaced, or when support is required to properly set the relevant devices/equipment, provision of high quality and fast service is possible only if IPKO stores these settings. In the process, the data from network devices/equipment is processed (user’s network settings, i.e. including but not limited to: DHCP server, modem’s LAN IP, DHCP MAC-IP reservations, PortForwarding, DMZ settings, information about user’s devices and their mutual connections – physical MAC address, assigned IP address and device name).  IPKO uses this information to provide support and assistance to users, and during repair interventions on network devices/equipment.

Right to object

The user shall have the right to object and can, at any given time, object to the processing of data for the above- specified purposes. In this case IPKO shall – if this is possible and if the interests of IPKO do not prevail over the user’s interests, rights and freedoms – cease with the processing of data for these purposes. A user can submit their objection by sending a written request to IPKO, either by email to: info@ipko.com; by regular mail to  IPKO Telecommunications LLC., “Zija Shemsiu” Street, No.34, Prishtina,; or by submitting their written request at the points of sale of  IPKO.

Types of data

Types and/or categories of personal data processed by IPKO depend on the relevant service and are listed or described in agreements/contracts and/or in terms and conditions for the use of relevant service.  IPKO may acquire personal data either directly from the user, or indirectly through the user’s use of a specific service.  IPKO may also acquire personal data from third parties – in this case, IPKO shall acquire and process the same types and/or categories of personal data, as if such data had been acquired directly from the user.  IPKO can also receive user’s personal data from a third party, who enters or wishes to enter into a contractual relationship with IPKO (e.g. user’s employer or another user of IPKO, contractual partners who list individuals as contact persons, etc). In such case third party must provide the relevant license for transmission of personal data to IPKO and shall duly inform and notify the user thereof.

With the aim to check the correctness of data and to acquire the correct data, IPKO may also acquire data from third parties on its own. In these cases, IPKO shall acquire the same types of data, as if such data had been or should have been submitted by the user when entering the contractual relationship (e.g. new/correct address when concluding their subscription relationship, etc).

Users of personal data

Users of personal data include IPKO, IPKO suppliers,  IPKO’s contractual partners, and state bodies.

Before IPKO allows its suppliers or business partners to access personal data, IPKO shall first verify, whether they comply with IPKO requirements regarding the processing and protection of personal data. Unless explicitly stipulated otherwise by the contract for the specific contractual relationship for processing of personal data by suppliers and business partners, IPKO shall be liable to users for the processing of users’ personal data. IPKO’s suppliers and business partners may be granted access to personal data to the relevant extent and within the relevant scope, as needed for the supply/delivery of goods and/or provision of services.

IPKO may submit subscriber /user’s information to contractual partners, to whom IPKO assigned its claims against the subscriber/user.

Official bodies may acquire personal data from IPKO only in cases and pursuant to procedures, stipulated by the law.

Co-controllers of personal data

IPKO sells or provides specific services in cooperation with partners, who also enter into a contractual relationship with the client, and are – in these cases – the controllers of data with their own requirements for the processing of personal data, including the requirements for their transmission to third countries. In these cases, IPKO’s business partner shall be directly liable to users for its processing of users’ data (and IPKO shall not bear any liability for such processing by its contractual partner).

Transfer to third countries

As a rule, IPKO does not transfer users’ personal data to third countries. In cases, when IPKO’s suppliers and/or contractual partners  come from third countries and the provision of their services to  IPKO or users can involve processing of personal data,  IPKO shall enable their access to personal data in compliance with requirements stipulated by the Law on Protection of Personal Data– especially by applying relevant security measures pursuant to the Law on Protection of Personal Data (which can include the conclusion of a relevant data processing agreement, as well as other protection measures available pursuant to  the Law on Protection of Personal Data).

During the provision of specific services users’ personal data can be transferred to third countries due to the nature and use of a specific service (e.g. calls, communication with users from third countries, mobile roaming in third countries, use of online services from third countries, etc).

Retention period

IPKO shall store and process personal data during the term of contractual relationships, until the resolution of fulfilment of contractual obligations, settlement or until the statute of limitations of all claims, or for the time, for which the user submitted their consent (applicable in case that the retention period is longer than the above- mentioned periods). Shorter retention periods can be defined for specific types of data during provision of specific services base on applicable Laws (e.g. traffic data).

 

Pursuant to tax and financial regulations, legislation and standards which regulate accounting, bookkeeping and retention of documents,  IPKO needs to keep all invoices and underlying documentation for all business relationships for a period of at least six(6) years  after the end of the year, during which the relevant business event occurred, or for the term, stipulated by the rules on the retention of documents (whichever is longer), while the data that are used for investment purposes must be kept for the period of duration of the investment.

As exception to this rule, the period of retention of documentation on immovable property must be valid for twenty (20) years. The same rules apply with regard to the electronic storage of these documents, books, records and registers.

Consequently, IPKO shall keep invoices and related billing information, as well as information and documents about users, for a maximum period of  six years from the end of the year, to which the relevant invoice refers to, and/or from the termination of the contractual relationship; or for the period, stipulated by the rules on the retention of documents (whichever is longer).  IPKO shall use the above-listed data and information to fulfil its statutory obligations, and for the potential enforcement, facilitation or defence of legal claims that originate directly from the relationship between the individual and IPKO, or from the relationships between e IPKO and third parties.

If IPKO anonymizes personal data in such a way that they can no longer be used to identify a specific person, such data can be stored and processed without any restrictions on the retention period.

In case of receipt of a request for the deletion or restriction of processing,  IPKO shall fulfil such request, by limiting the processing of data solely to purposes, stipulated by the law and to potential enforcement, facilitation or defense of legal claims.

Electronic communications

Pursuant to the  Law on Electronic Communications the data regarding the monitoring and surveillance of the use of data services, as well as data regarding emergency calls are stored  in case of requests from competent bodies for access to personal data, in case of submission of traffic and location data  the data are stored for a maximum period of 12 months.

Except in cases, when data is processed on the basis of individuals’ consent, within  24 months after the termination and expiration of all contractual relationships and/or after the payment of all outstanding debt of subscribers/users of electronic communication services,  IPKO shall restrict the processing of data about subscribers/users of electronic communication services to the aims, stipulated by regulations and to potential enforcement, facilitation or defense of legal claims.

Processing of business entities’ data

General

Data of business entities (e.g. business subscribers/users, business partners and potential business partners), i.e. data of persons, who are not consumers, can be processed by IPKO to the maximum possible extent and for all purposes (including direct marketing), permitted by applicable law.

In case that a business entity does not opt for the marketing of IPKO’s services or against it,  IPKO can use the business entity’s public information and any contact email addresses or phone numbers acquired from the business entity, as well as information on the use of services for the sending of personalized messages, including direct marketing through SMS and MMS messages, by mail and e-mail or through direct calls.

At any given time, the business entity can make a written request to IPKO for a permanent or temporary suspension of the use of information for direct marketing. Within fifteen (15) days of such request, IPKO shall duly prevent the use of data for direct marketing.

Information about business entities can also include personal data, submitted or published by them (e.g. contact information). In this case, when addressing business entities, IPKO can also process such personal data.

Sources

IPKO can acquire data from business entities, individuals or public announcements/notices of business entities, as well as from entries/publications in public databases.

Legitimate interest

IPKO has a legitimate interest to inform business entities (including for direct marketing of potentially interesting services of IPKO) on IPKO’s services and events. Moreover, the business entities themselves have an interest to receive notifications about services, which could improve their business. When business entities submit personal data to  IPKO as their contact data, or when such data is publicly disclosed, and they do not expressly object to the use of this data for contacting or information purposes,  IPKO can use this data for information purposes, including direct marketing.

Retention period

IPKO shall store business entities’ data in accordance with the rules stipulated herein and by any agreements/contracts, and conditions of use. Contact information of potential business partners shall be kept until revocation or for the term of contact campaign’s implementation, if the data is acquired from publicly accessible sources.

Rights of individuals

Users can demand:

–   Printout or access to data, by which they can become informed on their personal data, which     IPKO processes about the user;

–   The correction of data, when users believe that their personal data, processed by IPKO is incorrect;

–   Deletion or restriction of personal data processing, if they want that IPKO to cease or restrict the processing of a part of or all their personal data;

Moreover, users can:

–   Object to the processing of personal data based on a legitimate interest or processing of personal data for the purpose of direct marketing;

–   exercise their right to transfer of personal data, which they submitted to IPKO.

In the submission for the exercise of their rights, users must properly identify themselves and clearly define their request.

IPKO users can submit data corrections to IPKO in writing, or by signing a new document for the contractual relationship, which includes the corrected data.

Specific users’ rights may be limited in specific cases pursuant to regulations (e.g. prohibition of information about any investigations, etc).

IPKO shall inform the individual on the information about measures, adopted based on received requests, as a rule within a period of one month, however, not later than within three months.

Right to complaint

In case that a user believes that IPKO violated their rights during the processing of personal data, they can lodge a complaint with IPKO. Users should submit their complaints by mail to: IPKO, Zija Shemsiu Street”, No.34, Ulpiana Neighborhood, Prishtina; by email to   dpo@ipko.com or in writing at the points of sale of IPKO.

Users can also lodge a complaint with the supervisory authority for personal data protection. The supervisory authority for data protection in the Republic of Kosovo is the Information Commissioner.

Failure to submit data and consequences

When entering into contractual relationships with users, IPKO shall only demand the information, which can be demanded in accordance with regulations, or the information required for the conclusion and implementation of the agreement/contract. The required information is listed in the agreement/contract or the terms and conditions of use of a specific service.

In case that the user fails to submit data to IPKO, or IPKO cannot acquire such data, IPKO can reject conclusion of the agreement/contract, or it can withdraw from the agreement/contract. Users can also submit other additional data to IPKO.

Automated decision-making and profiling

To ensure continuous provision of electronic communication and other services, and the security of such provision (including security measures for the protection of individuals’ personal data), and when processing personal data pursuant to this Privacy Policy,  IPKO also processes data through automated decision-making and/or profiling. 

Final provisions

In addition to this Privacy Policy, processing of data within each contractual relationship is also regulated by the agreement, as well as the conditions and terms that govern a specific contractual relationship.

This Privacy Policy has been drafted in compliance with the Law on Protection of Personal Data, which is in full compliance with the (EU) Regulation 2016/679 of the European Parliament and the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

In case that the relevant contract, or the terms and conditions which govern the business relationship, violate this policy, the data shall be used to the extent, permitted by the Law or the applicable Personal Data Protection Act.

This Privacy Policy shall be published and available on IPKO’s website and at its  points of sale e.