McCANN PREDUZEĆE ZA MARKETING I TRŽIŠNE KOMUNIKACIJE DOO, BEOGRAD, Company registration number: 07779119, with its registered seat at Svetog Save 14, Belgrade-Vracar (hereinafter referred to as the “Controller” or the “Company”), hereby informs visitors of the website www.mccann.rs, whose personal data is being processed (hereinafter referred to as the “Visitors”), in accordance with the Law on Personal Data Protection (“Official Gazette of the Republic of Serbia”, No. 87/2018, hereinafter referred to as the “Law”), about all relevant aspects of personal data processing carried out in compliance with the applicable regulations.
The Controller retains all copyright rights related to the use of photographs, texts, and other published materials, in accordance with the applicable legal regulations of the Republic of Serbia. Photographs, texts, and other materials may not be published, sold, made available publicly or privately, or otherwise used without our prior consent. Failure to comply with these conditions entails liability and the obligation to compensate the Controller for any material damage resulting from violations of applicable law.
1.1 This Privacy Policy governs the collection and processing of data within the Controller’s website www.mccann.rs.
1.2 The definitions and terms used in this Privacy Policy correspond to those contained in the Law. The Controller is committed to complying with the legislation of the Republic of Serbia governing personal data protection, as well as to respecting the protection of fundamental human rights and freedoms, particularly the right to privacy of individuals whose personal data is processed by the Company.
1.3 Clicking the “Accept Cookies” button, or any other similarly labeled button with an equivalent function, in the pop-up window displayed to new users upon their first visit to the website www.mccann.rs, shall be considered an active and voluntary action aimed at establishing a lawful legal basis for the collection and processing of data in the manner and for the purposes described in this Privacy Policy, without any reservations. The Controller shall be able to demonstrate, through an electronic record (log) or by other means, that the data subject has performed the aforementioned active and voluntary action, thereby confirming that they have been informed of and agree with this Privacy Policy. The said electronic record (log) shall be deemed a legally valid and sufficient proof of consent, in accordance with Article 15, paragraph 1 of the Law.
1.4 This Privacy Policy may be amended at any time, with any changes being displayed on the homepage of www.mccann.rs. In such cases, data subjects will be asked to provide renewed consent for the processing of personal data, in accordance with the amendments made to this Privacy Policy.
1.5 The rules governing the collection of personal data through Cookies shall be specified in a separate Cookie Policy. All provisions related to giving consent to this Privacy Policy via the designated pop-up window, including the retention of proof in the form of an electronic record (log), as well as the procedure for modifying and notifying data subjects of any changes, shall apply equally to the use of Cookies.
1.6 For any additional questions regarding the rules and provisions of this Privacy Policy, you may contact us by sending an inquiry to the following address: dpo@amagroup.net.
2.1 Please keep in mind that, at all times, when collecting, processing and storing your Personal Data, the Company acts as follows:
a) Personal data will be processed lawfully, fairly and transparently in relation to the Visitors to whom the data is sent (“lawfulness, fairness and transparency”);
b) Personal data will be collected for the purposes specifically determined by this Privacy Policy, which are explicit, justified and lawful, and may not be further processed in a way that is inconsistent with those purposes (“limitation in relation to the purpose of processing”);
c) Personal data will be adequate, essential and limited to what is necessary in relation to the purpose of processing (“data minimization”);
d) Personal data will be accurate and, if necessary, updated. In this regard, the Company will take all reasonable steps to ensure that inaccurate personal data is promptly deleted or corrected (“accuracy”), and we ask that you always notify us of changes to your Personal Data;
e) Personal data will be stored in a form that allows identification of the Visitors only for the period necessary to achieve the purpose of the processing (“storage limitation”);
f) Personal data will be processed in a way that ensures adequate protection of personal data, including protection against unauthorized or illegal processing, as well as against accidental loss, destruction or damage by applying appropriate technical, organizational and personnel measures (“integrity and confidentiality”).
3.1 The Controller may collect various categories of personal data, which are used for different purposes and based on different legal grounds. Typically, this includes a set of data that enables the identification of the data subject, the establishment of communication with the data subject, or data necessary for providing a specific service upon the request of the data subject, or for fulfilling the Controller’s legal obligations. This includes, but is not limited to:
a) Data collected through cookies that the user has enabled or consented to, as described in the separate Cookie Policy;
b) Data collected electronically on visitor identification (IP address, etc.);
c) Data that the Visitor may voluntarily provide to the Controller by sending an email to the address indicated in the “Contact” section, for the purpose of establishing business communication with the Controller;
3.2 Personal data is collected only to the extent necessary for the achievement of a specific purpose.
3.3 The Controller’s website contains links to the Controller’s pages on social networks (Facebook, Instagram, X, LinkedIn). All data collected by the said platform during your visit, as well as any data you voluntarily provide on that platform, shall be subject not only to this Privacy Policy but also to the rules established by the platform itself (such as its Terms of Service/Terms of Use, Privacy Policy, Cookie Policy, etc.). The Controller shall not be held liable for any form of unlawful use of personal data committed by the company that owns or controls the said platform. The privacy policies of the platforms mentioned here can be accessed via the following links:
4.1. The legal basis for the processing of personal data is the freely given and informed consent of the data subject, i.e. their consent for the purposes specified in this Privacy Policy, in accordance with Article 12 paragraph 1 of the Law.
4.2. Your personal data obtained based on your consent will be processed and stored as long as your consent exists, that is, until your consent is revoked. You can revoke your consent to the collection, processing and use of your data at any time by sending an electronic request to the email address: dpo@amagroup.net.
4.3. Revocation of consent does not affect the permissibility of processing Personal Data based on your consent before the revocation.
5.1 The Controller uses data for various purposes, which are always directly related to the legal basis for processing. The Controller offers different types of services to other entities, and in order to establish a business relationship, collects and processes certain personal data. This particularly applies to data submitted via the website www.mccann.rs by visitors seeking to establish business contact with the Controller and to receive a non-binding service offer. Data may also be processed for the purpose of contacting individuals in order to negotiate contract terms and fulfill other potential obligations arising from a contractual relationship. If a business relationship is subsequently established, the Controller will provide the business partner with a notice on personal data processing. For any additional processing purposes that may arise, the data subject will be informed of all necessary details prior to the commencement of such processing activities, and the processing will be based on an appropriate legal basis, in accordance with the law. The purpose of processing in relation to cookies is defined in the separate Cookie Policy.
6.1 Data may be disclosed to employees of the Controller, professional advisors, service providers, IT technicians, government authorities, and individuals who are contractually engaged with the Controller (Data Processors) and entrusted with specific data processing activities (all in accordance with legally prescribed conditions related to information security, confidentiality obligations, and contractual regulation of rights and responsibilities). Your personal data may also be shared with companies within the AMA Group, to which the Company belongs. All parties are required to handle personal data in accordance with all provisions of the Law regarding the security of personal data processing.
6.2 The Controller generally does not transfer personal data outside the borders of the Republic of Serbia. However, data may be transferred to another country or international organization without prior approval if it has been determined that such country or organization ensures an adequate level of personal data protection. In this regard, the Decision on the list of countries, parts of their territories, or one or more sectors of specific activities in those countries and international organizations where an adequate level of personal data protection is considered to be ensured (“Official Gazette of RS”, No. 55/2019) defines where such protection is deemed adequate.
7.1 The data subject whose personal data is processed by the Controller may request the following:
a) to request information on whether the Controller processes his/her Personal Data and to request access to that data
At the request of the Visitors, the Company will provide information about the personal data of the Visitors processed by the Company or our processors, in accordance with our instructions, about the purpose of processing Personal Data, the legal basis and duration of processing, the name and address of the processor and its activities related to processing, circumstances and impact on the violation of personal data, as well as measures taken with the aim of eliminating them, and, in the case of data transfer, information about the legal basis of such transfer and the receiver.
After you submit your request, and no later than 15 days from the date of receipt of the request, the Company will provide you with a written statement in an understandable language. A written statement will be provided free of charge, unless the request is manifestly unfounded or excessive, and especially if it is repeated frequently. In that case, the Company may charge the necessary administrative costs of providing a written statement or processing the request, or the Company may refuse to process the request.
The Company is obliged to provide the Visitor to whom the Personal Data refer, upon his/her request, with a copy of the Personal Data that the Company processes. The Company may request reimbursement of necessary costs for making additional copies requested by the data subject. If the request for a copy is submitted electronically, the information is submitted in a commonly used electronic form, unless the Visitor to whom the data relates has requested a different submission.
b) to request correction, addition or deletion of his/her Personal Data and the right to object to data processing
The Visitor has the right to have his/her inaccurate personal data corrected without undue delay. Depending on the purpose of the processing, the Visitor has the right to complete his/her incomplete personal data, which includes providing an additional statement.
The Visitor has the right to request that his/her Personal Data be deleted by the Controller.
The Company is obliged to delete Personal Data without undue delay if: 1) Personal Data are no longer necessary to achieve the purpose for which they were collected or otherwise processed; 2) The Visitor has revoked the consent on the basis of which the processing was carried out, and there is no other legal basis for processing; 3) The Visitor has filed an objection to the processing; 4) Personal Data has been illegally processed; 5) Personal Data must be deleted in order to fulfill legal obligations; 6) Personal data were collected in connection with the use of information society services in the sense of the Law.
c) to submit a complaint to the Commissioner for Information of Public Importance and Personal Data Protection
d) the right to portability of Personal Data
The Visitor to whom the Personal Data refers has the right to receive the Personal Data previously provided to us from us in a structured, commonly used and electronically readable form and has the right to transfer this Personal Data to another controller without interference from our side, if the following conditions are met together:
• processing is based on consent or on the basis of a contract;
• processing is done automatically.
e) to limit the processing of Personal Data by the Controller, if one of the following cases is met:
• Visitor to whom the data refers contests the accuracy of the Personal Data, within the period that allows us to check the accuracy of the Personal Data;
• the processing is illegal, and the Visitor to whom the data refers opposes the deletion of Personal Data and instead of deletion requests restriction of the use of Personal Data;
• the Company no longer needs the Personal Data to achieve the purpose of the processing, but the Visitor to whom the data refers has requested it in order to submit, exercise or defend a legal claim;
• Visitor to whom the data refers has submitted an objection to the processing in accordance with Article 37, paragraph 1 of the Law, and an assessment is underway as to whether the legal basis for processing by the Controller outweighs the interests of the Visitor.
The Company is obliged to inform all recipients to whom Personal Data has been disclosed about any correction or addition or deletion of Personal Data or restriction of their processing in accordance with the Law, unless this is impossible or requires an excessive expenditure of time and resources. The Company is obliged to inform the Visitor, at his/her request, about all recipients.
If he/she considers that it is justified in relation to the particular situation in which he/she finds himself/herself, the Visitor to whom the data refer has the right to submit an objection to the processing of his/her personal data at any time, in accordance with the Law.
The Visitor to whom the data refers has the right not to be subject to a decision made solely on the basis of automated processing, including profiling, if that decision produces legal consequences for that person or significantly affects his/her position.
7.2 Procedure in case of violation of Personal Data
If a violation of Personal Data can cause a high risk to the rights and freedoms of the Visitors, the Company is obliged to inform the person to whom the data relate of the violation without undue delay, in accordance with the Law.
In the event of a breach of Personal Data that may cause a risk to the rights and freedoms of the Visitors, the Company is obliged to notify the Commissioner for Access to Information of Public Importance and Protection of Personal Data without undue delay, or if possible within 72 hours of becoming aware of the breach. The notification submitted to the competent authority contains all information in accordance with the Law.
8.1 Within its business organization, the Controller strives to apply the highest possible standards in the field of personal data protection, and applies all necessary organizational, technical and personnel measures.
8.2 In accordance with the above, the policy of the Controller is that, within the framework of technical measures, the creation, storage, processing and access to data, documents and information is carried out on the company’s document management systems (among others: Microsoft SharePoint portal, File Server, Archive Server, Microsoft NAV, Pantheon, etc.). The Controller takes care that employees are obliged to create and process data, documents and information on company computers and associated storage devices, while storing confidential data and documents is prohibited on the same. Additionally, data on document management and ERP solutions are stored within predefined structures of locations, sites and document libraries that have predefined access rights. All company computers and external storage devices are protected by “BitLocker” encryption. Users access all IT services based on a multi-layer authentication system (“MFA”) controlled by the “Microsoft Active Directory” and “Network Access Protection (NAP)” systems. In addition to the above, the Controller ensures that employees do not use certain systems arbitrarily, and internal procedures prohibit the use of private, public and cloud computer resources and storage systems for the processes of creating, processing, saving and accessing data, documents and information. Finally, the Controller periodically conducts employee education regarding the security of using system applications.
8.3 All data processors and/or other recipients of personal data are also required to implement all prescribed protection measures, in accordance with the signed agreement with the Controller and the standards and obligations set forth by law.
9.1 The Controller strives to retain data only for the period necessary to fulfill a specific, defined purpose of processing, after which the data is either deleted or rendered unrecognizable (through anonymization measures). The exact retention period, or the criteria by which it can be determined, depends on the purpose for which the personal data is being processed.
9.2 When personal data is processed by the Controller based on consent, the data collected for the purpose of establishing business contact is retained in the Controller’s databases until the consent is withdrawn.
9.3 Personal data of the Company’s clients is processed for as long as the processing is necessary to provide services to the Company’s client.
9.4 Data collected through web browsers and cookies is retained for the duration specified by the cookies accepted by the data subject, as described in the Controller’s Cookie Policy.
9.5 Additional information regarding retention periods and methods of data storage can be found in separate notices.
10.1 Personal data collected through the website www.mccann.rs is not transferred outside the Republic of Serbia, except in cases involving the use of third-party cookies, for which the Controller cannot be held responsible. The servers used for data transfer are located within EEA countries where an adequate level of personal data protection is ensured. In exceptional cases where data transfer occurs via servers outside the EEA, such transfer will be carried out with the application of appropriate protection measures, in accordance with the law.
10.2 In cases where personal data needs to be transferred to another country, i.e., outside the territory of the Republic of Serbia, the transfer will be carried out in accordance with all rules prescribed by the applicable law, including the use of standard contractual clauses issued by the Commissioner for Information of Public Importance and Personal Data Protection, or by applying another appropriate transfer mechanism (for example, a decision confirming that an adequate level of personal data protection is ensured in a specific country).
10.3 Providing personal data by the subject of data is neither a legal nor a contractual obligation when using the functionalities offered by the website. Failure to provide the requested data may result only in the inability to establish the requested contact necessary for further communication via this channel, or the inability to use services available through the website www.mccann.rs.
10.4 When processing data collected through the website, the Controller does not use any automated decision-making or profiling of the data subject.
10.5 Your Personal Data will be treated as confidential information and the Company will take the appropriate measures necessary to protect it in accordance with the Law. Access to it will be granted only to persons who, considering the description of the work they perform, should be familiar with your Personal Data and only to the extent necessary for the performance of their work.
10.6 If the Company decides to change this Privacy Policy, the changes will be posted and published on the website www.mccann.rs. This Privacy Policy is available on the website www.mccann.rs.
Belgrade, 4/2/2026