Privacy Notice for Electronic Identification – Yettel eID
1. INTRODUCTION
We value your privacy and take the protection and security of personal data very seriously. The security and proper use of personal data is of utmost importance both to users of the electronic identification service (hereinafter: Yettel eID or the Service) and to Yettel. That is why it is very important to us that you understand how and why we process your personal data when using Yettel eID.
Yettel eID, as an electronic identification service, was created out of the need to enable users to complete the legally required registration of prepaid SIM cards in a simple, reliable, and legally valid manner, in accordance with the Law on Electronic Communications.
This Notice does not regulate rights and obligations, but aims to inform you about which personal data we process, how we process it, and for what purposes we use it. We also want to explain your rights regarding your personal data and how you can exercise those rights.
This Notice applies only to data we process in connection with the Service. It does not apply to other situations in which Yettel processes personal data, which are addressed in the relevant notices published on www.yettel.rs.
This Privacy Notice takes effect on 01.09.2024, and is associated with the General Terms and Conditions for the provision of the electronic identification service and the “Yettel eID” electronic identification scheme, the Service Policy for the provision of the electronic identification service and scheme “Yettel eID,” and the Practice Rules for providing the electronic identification service.
The Notice may be amended or supplemented due to changes in applicable legislation, at the initiative of Yettel, or by order of the competent authority. Users are encouraged to regularly check the latest version of the Notice on the Yettel website.
2. DEFINITIONS
2.1. Notice
Refers to this Privacy Notice regarding the use of the “Yettel eID” service, including any subsequent amendments and supplements.
2.2. Yettel
Yettel d.o.o. Belgrade, with its registered head office at Omladinskih brigada 90, Belgrade, Corporate ID: 20147229. In this Notice, the pronouns “we,” “us,” or “our” also refer to “Yettel.”
2.3. Personal Data
Personal data means any information relating to a natural person whose identity is determined or determinable, directly or indirectly, in particular by reference to an identifier.
2.4. Service
The electronic identification service governed by the Law on Electronic Document, Electronic Identification and Trust Services in Electronic Business.
2.5. Customer
A natural person to whom, via the Yettel application or Yettel web portal, a credential for using the electronic identification scheme (Yettel eID) has been issued in the form of a one-time password (OTP), enabling the registration of prepaid SIM cards issued by the operator Yettel d.o.o. Belgrade.
2.6. Device
Refers to the end-user device used to access Yettel eID.
2.7. Credential of the electronic identification scheme (the “Yettel eID” credential)
An intangible electronic identification credential with a low level of assurance, based on the one-time password (OTP) mechanism, issued by Yettel d.o.o. Belgrade in its capacity as the Service Provider.
3. WHICH USER PERSONAL DATA WE PROCESS
The following personal data of the User is processed during the issuance and activation of the Yettel eID:
- Name and last name
- Unique Master Citizen Number (JMBG), if the User is a citizen of a country whose nationals are assigned such a number
- Information from the identification document used for issuance of the Yettel eID credential
- Facial photograph of the User
4. HOW WE COLLECT USER PERSONAL DATA
While providing the electronic identification service, specifically during the issuance and activation of the Yettel eID credential, Yettel collects personal data in the following ways:
4.1. Directly from the User, during the process of issuing the Yettel eID electronic identification credential;
4.2. Automatically, during the transfer of data from the Yettel eID electronic identification scheme (collected by Yettel in its capacity as the Service Provider) to the database of registered prepaid or postpaid mobile service users of Yettel.
5. HOW WE PROCESS USERS’ PERSONAL DATA
Yettel processes Users’ personal data for the purpose of electronic identification through a basic-level electronic identification scheme, Yettel eID, which is registered in the relevant registry maintained by the Ministry of Information and Telecommunications.
The initial step in the issuance process for the “Yettel eID” electronic identification credential involves the user’s contact information (email address or mobile phone number), which is later used as an identifier within the issued scheme. This data is subject to prior validation and confirmation.
The subsequent steps in the “Yettel eID” credential issuance procedure involve collecting data through photographs of the identification document. The user selects which identification document (personal ID card or travel document) to photograph and identifies the country of issuance. The user then photographs the front and back sides of the ID card or the first page of the travel document within the process inside the Yettel application or web portal. At that point, processing and analysis of the submitted identification document images begin to extract data and verify the document’s validity and the accuracy of the information.
The applicant user also submits a photograph of their face through the Yettel system, which is then compared and verified against the photo extracted from the identification document.
Yettel compares the submitted photograph of the user's face with the photo on the identification document.
The photograph is used solely for verification by comparing it with the document and is not stored by Yettel afterward.
Following the completion of the electronic identification procedure and issuance of the Yettel eID identification scheme, Yettel will use the collected data to register a prepaid SIM card.
It is important to note that Yettel does not engage in automated decision-making based on profiling that may produce legal effects for the users or similarly affect them.
In order to comply with obligations established by relevant legislation, we are required to process Users’ personal data. Examples include obligations set out in tax legislation, compliance with requests or orders issued by public authorities, and similar situations.
6. TO WHOM WE DISCLOSE USERS’ PERSONAL DATA
6.1. To Personal Data Processors
Personal data processors are natural or legal persons who process personal data on behalf of Yettel, as designated by Yettel through a mutually signed agreement. They are not permitted to process the personal data provided to them for any purposes other than to perform the tasks assigned by Yettel under the agreement. Processors are required to comply with all of Yettel’s written instructions.
The personal data processor for the Yettel eID service is the company BLINK.ING d.o.o. Beograd, Corporate ID: 21332755, with which Yettel has concluded a Personal Data Processing Agreement in accordance with the Law on Personal Data Protection (“RS Official Gazette,” No. 87/2018).
6.2. To Competent Authorities
Yettel provides Users’ personal data to competent state authorities and regulatory bodies for the purpose of fulfilling legal obligations, that is, when such obligations are established under applicable regulations.
Given that Yettel provides electronic communications services and networks, its operations may be subject to inspections by various competent authorities, such as the Ministry of Information and Telecommunications, the Regulatory Agency for Electronic Communications and Postal Services (RATEL), the Market Inspectorate of the Ministry of Internal and Foreign Trade, and the Commissioner for Information of Public Importance and Personal Data Protection. During the inspection, these authorities are entitled to request Yettel to submit documents and information in its possession. Required documents and information may contain personal data of our customers.
7. TRANSFER OF PERSONAL DATA TO OTHER COUNTRIES
Personal data collected and otherwise processed for the purpose of issuing and activating the Yettel eID is stored in the Republic of Serbia and is not subject to transfer to other countries.
8. RETENTION PERIOD FOR USERS’ PERSONAL DATA
Yettel retains Users’ personal data for only as long as is reasonably necessary to achieve the purposes stated in this Notice, or for as long as required in order to fulfill its obligations under applicable law.
In accordance with the Law on closer conditions that the electronic identification schemes must fulfill for certain levels of reliability, the Service Provider is required to retain data related to the issuance of the electronic identification credential, including data related to the verification of the User’s identity, for at least ten years from the date of issuance.
9. HOW WE PROTECT USERS’ PERSONAL DATA
Yettel’s priority is to build and maintain trust between us and our Users. Therefore, the protection of our systems and personal data is very important to us. In accordance with the requirements of the applicable legislation and based on best practices, Yettel undertakes the necessary technical, personnel and organizational measures to ensure the security of customer personal data.
To ensure the protection of Users’ personal data, Yettel uses advanced technologies combined with effective management of security controls.
All implemented controls are in line with international standards and implementation frameworks (ISO 27001, ISO 27701, COBIT), as well as with the local Law on Personal Data Protection.
Yettel has appointed a data protection officer and has dedicated departments responsible for information security and fraud prevention. These entities assist in protecting and securing personal data and ensuring compliance.
10. WHAT RIGHTS DO DATA SUBJECTS HAVE
10.1. General information on the rights of data subjects.
Yettel will respond to a natural person’s request to exercise any right described in this section only if the person submitting the request can be identified.
Only individuals whom we can identify are able to exercise the rights outlined in this section.
Yettel informs individuals of actions taken in response to a request within one month of receiving the request covered in this section. In certain cases, this period may be extended by up to two additional months.
Yettel will provide the data subject with information on actions taken based on the request to exercise rights under this section without undue delay and no later than one month from the date of receipt of the request. If necessary, this period can be extended by another two months, considering the complexity and number of requests. Yettel will inform the User of such extension and the reasons for the delay within 30 days of receiving the request.
If it refuses to act on the request, Yettel shall inform the individuals of their rights.
If Yettel does not take action on an individual's request, it will promptly inform the customer, within 30 days of receiving the request, about the inability to comply with the request and inform the customer of their right to file a complaint with the Commissioner for Personal Data Protection and seek protection through legal procedures.
In certain cases, Yettel may request additional information to verify the identity of the natural person.
If we have a justified doubt regarding the identity of the individual submitting the request, Yettel may request additional information necessary to verify that person’s identity.
Yettel’s processing of requests to exercise rights under this Article is free of charge, unless the requests are manifestly unfounded or excessive.
Yettel's actions in response to a request to exercise the rights outlined in this Article are free of charge. When an individual's request is evidently unjustified or excessive (e.g., due to frequent repetition), Yettel reserves the right to: (a) refuse to act on the request, or (b) charge the necessary administrative costs for providing the requested information.
10.2. The User has the right to access their personal data.
The User has the right to request from Yettel information on whether their personal data is being processed, and if it is, to request access to such data.
10.3. The User has the right to request the correction of data if it is inaccurate or outdated.
10.4. In certain cases, the User has the right to request the erasure of personal data.
Customers shall be entitled to request that Yettel delete personal data relating to them in the following cases:
• The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
• The User has objected to the processing of personal data processed based on Yettel’s legitimate interests, and there are no overriding legal grounds for processing that outweigh the User’s interests, rights, and freedoms, or the data processing is not necessary for the establishment, exercise, or defense of legal claims;
• The User has objected to the processing of personal data carried out for the purpose of direct marketing, and there are no other legal grounds for processing such data;
• The personal data concerning the respective User has been processed unlawfully;
• The personal data must be erased by Yettel in order to comply with legal obligations arising under the laws of the Republic of Serbia.
10.5. In certain cases, the User has the right to data portability.
The data subject is entitled to receive from us their personal data previously provided to Yettel in a structured, commonly used, and machine-readable format, and is entitled to transfer that data to another controller without interference from Yettel if the following conditions are met in their totality:
• Yettel processes such data for the purpose of concluding or performing a contract with the User, or based on the consent given by the User;
• The processing is done automatically.
The customer is entitled to have his personal data directly transferred to another Data Controller by Yettel, if this is technically feasible.
10.6. In certain cases, the User has the right to object to the processing of their personal data.
Users have the right to object at any time and on any grounds to the processing of personal data relating to them, where Yettel processes such data for the purpose of pursuing its legitimate interests.
10.7. Users have the right to lodge complaints with the Commissioner for Information of Public Importance and Personal Data Protection.
Users have the right to lodge complaints with the Commissioner for Information of Public Importance and Personal Data Protection if they believe that Yettel is violating the Law on Personal Data Protection.
11. YETTEL CONTACT INFORMATION
Yettel d.o.o. Belgrade (registration number 20147229), with its registered office in Belgrade (Omladinskih brigada 90), is the controller of personal data processed and referred to in this Privacy Notice.
If you have any questions and requests regarding the processing of personal data, please contact our Personal Data Protection Officer at dpo@yettel.rs.
12. ENTRY INTO FORCE AND UPDATES OF THIS PRIVACY NOTICE
This Privacy Notice regarding the use of the “Yettel eID” service enters into force on 01.09.2024.