Privacy Policy

This Privacy Policy contains information about how we process your personal data in the context of the website https://symphony.is/ (the “Website”).

Updated March 12th, 2021
Privacy Policy

This Privacy Policy contains information about how we process your personal data in the context of the website https://symphony.is/ (the “Website”).

1. Introduction

Symphony Group d.o.o. („Symphony, “we,” “us” or “our”) is a company established under law of Bosnia and Herzegovina with the headquarter in Sarajevo, Kolodvorska 11A. Also, it has its affiliated companies (daughter companies) in other jurisdictions (Serbia, North Macedonia, Netherlands, USA) Symphony Group d.o.o. treats the security of its personal data very seriously. 

This Policy, beside other, covers these topics:

  • information about your rights and our obligations,
  • clarity about our dealings with you and transparency about how we collect and use your personal data,
  • commitments on how we protect your personal data,
  • commitments on how we will facilitate your rights and respond to your questions.

Privacy Policy applies when we act as the data controller with respect to the personal data of our visitors.

1.1. Relevant legislation

  • Serbia - the Law on Personal Data Protection adopted in November 2018, entered into effect on August 22, 2019, (harmonized with the GDPR)
  • North Macedonia - Law on Personal Data Protection adopted on February 16, 2020, which will enter into force in August 2021, (in line with the GDPR)
  • Bosnia and Herzegovina - Law on Personal Data Protection ("Official Gazette of BiH" No. 49/06 and 76/11) (not in line with the GDPR, harmonization of regulations in BiH is expected in the coming period)
  • Netherlands -General Data Protection Regulation Implementation Act
  • USA - CCPA and other relevant regulations.

2. How do we use and collect personal data?

2.1. The Data we collect

We use and process your personal data only if necessary to manage and operate our business services, to fulfil our regulatory obligations, to provide a functional website, content, and services. We think carefully about our use of personal data, and below, you can find the details of what we do to protect your privacy.

a) Client relationship administration

Purpose- The purpose is to manage the client relationship, including the prevention of conflicts of interests, establish the client and new cases, provide advice, invoice as well as administer, manage and develop our business and services, operate and maintain our systems.

Data Subject- The client, including employees of the client

Category of Personal Data- Personal data such as name, title, address, telephone number and e-mail address, in some cases employee number, invoice information.

Retention Period- The personal data is deleted after 11 years, calculated from the end of the calendar year in which the client relationship is terminated, unless specific circumstances require a shorter or longer storage period in accordance with relevant legislation.

Legal ground- Legal ground for collecting and processing these personal data is Article 6. point 1(b) and c) 



b) Meetups, networks and similar events at Symphony Group

Purpose- The purpose is to arrange, hold and evaluate courses, networks and similar events at Symphony Group. 

Data Subject- The Participant.

Category of Personal Data- Personal data such as name, title, e-mail address, telephone number and organisation.

Retention Period- The personal data will be deleted after two years, calculated from the time of the network or event, unless specific circumstances require a shorter or a longer storage period in accordance with relevant legislation.

Legal ground- Legal ground for collecting and processing these personal data is Article 6. point 1 (a) and (b)



c) Visiting our Website

Purpose: The use of our Services is possible without providing your personal data to us. The main reasons why we collect and use data about our users are:

- to improve your experience on the Website

- to provide the services you signed up for, such as subscriptions,

-  to create marketing analysis and send you communications when we have your permission or when permitted by law,

-  to enable us to show advertising on our sites.

Data Subject: The visitor of symphony.is website.

Category of Personal Data: Our system automatically registers every access to our Website and temporarily stores this information in a “log file.” Among the data saved in this context are in particular:



- IP-address of the accessing computer

- Name and URL of the accessed file,

- Date and time of the access,

- Access status/HTTP status code,

- Amount of data transferred for each transmission,

- Browser identification data.

Retention Period: Use of different cookies is described in our Cookie policy.

Legal ground: Legal ground for collecting and processing these personal data is Article 6. point 1 (a) and (f)



d) When you contact us through contact form

Purpose: we will process your inquiries to provide you with information about the services we offer. This might include replying to your question or sending you invites to our events only if a person gives consent for this.

Data Subjects: Individuals who send inquiry to Symphony Group via contact form, email or other. 

Category of Personal Data: Information about you, such as your name, address, age, gender, email address, and inquiry. 

Retention Period: The personal data is deleted after two years, calculated from the time of the enquiry.

Legal ground: Legal ground for collecting and processing these personal data is Article 6. point 1 (a) and (f).



e) When you send job application

Purpose: we process these personal data to start the hiring process with you.

Data Subjects: Individuals who send job applications through form on a website.

Category of Personal Data: Information about you which you provide to us in CV such as name, address, age, gender, email address.

Retention Period: The personal data is deleted after two years, calculated from the time of submitting an application.

Legal ground: Legal ground for collecting and processing these personal data is Article 6. point 1 (a) and (b).



f) For Marketing activities

Purpose: we might use your information to send you marketing emails about our services or events that are similar or related to those you have previously received (or attended, in the case of events) if you opted in for this. 

Category of Personal Data: Information about you which you provide to us through contact form

Legal ground: Legal ground for collecting and processing these personal data is Article 6 point 1 (a), (b) and (f).



g) Supplier administration

Purpose: The purpose is to manage supplier or business partner relationships.

Category of Personal Data: Personal data, including name, title, address, telephone number and e-mail address. As regard employees employed with the supplier or the business partner we process name, title, e-mail address and telephone number.Personal data, including name, title, address, telephone number and e-mail address. As regards employees employed with the supplier or the business partner we process name, title, e-mail address and telephone number.

Retention period: The personal data is deleted after 7 years, calculated from the time of the supplier or the business partner relationship is terminated, unless specific circumstances require a shorter or a longer storage period.

Legal ground: Legal ground for collecting and processing these personal data is Article 6 point 1 (a), (b) and (f).



Non-personal information we collect: When you use our website, we may use technologies like Google Analytics, Hotjar, Mailchimp or other third party tools to collect information about your visit to our website. In an essence, these tools provide us with the information on how you interact with our Website or Newsletter campaigns.

a) Client relationship administration

Purpose- The purpose is to manage the client relationship, including the prevention of conflicts of interests, establish the client and new cases, provide advice, invoice as well as administer, manage and develop our business and services, operate and maintain our systems.

Data Subject- The client, including employees of the client

Category of Personal Data- Personal data such as name, title, address, telephone number and e-mail address, in some cases employee number, invoice information.

Retention Period- The personal data is deleted after 11 years, calculated from the end of the calendar year in which the client relationship is terminated, unless specific circumstances require a shorter or longer storage period in accordance with relevant legislation.

Legal ground- Legal ground for collecting and processing these personal data is Article 6. point 1(b) and c) 



b) Meetups, networks and similar events at Symphony Group

Purpose- The purpose is to arrange, hold and evaluate courses, networks and similar events at Symphony Group. 

Data Subject- The Participant.

Category of Personal Data- Personal data such as name, title, e-mail address, telephone number and organisation.

Retention Period- The personal data will be deleted after two years, calculated from the time of the network or event, unless specific circumstances require a shorter or a longer storage period in accordance with relevant legislation.

Legal ground- Legal ground for collecting and processing these personal data is Article 6. point 1 (a) and (b)



c) Visiting our Website

Purpose: The use of our Services is possible without providing your personal data to us. The main reasons why we collect and use data about our users are:



- to improve your experience on the Website

- to provide the services you signed up for, such as subscriptions,

- to create marketing analysis and send you communications when we have your permission or when permitted by law,

- to enable us to show advertising on our sites.

Data Subject: The visitor of symphony.is website.

Category of Personal Data: Our system automatically registers every access to our Website and temporarily stores this information in a “log file.” Among the data saved in this context are in particular:

- IP-address of the accessing computer

- Name and URL of the accessed file,

- Date and time of the access,

- Access status/HTTP status code,

- Amount of data transferred for each transmission,

- Browser identification data.

Retention Period: Use of different cookies is described in our Cookie policy.

Legal ground: Legal ground for collecting and processing these personal data is Article 6. point 1 (a) and (f)



d) When you contact us through contact form

Purpose: we will process your inquiries to provide you with information about the services we offer. This might include replying to your question or sending you invites to our events only if a person gives consent for this.

Data Subjects: Individuals who send inquiry to Symphony Group via contact form, email or other. 

Category of Personal Data: Information about you, such as your name, address, age, gender, email address, and inquiry. 

Retention Period: The personal data is deleted after two years, calculated from the time of the enquiry.

Legal ground: Legal ground for collecting and processing these personal data is Article 6. point 1 (a) and (f).



e) When you send job application

Purpose: we process these personal data to start the hiring process with you.

Data Subjects: Individuals who send job applications through form on a website.

Category of Personal Data: Information about you which you provide to us in CV such as name, address, age, gender, email address.

Retention Period: The personal data is deleted after two years, calculated from the time of submitting an application.

Legal ground: Legal ground for collecting and processing these personal data is Article 6. point 1 (a) and (b).



f) For Marketing activities

Purpose: we might use your information to send you marketing emails about our services or events that are similar or related to those you have previously received (or attended, in the case of events) if you opted in for this. 

Category of Personal Data: Information about you which you provide to us through contact form

Legal ground: Legal ground for collecting and processing these personal data is Article 6 point 1 (a), (b) and (f).



g) Supplier administration

Purpose: The purpose is to manage supplier or business partner relationships.

Category of Personal Data: Personal data, including name, title, address, telephone number and e-mail address. As regard employees employed with the supplier or the business partner we process name, title, e-mail address and telephone number.Personal data, including name, title, address, telephone number and e-mail address. As regards employees employed with the supplier or the business partner we process name, title, e-mail address and telephone number.

Retention period: The personal data is deleted after 7 years, calculated from the time of the supplier or the business partner relationship is terminated, unless specific circumstances require a shorter or a longer storage period.

Legal ground: Legal ground for collecting and processing these personal data is Article 6 point 1 (a), (b) and (f).



Non-personal information we collect: When you use our website, we may use technologies like Google Analytics, Hotjar, Mailchimp or other third party tools to collect information about your visit to our website. In an essence, these tools provide us with the information on how you interact with our Website or Newsletter campaigns.

3. Your rights 

We think it is important that you are able to control your personal information. According to relevant regulation, you have a following rights:

a) Right to Access

You have a right to obtain, from Symphony, confirmation as to whether or not personal data concerning you are being processed as well as access to the respective data. Including the issuance copy

b) Right to Rectification

You have a right to obtain from Symphony, without undue delay, the rectification of inaccurate personal data including the right to complete incomplete data.



     c) Right to Erasure

You have a right to obtain from Symphony the erasure of your personal data without undue delay, if there is an issue with the underlying legality of the data processing. 



    d) Right to be forgotten

You have the right to obtain from the Symphony the erasure of personal data without undue delay and Symphony shall have the obligation to erase personal data without undue delay where applicable in accordance to the Article 17 GDPR.



    e) Right to restriction of processing

You have the right to obtain from Symphony restriction of processing where one of the following applies:

- Accuracy of data is objected to by data subject.

- Unlawful processing and data subject objects erasure of data and requests restriction instead.

- Data no longer necessary for the purpose but required by data subject to the establishment, exercise or defense of legal claims.

- Objection to further processing, pending verification of legitimate grounds to override those of data subject.

     f) Right to data portability

You have the right to receive the personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Symphony to which the personal data have been provided.

     g) Right to object

You have the right to object to the processing you personal data at any time on the following address: privacy@symphony.is

    h) Right against automated decision

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects.

4. Breach Notification

We maintain current technical measures to ensure data security protection, mostly to protect your personal data against risks during transmission and against third-party access. These measures will be updated according to the latest technical developments. 

It is our policy and value to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant Data Protection Authority (DPA) will be informed within 72 hours. This will be managed in accordance with our Information Security Incident Management Procedure which sets out the overall process of handling information security incidents and Personal Data Breach Notification Procedure which sets out the process of notification of relevant authorities and data subjects in the event of privacy breach.

5. Analytics/Cookies

Our website uses cookies. Cookies are small text files stored in your Internet browser for technical session control. They allow us to analyze anonymous user behavior, which helps optimize our Website design. Cookie data cannot be associated with a specific individual. The Services use cookies to the following extent: Transient / Session cookies, Persistent / Setting cookies, and Analysis cookies. 

Transient cookies are automatically deleted when you close your browser. This includes, in particular, the session cookies. This store a so-called session ID, which identifies user sessions in the browser. 

Session cookies are deleted when you log out or close your browser. Persistent cookies help the Services remember your information and settings when you visit them in the future. They are automatically deleted after a specified period, which may differ depending on the cookie. We also use cookies on our Services, which enable an analysis of the user’s surfing behavior. 

Our legitimate interest is based on the purposes mentioned above to optimize Service use and improve your user experience.

5.1. Analytics tools- Google Analytic

We use Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies,” which are text files placed on your computer, to help analyze how you use the Services. The information generated by the cookie about your use of the Services will generally be transmitted to and stored by Google on servers in the United States. 

In case IP-anonymization is activated on the Services, your IP address will be truncated within the area of member states of the European Union or other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the whole IP address be first transferred to a Google server in the USA and truncated there. Google will use this information on behalf of the website’s operator to evaluate your use of the Website, compiling reports on Website activity, and providing other services for the website operator relating to website activity and internet usage. 

The IP address that your browser transfers within Google Analytics’s scope will not be associated with any other data held by Google. Users have the possibility to reject cookies when he/she come to the site. You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that you may not be able to use all Services’ functions if you do this. You can also opt-out from the storage by Google of the data created by the cookie and is related to the use of the Services (including your IP address) and the processing of such data by Google by downloading and installing the Google Analytics opt-out browser add-on available under here.

The legitimate interests to use such data are that we use and analyze the respective data to improve our Services, such as understanding your services’ interests and requirements and personalizing your user experience. 

6. Changes to our Privacy Policy 

This privacy policy may be subject to change from time to time, in line with legislation or industry developments. We will not explicitly inform our clients or website users of these changes. Instead, we recommend that you check this page occasionally for any policy changes. The privacy policy was last updated on 4 March 2021.

7. Contact

Symphony Group d.o.o., Kolodvorska 11a, 71 000 Sarajevo, Bosnia and Herzegovina

email: privacy@symphony.is