Publitio Data Processing Agreement

Last updated: Feb 20, 2020

This Data Processing Agreement represents an appendix of Terms of Service concluded between Publitio doo (“Publitio”) and the user of website (‘Service’) and forms an integral part of ToS.

By using the Service, the user accepts to be legally bound by both ToS and this DPA, and represents a contractual party in these agreements.


  • DPA – means this Data Processing agreement prepared in accordance with the Data Protection Laws, stipulated herein, forming an integral part of ToS;

  • Data Protection Laws – means Serbian Data Protection Act (Official Gazette of Republic of Serbia no. 87/2018), as well as Regulation (EU) 2016/679 (General Data Protection Regulation) (‘GDPR’), to the extent it is applicable to Publitio;

  • Parties – Publitio and the User;

  • Personal Data – personal data contained within User’s Content;

  • ToS – means Terms of Service – a legally binding agreement concluded between Publitio and the User;

  • User – a company or a natural person using Publitio’s service via website, who has entered into ToS and this DPA with Publitio, and represents a contractual party in these agreements;

  • All other expressions used in this DPA in capital letters have the same meaning as stipulated in ToS;

  • Definitions and legal terms used in this DPA have the same meaning given in Data Protection Laws.

The Parties agree as follows:


1) The User has entered into a ToS with Publitio, which represents a binding legal agreement between Publitio and the User, based on which the User uploads Content using Publitio’s Service and in connection to which certain personal data contained within the Content is being processed by Publitio, on behalf of the User;

2) Data Protection Laws stipulate that in cases in which processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of Data Protection Laws and ensure the protection of the rights of the data subject;

3) Data Protection Laws stipulate that the processing by a processor shall be governed by a contract or other legal act, that is binding on the processor with regard to the controller;

4) Bearing in mind the above stated, Publitio and the User enter into this DPA, as follows.



1.1. This DPA applies where and only to the extent that Publitio processes Personal Data on behalf of the User, in the course of providing the Service and such Personal Data is subject to either Serbian Data Protection Act, or GDPR. The Parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.

Parties’ roles

1.2. The Parties acknowledge that, with respect to Personal Data contained within the User’s Content, Publitio has the position of data processor, while the User has the position of data controller, in accordance with applicable Data Protection Laws.

1.3. User agrees that: 1) it shall comply with its obligations as a controller under Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to Publitio; and 2) it has provided notice and obtained all consents and rights necessary under Data Protection Laws for Publitio to process Personal Data and provide the Services pursuant to the Agreement and this DPA.

1.4. Publitio has no control over the type of Personal Data that User and third persons authorized by User upload to the Service, therefore Publitio has no control over the categories of data subjects that User’s Personal Data relates to.

Subject matter of processing

1.5. Publitio shall, as the processor, process Personal Data based on ToS, on behalf of the User, and solely for the purpose of providing Service to the User, in accordance with ToS. all in accordance with User’s written instructions.

1.6. This DPA is applicable to all activities in which Publitio’s employees process Personal Data on User’s behalf.

Nature and purpose of processing

1.7. As provider of the Service, Publitio handles Content provided by the User, which may contain Personal Data. Content may be subject to the following process activities: 1) storage and other processing necessary to provide, maintain and improve the Services provided to the User; 2) providing customer and technical support to User; 3) disclosures as required by law or otherwise set forth in the ToS and this DPA; or 4) other activities as per subsequent reasonable written instructions given by the User, where such instructions are consistent with ToS. User undertakes to provide to Publitio lawful instructions only. Publitio will be under no obligation to follow instruction which infringes any provision of Data Protection Laws.

1.8. Publitio will not 1) sell Personal Data, or 2) retain, use or disclose Personal Data for any purpose other than for the specific purpose of performing the Service, except required by law.

Duration of data processing

1.9. Processing of Personal data shall be carried out for an unspecified period of time during which the User remains using the Service, or, if a User is inactive for the period of more than 12 months, Publitio shall delete all of its registration data as well as its Content, in accordance with the ToS, and stop with the processing.

Technical and organizational measures

1.10. Publitio has undertaken the all the relevant technical and organizational measures to ensure the level of security appropriate to the risks involved in the respective data processing. The data protection measures may be adjusted according to the continued technical and organizational advancements. Publitio shall implement the changes required for the purposes of maintaining information security in a diligent and timely manner.


1.11. Publitio will maintain strict confidentiality when processing Personal Data. Any individual who could have access to the Personal Data processed on behalf of the User will be obliged in writing to maintain confidentiality, unless they are already legally required to do so via another legal obligation.


1.12. To the extent that User is unable to independently access the relevant Personal Data within the Services, Publitio shall, taking into account the nature of the processing, provide reasonable cooperation to assist User by appropriate technical and organizational measures, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under this DPA. In the event that any such request is made directly to Publitio, Publitio shall not respond to such communication directly without User's prior authorization, unless legally compelled to do so. If Publitio is required to respond to such a request, Publitio shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so. Except for negligible costs, the User will reimburse Publitio with costs and expenses incurred by Publitio in connection with the provision of assistance to the User in accordance with this DPA.

1.13. Publitio shall also provide reasonable cooperation to User regarding the notification of data protection authority or data subjects in connection to data breach, in accordance with Data Protection Laws, taking into account the nature of processing and information available to Publitio.

Deletion or return of data

1.14. Upon the deactivation of the Service, Publitio shall, at User’s choice, delete or return Personal data, to the User, and will delete existing copies, unless applicable law requires storage of the respective Personal Data.

1.15. Publitio may process data based on extracts of Personal Data on an aggregated and non-identifiable forms, for Publitio's legitimate business purposes, including for testing, development, controls, and operations of the Service, and may share and retain such data at its own discretion,


1.16. User grants general authorization to Publitio to engage another sub-processor to process Personal Data on User’s behalf, and the User has right to get information about their identity at any time. If Publitio wishes to add a sub-processor or a replace current sub-processor with another one, he will inform the User in advance via email, and the User may object in writing to the appointment of a sub-processor on reasonable grounds relating to data protection, by notifying Publitio within 30 days as of the receipt of Publitio’s notice on such event. In such event, the Parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If this is not possible, either party may terminate the applicable Services that cannot be provided by Publitio without the use of the objected sub-processor in question.

1.17. Where Publitio engages another sub-processor for carrying out specific processing activities on behalf of the User, Publitio shall enter into a written agreement with such sub-processor in order to secure protection of Personal Data required by Data Protection Laws, and remain responsible for any acts or omissions of the sub-processor that cause Publitio to breach its obligations under this DPA. Current sub-processors Publitio is using for the processing of Personal data are available to Users upon request:

  • Via email:

Data Transfer

1.18. Publitio shall, as the Service provider, transfer Personal Data it processes on behalf of the User only to countries with adequate level of data protection in accordance with Data Protection Laws, including to USA companies licensed under the Privacy Shield Framework.

1.19. If Privacy Shield is invalidated, Publitio will take such measures as required under the Data Protection Laws to continue facilitating the lawful processing of User’s Personal Data.