This statement describes the protection of rights of individuals regarding the processing of their personal data. The purpose of this is law is to guarantee the inviolability of personality and privacy by ensuring protection of individuals in case of unauthorized processing of their personal data, in the process of free movement of data.


1. This statement defines:

1.1. The management, maintenance and protection of personal data that includes private information of customers of 321escorts and is contained in the Personal Data Register (“Register”).

1.2. The obligations of 321escorts staff processing personal data (“Data Controller”) and their responsibility when fulfilling these tasks.

1.3. The required technical and organizational procedures by the Data Controller for the protection of personal data from unlawful processing (accidental or unlawful destruction, loss or change, unlawful disclosure or access, non-regulated alteration or distribution, as well as all other unlawful forms of processing personal data).


2. The following types of personal data are kept in the Register:

2.1. Physical identity, names, passport details, address, phone number and personal identification numbers.


3. The Register collects and stores personal data from the customers of the website:

3.1. For contacting customers by phone and to send correspondence regarding completion of orders that have been received on the website (online orders).

3.2. For bookkeeping and direct marketing.


4. The Register is kept in electronic form.

4.1. The Register is kept in electronic form and the personal data is stored in secured computer servers.

4.2 Access to the Register servers is controlled by secured passwords known only to the Data Controller staff authorized to process personal data. Data processing software is used when working with this data.

4.3 The protection of the Register from unauthorized access; corruption, loss or destruction of the data is ensured by maintaining up-to-date antivirus software and regularly scheduled backups.


5.1. Personal data is collected by placing orders in the online store of the company by a person who is a customer in compliance with the General Terms and Conditions.

5.2. In all cases, the individuals, whose data are subject to personal data processing, shall submit, via online forms, the necessary personal data to the Data Controller appointed for processing personal data.

5.3. The need for collection of the personal data and the purposes for its use will be communicated to the individual placing the order by the Data Controller.

5.4. To rectify the personal data collected, the individual must submit an official request to the Data Controller.


6.1. The right to access one’s personal data contained in the Register shall be exercised by submitting a written application to the Data Controller.

6.2. The application may also be submitted in electronic form.

6.3. The application for access shall be filed personally by the individual or by explicitly authorized person with a power of attorney certified by a notary public.

6.4. The 321escorts Data Controller reviews all requests for access. The time limit for reviewing an application is 14 days from the day of submission or 30 days if more time is needed to collect the person's personal data due to unexpected difficulties in the Data Controller's ability to make the data accessible.

6.5. The decision shall be delivered personally after signature or by mail with advice of delivery.

6.6. Where the data does not exist or cannot be provided on a specific legal basis, the applicant shall be notified of refusal to access and the reasons for refusal. The refusal to grant access may be disputed by the person in front of the respective authority and in accordance with the legal deadline.

6.7. Only authorized Data Controller staff have access to the personal data with a file access password.

6.8. In addition, access to the personal data must be provided by the Data Controller staff to the officials directly involved in the clearance and verification of the legality of the documents of the requesting individual: manager, chief accountant or anyone performing technical accounting processing operations on the documents. Data Controller staff are required to provide access to them on request.


7.1. The information in the Register can only be accessed the authorized Data Controller staff. Third parties do not have the right to access any data. Register unless required by the legal authorities (courts, prosecutors or investigative bodies). The law permits these authorities access to the personal data of the individuals.

7.2. No consent is required if the processing of the personal data is only carried out by or under the control of a competent state authority for personal data relating to the commission of legal offenses, administrative offenses or unauthorized access. Such persons shall be granted access to the personal data and, where necessary, shall be provided with appropriate working conditions in the premises of the company.

7.3. The access by state authorities to an individual’s personal data requires duly legitimated relevant documents, such as written orders of the respective body, that state the names of the individuals and the reasons for access.

7.4. In case of changes in the Data Controller company's status (transformation, liquidation, etc.), requiring the transfer of the Register by the company to another data controller, the transmission of the Register shall be done after permission of the State Commission for Personal Data Protection.

7.5. The decision to grant or deny access to personal data for the person concerned shall be communicated by the Data Controller to the third parties within 30 days of the submission of the request.


8.1. When introducing a new personal data processing software, a specific committee shall be set up to test and verify the capabilities of the new product to meet the requirements of the Personal Data Protection Act and to make sure maximum protection against unauthorized access, loss, damage or destruction.

8.2. The non-fulfillment of the obligations incumbent by the respective officials under these Regulations and the Personal Data Protection Act, are subject to disciplinary sanctions under the Labor Code. When the non-fulfillment of the respective obligation has been established and established by a competent authority, as provided by the Personal Data Protection Act, an administrative penalty or fine may be imposed. If, because of the actions of the data subject, personal injury has resulted in damage to a third party, the latter may be held liable under the general civil law or criminal procedure if it is a more serious offense for which criminal liability is provided.

8.3. Archiving of personal data on a technical medium is done periodically every 30 days by the Data Controller to keep the Register information up to date.


For the purpose of this Statement:

9.1. The Data Controller is

9.2. Data Controller processors are the staff trained and authorized for personal data management and protection.

9.3. This Statement shall come into force on 18 December 2020.