Privacy Policy

Last updated: 15 June 2026

Version: v.1

Controller: SHYLD GROUP LLC Banja Luka

This Privacy Policy explains how SHYLD GROUP LLC Banja Luka ("SHYLD", "we", "us") collects, uses, stores and protects personal data when you visit the SHYLD website, contact us, register for events or programmes, download resources, access participant materials, communicate with us, or otherwise use our services through the website.

We process personal data in accordance with the Law on Personal Data Protection of Bosnia and Herzegovina, GDPR standards where applicable, and recognised privacy and data protection management principles, including ISO/IEC 27701 principles where relevant to our internal methodology.

1. Controller and contact details

The controller of personal data is:

SHYLD GROUP LLC Banja Luka

Address: Milana Tepića 11, Banja Luka, Bosnia and Herzegovina

Website: www.shyld.ba

E-mail: [email protected]

Privacy contact: +387 65 645 095

You may contact us at any time regarding the processing of your personal data or the exercise of your data protection rights.

2. Scope of this Policy

This Policy applies to personal data processed through the SHYLD website and related online interactions, including:

  • website visits and browsing of website content;
  • contact forms, inquiries and professional communication;
  • event, webinar, training and programme registration;
  • participation in SHYLD programmes and access to participant materials;
  • requests for documents, resources, proposals, consultations or support;
  • newsletter or professional updates, where available and subscribed to;
  • use of the SHYLD Privacy Compliance Hub or similar digital resources, where applicable;
  • technical website operation, security, maintenance and fraud prevention.

3. Categories of personal data we may process

Depending on how you use the website and our services, we may process the following categories of personal data:

  • identification data: name, surname, title or role;
  • contact data: e-mail address, phone number, organisation, address and communication details;
  • professional data: employer, job title, sector, professional interests, DPO/compliance role or relevant expertise;
  • registration data: selected event or programme, registration status, participation information, preferences and related correspondence;
  • billing and payment-related data: invoice data, payment confirmation, transaction reference and accounting information;
  • communication data: inquiries, requests, messages, submitted questions, consultation notes and support correspondence;
  • training and certification-related data: attendance records, assessment results, certificate or digital badge information and participant feedback;
  • website and technical data: IP address, device and browser information, server logs, time of access, pages visited, security records and necessary cookie data;
  • content voluntarily provided by you: information you include in forms, e-mails, consultations, programme exercises or support requests.

We do not intentionally collect more personal data than necessary for the relevant purpose.

4. Purposes of processing

We process personal data for the following purposes:

  • to operate, maintain and secure the website;
  • to respond to inquiries, requests and professional communication;
  • to register participants for events, webinars, programmes and consultations;
  • to organise and deliver training, implementation programmes and related support;
  • to provide access to materials, templates, methodologies, tools, resources and participant areas;
  • to conduct assessments and issue confirmations of participation, digital badges or certificates, where applicable;
  • to manage invoicing, payments, accounting and tax obligations;
  • to provide post-training support, individual consultations and alumni communication, where applicable;
  • to improve website content, programme structure and user experience;
  • to document compliance, protect legal interests and manage disputes or complaints;
  • to send professional updates, event invitations or marketing communications where legally permitted or based on consent;
  • to comply with legal and regulatory obligations.

5. Legal bases for processing

We process personal data on one or more of the following legal bases:

| Legal basis | When it applies |
| --- | --- |
| Contract or pre-contractual steps | When you request information, register for a programme, participate in training, access materials, receive support or use paid services. |
| Legal obligation | When we process invoices, accounting, tax, statutory or regulatory documentation. |
| Legitimate interest | For website security, service improvement, professional communication, programme administration, documentation of participation, protection of legal interests and prevention of misuse. |
| Consent | For optional marketing, newsletter subscription, non-essential website technologies, recommendations/testimonials, photographs or other optional processing, where applicable. |

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

6. Website forms, inquiries and communication

When you contact us through the website, by e-mail or through a registration form, we process the information necessary to respond to your inquiry, manage the request and keep a record of communication. If the communication leads to a contractual or pre-contractual relationship, the data may also be processed for service delivery, invoicing and documentation purposes.

7. Events, programmes, training and certification

For events, webinars, training and implementation programmes, we may process registration data, attendance records, assessment results, issued certificates, digital badge information, participant feedback and post-programme support records.

Where the programme includes document templates, LIA, DPIA, ROPA or TIA methodology, practical exercises, certification preparation, post-programme support or an individual consultation, we process the data necessary to deliver these activities and document participation.

If the programme is undergoing international certification or obtains external validation, relevant participant data may be processed for certificate issuance, verification or administration, in accordance with the applicable certification rules and privacy safeguards.

8. Newsletter and marketing communication

If you subscribe to a newsletter or request professional updates, we may use your contact data to send information about SHYLD programmes, events, resources, professional news or similar content. You may unsubscribe or object to such communication at any time.

We do not use your data for unlawful direct marketing.

9. Cookies and similar technologies

The website may use cookies and similar technologies. According to the current implementation information provided to us, the website does not use third-party cookies. Cookie use is described in detail in the separate SHYLD Cookie Policy.

If analytics, marketing pixels or other third-party technologies are introduced in the future, this Policy and the Cookie Policy should be updated before such technologies are activated.

10. Who may receive personal data

We may share personal data only where necessary and in accordance with applicable regulations, including with the following recipients:

  • IT, hosting, website maintenance and security service providers;
  • e-mail communication, registration, event organisation or participant management service providers;
  • payment, accounting, bookkeeping and invoicing service providers;
  • certification, digital badge, learning or resource platforms, where applicable;
  • lecturers, consultants, legal advisers, accountants or other professional advisers engaged for service delivery or administration;
  • competent authorities, courts, supervisory bodies or other recipients where required by law.

We do not sell personal data. Where we engage processors, we require appropriate contractual, technical and organisational safeguards.

11. International data transfers

Some service providers may process personal data outside Bosnia and Herzegovina or outside the European Economic Area. Where international transfers occur, we apply appropriate safeguards, such as contractual guarantees, transfer impact assessments, adequacy mechanisms or other measures required under applicable data protection law.

12. Your rights as a data subject

In accordance with applicable data protection regulations, you have the right to request information on whether SHYLD processes your personal data, as well as the right to access such data.

You may also request correction of inaccurate or incomplete personal data, deletion of personal data, restriction of processing, data portability where applicable, and object to processing where the processing is based on legitimate interest. Where processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

You also have the right not to be subject to a decision based solely on automated processing, including profiling, where such decision produces legal effects concerning you or similarly significantly affects you, unless such processing is permitted by applicable regulations.

Requests related to the exercise of data subject rights may be submitted to SHYLD by e-mail at: [email protected].

SHYLD will respond to your request within the legally prescribed period, unless an extension is permitted under applicable regulations due to the complexity or number of requests received.

13. Complaints and reporting of personal data breaches

If you believe that your personal data has been processed unlawfully, that your data protection rights have been violated, or that a personal data breach has occurred, you may contact SHYLD directly by e-mail at [email protected].

SHYLD will review each complaint, request or report and take appropriate measures in accordance with applicable data protection regulations.

You also have the right to submit a complaint or report a potential violation to the competent supervisory authority:

Agency for Personal Data Protection in Bosnia and Herzegovina

Website: www.azlp.ba

E-mail: [email protected]

Submitting a complaint to SHYLD does not limit your right to contact the competent supervisory authority directly.

14. Retention periods

We retain personal data only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law.

| Data category | Indicative retention period |
| --- | --- |
| Website technical logs | For a limited period necessary for security, troubleshooting and maintenance. |
| Inquiry and communication data | For the period necessary to respond and keep a reasonably necessary record of communication (maximum up to 3 months, except in cases of consent to marketing where the user's e-mail address is kept for up to 2 years). |
| Registration and programme data | For the duration of the programme and up to 6 months after the programme. |
| Certificates, digital badges and attendance records | For the period necessary to verify completion of the programme and protect legitimate interests (maximum up to 2 years). |
| Invoices and accounting data | In accordance with applicable accounting, tax and legal retention periods. |
| Marketing data | Maximum 2 years or until unsubscribe, withdrawal of consent or objection, unless further retention is justified. |

After the applicable retention period expires, personal data will be deleted, anonymised or securely archived where required by law.

15. Security measures

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, accidental or unlawful destruction, loss, alteration, disclosure or misuse. Measures may include access controls, confidentiality obligations, secure communication, backup, technical protection, security monitoring, role-based access, internal procedures and awareness-raising for employees and associates.

16. Processing of minors' data

The website and SHYLD professional services are intended for adult users, professionals and organisations. We do not knowingly collect children's personal data through the website. If we become aware that such data has been collected without an appropriate legal basis, we will take steps to delete it.

17. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in the website, services, legal requirements or processing activities. The updated version will be published on the website with the date of the latest update.

18. Contact

For privacy-related questions or requests, please contact:

SHYLD GROUP LLC Banja Luka

E-mail: [email protected]

Address: Milana Tepića 11, Banja Luka, Bosnia and Herzegovina

Privacy contact: +387 65 645 095

Website: www.shyld.ba