As a digital marketing agency working directly with clients, Four Dots can, depending on the situation, assume the responsibilities of a data controller or those of a data processor. Depending on whether we are the ones actively collecting and using your personal data, or we are simply processing data coming from elsewhere, we might have a varying degree of responsibility when it comes to how your data is handled.
It is up to us to distinguish between these labels and fulfil the obligations that come with them. If, however, you want to know how we are treated with regard to your data, you should know that we are considered data controllers only in instances where we directly gather personal data and we decide how to use it. Most of the time, this refers to personal data provided by our direct clients. On the other hand, when it comes to data that we receive through third-party data integrations, we can only assume the responsibilities of a data processor. This relationship will define the extent of our obligations to you and determine if we are the ones you need to contact with your inquiries.
Since the scope of responsibilities held by a data controller is much wider, we will list the rules regulating this kind of relationship and, where needed, point out the ones which do not apply if we are in the position of a data processor.
Owner and Data Controller
Digital marketing agency:
Four Dots DOO, Mileticeva 28, 21000 Novi Sad, Serbia
Owner contact email: firstname.lastname@example.org
Personal data we collect
As a processor, most of the personal data Four Dots deals with is incidental and comes through third parties. However, as a data controller, which usually means that you are our client or site visitor, we may collect some of the following: cookies, usage data, first and last name, phone number, email address, and finally, your company name.
A lawful basis for processing
In order for us to work with your data, we need to have a lawful basis to do so. There are six ways for us to qualify as someone authorized to process your data, and only one needs to be valid for us to be within our rights. Depending on the basis for processing, certain data subject rights do not apply, and we have different types and levels of authorization.
However, we must state on which grounds we will be using your data, i.e. explain the purpose behind our processing and the reasons why the processing is necessary for us to provide you with the promised service. There are six ways to establish a legal basis for handling personal data, and they are:
- Consent – the most common, and usually sufficient, basis for data processing. It can never be implied, meaning that we have to explicitly state what data we intend to collect, why we need it, how collecting it impacts you, etc., and you have to give us your unambiguous permission to do so. Consent needs to be granular, meaning that we cannot ask for sweeping permissions, like “Can we process all your personal data?”, but need to ask for each specific type of information and list all the implications of you giving us permission to use it. We are also obliged to inform you (here, and whenever we are actually asking for specific consent) that you can always withdraw the consent you’ve previously given, should you choose to do so. If the consent you give to us extends to anyone else (third-party service providers, for instance), we have to inform you of this fact, and we need to keep your consent documented for later revision, should it be needed. When data subjects give consent for us to use the data, the right to object no longer applies to them, but they do keep the right to withdraw consent.
- Contract – If we need to process your personal data in order to fulfill our contractual obligation to you, and the processing is necessary for us to meet that obligation, we are considered to have a lawful basis for data processing. This even applies if you request something from us before the official contract is signed, such as a quote for our services. The right to object doesn’t apply in cases where a contract is the lawful basis for processing.
- Legal obligation – We may process your personal data if it is necessary in order to comply with a UK or EU law, either at the behest of the relevant regulatory body or without it. If there is a way for us to fulfill our obligation to the law without processing your data, we cannot use Legal obligation as a justification to process your data. When it is determined by the appropriate bodies that this is necessary, data subjects cannot invoke the rights to erasure, portability or the right to object.
- Vital interests – We are allowed to process your data if it is determined that doing so is necessary to protect someone’s life. If there is an easier and less intrusive way to achieve the same result, we are not allowed to use your data. Where applicable, consent will be asked for, but in cases where the data subject is not considered capable of giving consent, and processing data might be a matter of life and death, consent is not obligatory under this provision. The right to portability and the right to object do not apply in these instances.
- Public task – Refers to tasks of public interest and exercising public authority, as set out in law. As such, it is not relevant for us, and unlikely to be used as a lawful basis. In instances when it is used legitimately, the right to erasure and the right to portability do not apply to data subjects.
Data mapping and monitoring
Personal data we handle in the roles of controller and processor is protected and monitored. Actions taken with the data are logged, as are the user accounts taking those actions. In case of data breaches, objections, data erasure requests, lawful basis disputes, etc., we need to be able to provide an accurate and consistent record of data interactions.
Four Dots works with a number of third parties, in the majority of cases, as a data processor. This includes customer support software, user behavior tracking tools, and others. While we don’t assume the same scope of responsibilities for data they control, we are required to have written contracts regulating our collaboration, and to ensure they are GDPR compliant. What follows is a list of third parties we work with which might act as controller or processor of your data, along with their GDPR compliance or Personal Privacy pages:
Our services are only available to persons over 16 years of age, so we are never in the position of the controller of personal data of a child.
If you believe we might have any information from or about a child under 16 years old, please contact us at email@example.com.