Privacy policy

Initial provisions

Pursuant to the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Official Journal of the European Union L 119, 4.5.2016., hereinafter referred to as: General Data Protection Regulation), which has been fully applied in the Republic of Croatia and all other Members of the European Union since May 25th 2018, as well as pursuant to the Act on Implementation of the General Data Protection Regulation (Official Gazette “Narodne novine” no. 42/18, hereinafter referred to as: GDPR Act), and also pursuant to the legal frame of personal data protection in the Republic of Croatia and the European Union, having in mind the best practices in the related matter, the company CANTILLY d.o.o. za usluge, with registered seat in the Republic of Croatia, Zagreb, Bani I. odvojak 4, enlisted in the Court Registry of the Commercial Court in Zagreb under the Company Registration Number (MBS): 081319668, Personal Identification Number (OIB): 98072093217 (hereinafter referred to as: Company), as the controller of personal data from users of its services, has prepared this Privacy Policy for the users. The Privacy Policy is a unilateral legal document based on the principles relating to processing of personal data that prescribes which personal data of users is being collected, the way such personal data is being processed and the purposes of using such personal data. The Privacy Policy also informs the users of services with their rights regarding the collecting and processing of personal data, all for the purpose of securing their privacy in a broad way.

The Privacy Policy is based on the following principles relating to processing of personal data:

  • lawfulness, transparency and best practices;
  • purpose limitation and data minimisation;
  • accuracy and completeness of personal data;
  • storage limitation;
  • integrity and confidentiality;
  • accountability;
  • trust and fairness;
  • purpose of processing;
  • anonymisation;

The Privacy Policy is applied to processing of personal data of natural persons, whose personal data is subject to processing for the purpose of providing services by the Company, with the goal to inform the users of services in a clear and transparent way with the proceedings of processing their personal data, as well as with their rights regarding such processing. The users are entitled to contact the Company, at any time, with a request for rectification or completion and/or review of personal data concerning the users, as well as with a request regarding the purposes for which the users would like their personal data to be or not to be processed.

Responsibility for processing of personal data:

CANTILLY d.o.o. za usluge, with registered seat in the Republic of Croatia, Zagreb, Bani I. odvojak 4, enlisted in the Court Registry of the Commercial Court in Zagreb under the Company Registration Number (MBS): 98072093217, Personal Identification Number (OIB): 98072093217

Contact information of the data protection officer:
e-mail: radelic@radelic.hr

Purposes of collecting and further processing of personal data

The Company collects personal data so that it could provide, maintain, secure and enhance its services regarding the purchase of certain products, so that it could understand the ways users use provided services and the Company’s web-site, as well as to execute the Company’s contractual obligations.

Within the scope of conducting the regulated business activities of the Company, personal data is being processed for the following purposes:

  • Executing contractual obligations
  • Executing legal obligations
  • Market research, direct marketing
  • Internal purposes
  • Possible employment within the Company
  • Video Surveillance for the purpose of protecting and security of persons and assets of the Company
  • Handling possible claims towards the Company regarding the processing of personal data pursuant to relevant regulations

Executing contractual obligations

The Company collects and further processes personal data of users for the purpose of executing contracts, delivery of requested products, consulting and helping with usage of products, solving claims of users and other activities which are related to entering into and executing contracts pursuant to the governing law.

The necessity of entering into a contract presents the legal ground for processing of personal data of users for the aforementioned purposes. In case the user does not provide the vital data, the Company will not be able to provide the service (enter into a contract and/or conduct the specific activities related to execution of a contract entered into with the user).

Executing legal obligations

To act pursuant to its legal obligations, the Company collects and further processes personal data of users for the purpose of complying with other relevant regulations in the Republic of Croatia.

Consent provided by the user for one or more specifically determined purposes

On the grounds of a consent by the user the Company collects and further processes personal data for the purpose of informing the user about new products and/or direct marketing.

The Company processes personal data of users regarding prior purchases on the grounds of a priorly given consent so that the users would be informed about new products and services provided by the Company (receiving marketing letters/newsletters and other notices about products and services as well as certain benefits, for which it is presumed that the users might be interested in).

In cases where the processing is based on a consent as the legal ground for such activity, providing a consent as the legal ground for such processing must be based on voluntary/clear expression of the user’s will regarding such processing of his personal data for a specifically intended purpose, with which purpose the user has been priorly informed.

Managing consents implies the possibility of the user to authorise the Company, by an active and clearly affirmative action, for collection and processing of specific personal data for one or more purposes (consent of the data subject), as well as to withdraw, in the same way, any prior consent for collection and processing of specific personal data for one or more purposes.

Legitimate Interests of the Company

On the grounds of the Legitimate Interest, the Company processes personal data of users for the purpose of maintaining its own internal records regarding market research and other needs concerning the business activities of the Company. E.g., the aforementioned includes usage of personal data for the purpose of creating offers which fulfil the needs and wishes of users, exploration and analysis of the market.

On the grounds of the Legitimate Interest, the Company may directly contact users which personal data it already possesses, all for the purpose of sending marketing notifications about similar products and services which the Company provides, using all available channels for marketing purposes, except in cases where the interests or fundamental rights and freedoms of the user are stronger than the Legitimate Interests of the Company.

Ways of collection and sorts of collected data

Certain services provided by the Company request collection of personal data of users. Such data is being collected in one of the following ways:

  1. Directly from the users, in a way that the users provide the data to the Company, as the controller, with their personal consent in the necessary scope which is important for providing certain services. Certain services which the Company provides to the users require collection of user’s personal data, in which case special care is provided regarding the scope and the type of such data, respectively.

The scope of the processed personal data by the Company mainly depends on the aforementioned purposes of processing and the legal grounds provided in this Privacy Policy. For such reasons the quantity or the set of personal data may vary, depending on such criteria.

E.g., basic identification data (name and surname, address, personal identification number, contact data – phone and/or mobile phone number, e-mail address etc.) is considered contractual data in a broader sense of the definition. In cases where a payment is conducted by a bank transaction, other data is also being collected (bank account number).

  1. From other sources, mainly from our business partners or publicly available sources (e.g. information available from telephone directory and other publicly available services);
  2. Automatically by visiting our web-site and applications, with data associated to online identifiers (IP address and cookie identifiers).

About Cookies

Cookies are small data files which are being stored on a computer or a mobile device while visiting a certain web-site. Cookies are being used for the purpose of providing better user experience to each user, storage of user preferences, with a goal to make web-sites work more efficiently, as well as for tracking and analysis of usage and page views of the Company’s web-site. We can distinguish the following sorts of cookies used by the Company:

a) Persistent Cookies, which help memorize data and settings for future visits of the Company’s web-site – this ensures faster access to the content on the web-site and better user experience;
b) Session Cookies, which enable tracking of movement through the Company’s web-site – this ensures that search and entry of information, which has been done by the user while visiting the web-site, is not done while visiting the web-site the next time, which ensures disturbance-free movement without unnecessary further authentication;
c) First Party Cookies, which come from the Company’s web-site visited by the user – this ensures storage of data for any additional visit to the Company’s web-site;
d) Third Party Cookies, which come with advertisements of othr web-sites and are located on the Company’s web-site – this ensures tracking and analysis of usage and page-views as well as for marketing purposes. As such cookies do not come from the Company’s web-site, it is recommended that users inform themselves about their rights regarding protection of their data with each of the entrepreneurs who own such web-sites.
e) Necessary cookies, which are vital for the function of the Company’s web-site and for providing the services of the web-site (e.g. they enable navigation on the web-site and the login into safe areas).

Cookies are also used for tracking Internet usage and for establishing user profiles, and subsequently for showing adapted Internet advertisements based of the preferences of users.

By turning off and/or blocking cookies (all except the necessary cookies) the user shall still be able view the Company’s web-site. However, there is a possibility that certain features and/or functionalities of the web-site shall not be available to such user, or that the time necessary to access certain functions of the web-site shall be longer than usual.

The aforementioned online identifiers may leave traces which, combined with other identifiers and information from internet providers, can be used in identifying the user.

The amount, or the scope of personal data collected by the Company depends on the service the Company is providing to its users, as well as on the legal grounds of such collection. The Company is constantly taking great care on collecting only the necessary scope of personal data which is important for achieving the legal prupose of collecting such data.

Data regarding potential users

The Company is also entitled to collect data on potential users of its services. Such data include basic information (name and surname, e-mail address) as well as interests of potential users who address the Company with the purpose of being informed and/or to be offered certain products and services.

The legal grounds for such collection of data is the consent of the user.

Time-frame of keeping and processing of personal data

With regard to the purpose and the legal grounds of collecting personal data of users, the Company is in certain cases obligated to keep personal data in a time-period (time-frame) which is being prescribed for certain purposes by governing law or by the cease of the purpose to which such data has been collected. After the prescribed legal time-period for keeping certain personal data by the Company had passed, or in case that the purpose of such keeping has ceased, the data shall be erased.

In cases where the Legitimate Interests of the Company are the grounds for collecting and processing of data, personal data shall be kept within the following time-periods:

a) data on existing users: during the contract execution and 6 months after its termination;
b) data on potential users: 3 months;

Data processed on the grounds of Legitimate Interests of the Company and/or the consent of the user may also be erased before the end of the time-periods stated in this Policy in case the user requests such erasure or in case the user objects to such processing.

Rights of users

Right of access to personal data

The users are entitled to requesting access to their personal data, which is being processed by the Company.

On the grounds of a written request by the users, which request may also be in a form of an e-mail, the Company, as the controller, is obligated to provide the users with access to their personal data which the Company is processing, inform the users of the purpose of processing of personal data, the sort of personal data which is being processed, of persons or categories of persons to which personal data has been made available, of the estimated time-period of processing or of the criteria used to determine such a time-period.

Right to rectification of inaccurate data

The users are entitled to requesting rectification of their personal data. The Company shall, as the controller, provide rectification of inaccurate personal data in each single case where it has been established that the collected personal data of a user are not correct or in case where there has been a change of user data.

Right to erasure of personal data

The Company shall conduct the erasure of user personal data in the following cases:
a) when user personal data is no longer necessary for executing the purpose of processing, or in case of termination of the purpose of processing;
b) when the user revokes his consent as the legal grounds for processing of personal data and there are no other legal grounds for processing of such data;
c) when the user objects to processing (see more under the Right to object);
d) when the data is being processed unlawfully;
e) when the personal data has to be erased in order to fulfil the legal obligations from the European Union law or the law of the Member State which applies to the controller;
f) when personal data has been collected with regard to an offer of information society services concerning child’s consent.

Right to restriction of processing

The users are entitled to requesting restriction of processing of their personal data.

The Company shall secure the restriction of processing of personal data in cases where the user is contesting the accuracy of data, where the processing is being conducted unlawfully and the user is opposing the erasure of data as well as requesting the restriction of their use instead, when the controller no longer needs personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims, and also in case when the data subject has objected to processing conducted on Legitimate Interests of the Company, including the forming of a profile of the user.

Right to data portability

The Company shall conduct the portability of personal data to another controller on the basis of a request by the user in case the user has given his consent to such transfer and the processing is being conducted automatically, as well as if such a transfer is technically possible.

Right to object

The users are entitled to filing an objection to the Company as the controller regarding a processing of their personal data.

The users have the right to object to processing of their personal data if such data is being processed for the purpose of Legitimate Interests of the controller. In such a case the Company, as the controller, shall cease to process personal data, except if it demonstrates compelling legitimate interests for the processing which override the interests, rights and freedoms of the user or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the users shall have the right to object at any time to processing of personal data them for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Conditions for transferring personal data to third persons

The Company transfers personal data of users to third persons (including competent authorities) only in the following cases:
a) on the grounds of a consent by the user;
b) for the purpose of executing its legal obligations;
c) when such processing is necessary for securing key interest of the user.

Personal data is being transferred only in case there is a contractual or legal obligation.

In cases of transferring of personal data to receivers from third countries outside of the EU, the Company shall enable such transfers pursuant to the conditions provided in the General Data Protection Regulation, or in cases where it has been determined that such transfer complies with the required data protection measures (e.g., by using the EU Standard Contractual Clauses for Processors in Third Countries).

Who to contact

In case of any questions regarding the data protection by the Company, the users can contact the Company via the e-mail address stated in this Privacy Policy or in a written form to the following address:

CANTILLY d.o.o.
Attn: Data protection officer
Bani I. odvojak 4
10000 Zagreb

Alterations and amendments of this Policy

The Company reserves the right to alter or amend this Privacy Policy at any time, so that it might provide up to date and accurate information, and to inform the users of such alterations pursuant to the transparency principles.

In Zagreb, March 2023.

CANTILLY d.o.o.

Group 1460
Group 1006

Tuesday to Saturday
12:00 – 22:00 h

Sunday
11:00 – 17:00 h

We are closed on Mondays

Ulica Stanka Vraza 1
HR-10430 Samobor, Croatia
info@cantilly.hr

Group 1459