The company COS-CHEM d.o.o., Zagreb, Podgaj 2, PIN: 29962196320 (hereinafter: COS-CHEM) shall take all reasonable measures in order to protect your personal data and has aligned its business operations with the General Data Protection Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: Directive or GDPR) and with the Act on General Data Protection Regulation Implementation (Official Gazette “Narodne novine” no. 42/2018).
- explains the reasons for and the manner of processing and protecting personal data that the customer/user provides by submitting a registration form or in some other way
- notifies (informs) the customer/user about the data retention period, rules related to the processing of personal data and all other operations and values applied when processing consumers’ personal data.
All employees and business partners of the company COS-CHEM shall be responsible for complying with the principles of personal data processing.
According to the Regulation, personal data means any information relating to an identified or identifiable natural person.
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data Processing
According to the Regulation, processing is defined as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
COS-CHEM will keep personal data secret, will not distribute, publish or give it to third parties for use or make it available to any third party in any other way without your prior consent or contrary to GDPR rules.
Controller and Data Protection Officer
The controller is the company COS-CHEM.
The controller has appointed a data protection officer who you as a customer/user may contact with regard to all issues related to the processing of your personal data and to the exercise of your rights.
You can contact the controller and/or data protection officer at the following e-mail address: email@example.com.
The purposes for which we process personal data
The following may constitute a legal basis for collecting personal data:
- the consent you provided for one or more specific purposes
- the processing is necessary for the performance of a contract or in order to take steps at your request prior to entering into a contract
- the processing is necessary for compliance with legal obligations
- the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.
If the processing is based on your consent, you shall have the right to withdraw the consent at any time. The withdrawal of the consent must be notified to the controller at the contact e-mail address firstname.lastname@example.org, and the withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
Data Collected Using our Websites or Mobile Apps
In addition to the above, we may also collect logs and your geolocation data.
Cookies are small files that are automatically downloaded via your browser and stored on your device (computer, laptop, tablet, smartphone, etc.) when you visit our website. Cookies will not cause damage to your device, they do not contain viruses, Trojan horses or other malware. Cookies store information about your device. This information does not constitute personal data.
Most browsers accept cookies automatically. You can configure your browser so that it does not store cookies on your device or to always notify you about cookies before they are stored on your device. Completely deactivating cookies may prevent the proper functioning of our website.
The length of time during which cookies are stored depends on the type of cookies.
- session cookies that last until the end of the session and are automatically deleted after closing your browser (functional cookies that save the status of the session, i.e. remember the status of the shopping cart for the duration of the visit to the website)
- persistent cookies that are stored on your device and remain there for a certain amount of time even after you close your browser (cookies used for the purpose of simplifying the use of our website, e.g. so that, when you visit our website again, it can recognise that you have visited it before or that you have previously logged into your user account, and then automatically reactivate the settings chosen earlier, so that you do not need to enter them again).
For the purposes of legitimate interests, within the meaning of Article 6(1)(f) of the Regulation, in order to optimise our websites, we use Google Analytics, a website analysis service provided by Google LLC from the USA (hereinafter: Google). Google places cookies to enable us to monitor the use of our website. The cookies are used to collect data on your use of our website, which data is transferred to Google’s servers and stored there, including data on:
- browser type and version
- operating system type and version
- URL of the website or the app used to connect to our website
- IP address of your device used to connect to our websites or mobile apps via the internet
- connection time.
The above data is used to evaluate the use of the website, create reports on activities on the website and provide services related to the use of the website and internet for the purpose of market research and website management.
Cookies are persistent. There is no link to your personal data. Your IP address is never linked to other Google data because the IP addresses are anonymized (so-called IP-Masking).
The above data can be transferred to third parties under contract or law.
You can disable the storing of cookies on your device in the settings of your browser, but please note that this might affect the proper functioning of our website. In addition, you can disable the recording of data collected by cookies related to your use, including your IP address, as well as its further processing by Google, by downloading the Google Analytics Opt-out Browser Add-on. This will store an opt-out cookie on your device that will prevent the future recording of your data when you visit the corresponding website using the same browser. In other words, the opt-out cookie is only valid for the same browser on the same device and only for our website. If you delete this cookie in your browser, you will need to opt out of Google Analytics again. You can find more information about data protection within Google Analytics here.
Targeting and Retargeting
We use targeting measures, i.e. directing our marketing and promotional activities to target groups of customers, and retargeting measures, i.e. displaying our marketing and promotional ads on the websites of third parties.
Targeting is done using advertising cookies that contain information about our products that you have already expressed interest in. They allow for you to be shown ads that are potentially of interest to you, and they are used to limit the number of instances that a certain ad is displayed to you, which helps us to measure the effectiveness of our marketing and promotional activities.
The legal basis for targeting or re-targeting is our legitimate interest within the meaning of Article 6(1)(f) of the Regulation, i.e. adapting our marketing and promotional activities to the target group of our customers. We do not want to offer you content that is of no interest to you. Targeting and retargeting is performed in a pseudonymized manner, i.e. in a manner that does not allow us to identify you, meaning that this data is not linked to your identifying personal data.
You can turn off targeting and retargeting cookies in the settings of your browser.
Our website can also contain cookies of third parties – our business partners, used to show you their marketing and promotional material. Those cookies track your choices when visiting our website and, based on that, you see certain advertising from our partners.
The legal basis for using third-party cookies is our legitimate interest within the meaning of Article 6(1)(f) of the Regulation to have our marketing and promotional activities adapted to the target group of our customers and to offer them products and/or services of our business partners that might interest them, which partners also offer our products on their websites or with whom we share an interest in another business cooperation.
Such third-party advertising cookies do not allow you to be identified because they are not linked to your identifying personal data. You can also turn off this type of cookies in the settings of your browser. Otherwise, such cookies are automatically deleted after 38 months.
Your Comments and the Gravatar Service
When you leave comments on our website or social media, we collect the data that you entered in the comments form, as well as your nickname, e-mail address and/or IP address.
If you leave comments on our website, you can agree to have your name/nickname, e-mail address and IP address saved using cookies. The option is available for practical reasons, so that you do not have to fill in your information again to leave a new comment. Those cookies will be valid for a year.
If you visit our login page, we will place a session cookie in order to determine whether your browser accepts cookies. The cookie does not contain personal data and it will be deleted when you close your browser. When you log in, we will also place a few cookies in order to store your login information and your screen display choices. Login cookies are valid for two days and display settings cookies are valid for a year. If you select Remember me, your login will last for two weeks. If you log out of your user account, the login cookies will be removed.
If you edit or publish a comment, an additional cookie will be stored in your browser. The cookie does not contain personal data and refers only to the post ID of the comment that you just edited or published. The cookie will expire after a day.
If you leave a comment, the comment and the associated metadata of the comment are retained indefinitely. That way, we can automatically recognise and approve all subsequent comments instead of holding them in the moderation queue.
When it comes to users who registered on our website (as applicable), personal data provided in the user profile may be published with the comment.
Social Media Plugins
For the purpose of legitimate interests, within the meaning of Article 6(1)(f) of the Regulation, in order to further promote our products, we place social media plugins for Facebook and Instagram on our website. The provider of the respective social network shall be responsible for personal data protection. Social media plugins are activated by double-clicking.
Our website uses a social media plugin for Instagram offered by the company Instagram Inc. from the USA. The Instagram Feed plugin is a WordPress plugin that allows the photographs published on your Instagram profile to be displayed on websites. When you activate such a plugin (first click), your browser links directly to Instagram servers. The content of the plugin is sent directly to your browser and integrated in our website. Using such integration, Instagram collects data that your browser accessed one of our web pages. That data (including your IP address) is sent via your browser directly to Instagram servers, which may also be located in the USA, and is stored there.
When you visit our website or use our mobile app, certain data regarding the manner of your use is automatically sent, via the browser you use on your device, to our website or app server and is temporarily stored in the so-called log files.
This includes the following data that is sent, stored and deleted automatically, without our intervention:
- the IP address of your device used to connect to our websites or mobile apps via the internet
- connection date and time
- the name and URL of the file you are accessing
- the URL of the website or the app used to connect to us
- information about the browser you use, possibly also information about the type of operating system on your device.
An IP address indicates the location of your device (e.g. computer, tablet, mobile phone, etc.) online, and a URL is a link to specific content online.
You cannot be identified from the aforementioned information. Therefore, this information does not constitute personal data, other than in exceptional cases when an IP address can be considered personal data.
Processing this type of data, especially your device’s IP address, is necessary for the purposes of the legitimate interests of COS-CHEM or third parties within the meaning of Article 6(1)(f) of the Regulation.
We collect and process the above data for the following purposes:
- to enable you to connect more quickly with our website’s pages or our app
- to improve your user experience
- to assess the security and stability of our systems
- for other administrative purposes.
Our legitimate interests consist of providing you with a better user experience when you visit our website or use our mobile apps.
If you have enabled or given your consent to our app, in your browser or operating system or other relevant settings on your device, to collect data on your geolocation, we will collect that data in order to offer you a customised service related to your current location. We do not process geolocation data for any other purpose than the one stated above.
Conclusion and Performance of Distance Contract for the Purchase and Sale of Products in the Online Store
When entering into a purchase and sale contract, we need data such as first and last name, address (country/region, city/town and postal code, street and house number), phone number and e-mail address in order to fulfil the obligation to deliver products and services.
This website is used for remote retail sales of our products in the online store. In connection with that, we process your personal data necessary for the conclusion and performance of the contract, in particular:
- first and last name
- billing and delivery address (country/region, city/town and postal code, street and house number)
- contact e-mail address
- billing and payment information
- possibly date of birth, phone number or mobile phone number for contact
- other information that you provide when filling out forms on the website or in communication with us on the phone or by e-mail, as well as other data that you choose to voluntarily share with us.
The legal basis for this processing of your personal data is provided in Article 6(1)(b) of the Regulation, because the processing is necessary for the performance of the contract to which you are a party or in order to take actions at your request before entering into such a contract with you.
We will process and store your personal data for the aforementioned purposes until the performance of the relevant contract and for 5 (say: five) years thereafter, for evidentiary purposes in the event of any disputes, or for longer if so prescribed by law or another regulation adopted on the basis of law (e.g. for tax purposes).
For example, under the regulations currently in force in the Republic of Croatia, we are obliged to keep, for accounting and tax purposes, all data about orders / purchase orders for a period of 11 years, which begins to run at the end of the last day of the business year in which the invoice for the customer’s order was issued.
Payment for Ordered Products
Marketing and Promotion of our Products, including Profiling
When you buy something from us and leave us your contact information in connection with the purchase and sale of our products, we manage you as our customer. We shall handle your personal data conscientiously and with the due care and diligence of a prudent businessman, including implementing technical, organisational, security and protective measures, while restricting access to the data only to our authorised employees or employees processors who we contracted to provide us with certain services regarding the processing of your data (e.g. our marketing agencies, postal service providers, etc.).
We will process your personal data for marketing purposes, for which we will ask for your explicit consent when you submit a registration form on our website. We will use your personal data to notify you about our marketing activities such as discounts, promotional offers or prize competitions, about our offer, e.g. new products available in the online store, as well as to communicate with you if you contact us with questions, suggestions or remarks regarding our products. In addition, we can use your personal data for the purposes of internal analysis and reporting on the behaviour of our customers in order to improve our offer and carry out marketing and promotional activities for the purpose of optimising our business. In such cases, we can use automated means of processing personal data for the purpose of so-called profiling.
Providing personal data for the aforementioned purposes is voluntary, but we need this data to achieve those purposes, i.e. to inform you about our marketing and promotional activities or to answer your questions, remarks or requests.
Therefore, if you do not provide us with all or some of the data, you will not be able to participate in certain benefits programmes, i.e. you will not receive the marketing content in the manner for which you have not given your consent.
Sending our advertising (promotional) materials means sending notices primarily via e-mail and exceptionally via SMS messages or social media messages.
We will give you a clear and unambiguous option to lodge a free and simple objection to such use of your e-mail address and/or phone number, when we collect the data, but also each time you receive an e-mail from us. Therefore, you can inform us at any time that you no longer wish to receive our advertising (promotional) materials, and we will immediately cease such communication and delete your personal data from our systems in accordance with the rules on retaining and deleting personal data detailed below.
We will not process your personal data for any other purpose without specific prior notification thereof and, if necessary, without your separate consent.
Profiling and Your Rights
Profiling is a form of automated processing of personal data for the purpose of analysing your consumer habits in correlation with our offer, marketing, promotional activities and, generally, our business. However, no decision is made based on the profiling of our customers and their consumer habits that would be based solely on the results of automated processing, nor a decision that would produce legal effects for you.
You have the right to object, at any time, to the processing of your personal data for the purpose of direct marketing, which includes profiling. After we receive your objection, we will stop processing your personal data for such purposes. You can send an objection to the following e-mail address: email@example.com, requesting that we unsubscribe you from our list of customers for direct marketing or for profiling. You can also unsubscribe from direct e-mail marketing by using the unsubscribe link available in every e-mail that we send you.
We offer the possibility of subscribing to our newsletter on our website. In order to make sure that no error occurred in the process of entering the e-mail address, we may ask you to verify the e-mail address. After you enter your e-mail address in the provided registration field, we will send you a registration link to the address. We will record your e-mail address on our newsletter e-mail list only after you click that link to confirm the registration. You can withdraw your registration and consent for receiving our newsletter at any time by using the unsubscribe link available in every e-mail sent to you or by sending the corresponding request to the following e-mail address: firstname.lastname@example.org.
Personal Data Retention Period
We will keep your personal data for the time needed to achieve the respective aforementioned purposes or until you withdraw the consent that you have given us for specific purposes.
After you opt out, we will keep your personal data for a maximum of 6 (say: six) months from the date of receipt of your opt-out, for records purposes in case of any subsequent inquiries, requests or disputes, unless a separate (shorter or longer) period of retention of your personal data has been prescribed for certain purposes based on applicable legal regulations, either to protect our or your legitimate interests, or third-party interests.
If we receive your opt-out, withdrawal of consent, request for the restriction of processing of your personal data, or any similar objection, we will immediately stop any marketing communication to you and deactivate your personal data, and its retention for a specific period will be the only way your data is processed before it is permanently deleted or destroyed in another manner.
We have ensured that your personal data is processed and used in a secure manner and in compliance with the applicable legal regulations and standards of practice. The security of your data is extremely important to us. We shall implement appropriate technical, physical and organisational measures to protect data from security risks such as accidental, unauthorised, unlawful or other unwanted access to data, its destruction, loss or disclosure, and we shall ensure the level of security that corresponds to the risks of data processing.
Your personal data, including in particular data required for payment processing, is transmitted using the usual security standard SSL (Secure Sockets Layer). SSL is a secure and proven standard used in online banking.
Who Has Access to Your Data and to Whom It Is Disclosed
We may disclose your personal data, i.e. provide access to your personal data, to competent authorities in compliance with legal regulations, to some of our business partners, e.g. marketing agencies that we hire to organise certain promotional activities or to IT service providers that maintain our information and communication networks and systems, to business banks and bank card service providers in connection with the execution of the purchase and sale. We have concluded contracts with such partners to ensure that appropriate technical and organisational measures for the protection of your personal data are implemented, that the data is processed exclusively in compliance with our instructions and that it is kept confidential, and that the use of your personal data for any purposes other than those specified in the corresponding contract is prohibited.
Our website is hosted in the Republic of Croatia. We do not transfer your data outside the borders of the European Economic Area, whose Member States provide an adequate level of personal data protection. If you access our website from another region, by using our website you explicitly consent to having your personal data transferred to the Republic of Croatia and processed there in compliance with Croatian regulations governing the protection of your personal data.
By way of exception, data collected using various social media cookies and cookies of other third parties from the United States of America (USA) may be transferred to their servers, which may be located in the USA. In this case, the transfer of personal data shall be carried out either within the European-American privacy protection system Privacy Shield or based on contracts with the recipients of your personal data in such countries, which contracts have been harmonised with the standard contractual clauses for personal data transfers approved by the European Commission, in order to guarantee the level of protection of your personal data that is in compliance with the requirements of European personal data protection law.
Your Rights Regarding Our Processing of Your Personal Data
Your rights regarding our processing of your personal data are as follows:
1. the right of access to your personal data, i.e. the right to receive confirmation whether personal data concerning you is being processed, and if it is, you have the right to access your personal data, meaning that you can request more detailed information in particular about the purpose of its processing, the type/categories of personal data being processed, including the right to examine your personal data, about the recipients or categories of recipients and about the expected period of retention of personal data (access to personal data may be restricted in cases prescribed by EU law or national legislation, or when such restriction serves to respect the essence of the fundamental rights and freedoms of others) – in order to exercise your right, contact the data controller in writing;
2. the right to rectification or supplementation of inaccurate personal data concerning you, without delay, by providing a supplementary statement – to do this, send your request to the data controller in writing;
3. the right to erasure of personal data (“right to be forgotten”) concerning you, especially in cases where:
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
- you withdraw, in whole or in part, the consent for processing your personal data for the aforementioned purposes, and where there is no other legal basis for the processing
- you object to the processing of your personal data, and there are no overriding legitimate grounds for the processing
- the personal data has been unlawfully processed
- the personal data has to be erased for compliance with a legal obligation under applicable legal regulations;
4. the right to restriction of processing of personal data in the following cases:
- if you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead
- we no longer need the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of your rights and claims
- you have objected to the processing of personal data necessary for the purposes of our legitimate interests or third-party interests, pending the verification whether the legitimate interests override the reasons presented in the objection;
5. the right to object to the processing of your personal data based on legitimate interests or for direct marketing, which shall include the prohibition of profiling to the extent related to such direct marketing;
6. the right to lodge a complaint regarding the processing of your personal data with the Croatian Personal Data Protection Agency, Selska cesta 136, HR – 10000 Zagreb (www.azop.hr; email@example.com; phone: 00385 (0)1 4609-000; fax: 00385 (0)1 4609-099).
Contact for Objections, Resolving Disagreements and Answering Questions
If you wish to send a complaint or objection and if you wish to resolve any misunderstanding, ambiguity or doubt regarding your personal data processed by COS-CHEM, please do so by using the following contact information:
COS-CHEM will respond to your request without undue delay, and no later than within 30 days, by either complying with your request or providing a valid reason why it cannot comply with the request.