Legal inventory


Privacy - general


Privacy Policy | ORBICO d.o.o.

1. General

1.1. This Privacy Policy is issued by Orbico d.o.o., with registered seat in Zagreb, Koturaška Cesta 69, PIN: 85611744662 (hereinafter „Orbico“ or „We“) provides you with information about the processing of your personal data when Orbico is acting as a data controller.
1.2. For some of our products or services, the protection of personal data of the users is regulated by separate privacy policies, which regulate the processing of personal data in more detail. This Privacy Policy applies to and regulates other situations in which personal data is processed, and where Orbico acts as a data controller or the person determining the purpose and manner of the processing of your personal data.
1.3. In case of any questions or requests regarding the handling or protection of your personal data, please contact us at privacy.orbicocro@orbico.com or by post at the address of the company's registered seat Data Protection Officer, Orbico d.o.o., Zagreb, Koturaška Cesta 69 
1.4. This version of the Privacy Policy applies from the date indicated above. The previous version from 25 May 2018, is amended with this version. The amendments include in particular more clear regulation of situations in which Orbico processes personal data of data subjects.
1.5. Special notice due to the Covid-19 pandemic: For the duration of the pandemic, we may ask you to confirm that you have no symptoms of the disease as well as ask that we measure your temperature. We do not record or further process such data, but we prohibit potentially infected persons from entering our premises or participating in our events, all for the protection of our employees, other visitors, and participants.

2. Orbico website and social networks visitors

2.1. If you are a visitor of website www.orbico.com or a website on a local (national) domain operated by Orbico, Orbico only stores your cookies, i.e. cookies you selected upon opening the website. You can read more about the cookies, the purpose for which they are used and the possible choices on our website.
2.2. You can contact us via contact form available on Orbico website. In that case, we collect the data you provided to us in the form. These are the following data: name and surname, e-mail address and the IP address from which you accessed our website.
2.3. If you are a Facebook user and have visited our Orbico Facebook page, Facebook Ireland Ltd (4 Grand Canal Square, Grand Canal Harbor, Dublin 2 Ireland) and Orbico are joint controllers. You can read more about the processing of your personal data via Facebook at https://hr-hr.facebook.com/privacy/explanation
2.4. If you are a user of other social networks and you have contacted us through them (Instagram, Linkedin, etc.), we process your personal data listed there only to get back to you. We are solely responsible for all our posts and messages via Orbico social networks (Facebook, Instagram, Linkedin, etc.) and the owners of these social networks do not necessarily share our views and vision.

3. Visitors

3.1. If you have visited one of our business premises (office premises, logistics centers, etc.), we process the personal data you provided us with at the entrance to the premises as well as a video recording of your entry / exit from the premises. These are the following data: name and surname, ID number, purpose of your arrival, time of arrival, contact person in Orbico and your video recording. Please note that not all our business premises are under video surveillance. Before entering our business premises, you will be appropriately warned that our business premises are under video surveillance.
3.2. If you have visited one of our retail locations, we are processing a video recording of your entry / exit. At some retail locations we may offer to sign up to receive our newsletters. In this case, for more information see point 6 of this Privacy Policy - Orbico Newsletter recipients.

4. Participants in the events we organized

4.1. If you participated in an event organized by us, we process the personal data you provided to us when applying for the event as well as upon arrival at the event.
4.2. Our events can be recorded (video recording and photographs). In such case, we will separately inform you in the invitation as well as at the entrance to the premises where the event takes place. The purpose of the recording is to promote the event and Orbico and the recordings are published.
4.3. If you are a panelist, speaker or host, we can publish your name and surname, your profession, position and experience when announcing you as well when reporting about the event (along with recordings from the event).

5. Participants in our prize games

5.1. If you have participated in one of our promotional or prize games, we process the personal data you have provided us with when registering and during participation in the prize game. The results of our promotional and prize games, i.e. the names and surnames of the winners, together with the information on the prize, are published publicly.
5.2. If you have won one of the main prizes and are invited to the award ceremony, such an event can be recorded (video recording and photographs). Video recordings and photographs are published publicly to promote the event and Orbico. Your recording is published only if you have given us separate consent.

6. Orbico Newsletter recepients

6.1. If you have subscribed to Orbico Newsletter, we process the personal data you provided us with on the application form (usually only your e-mail address). In addition, you can also receive Orbico Newsletter if you have made purchases of our products through our web shops (in case we believe you might be interested in our offer).
6.2. If you no longer wish to receive Orbico Newsletter, you can always simply unsubscribe from the list of recipients using the instructions provided in each Orbico Newsletter.

7. Submitting proposals, questions or complaints

7.1. If you have submitted a proposal, question or complaint in person, by e-mail or through our web form, we process your personal data you provided us with in order to respond to your proposal, question or complaint.
7.2. In case of a complaint about a product or service you purchased at Orbico retail stores (product defect claim, withdrawal request, etc.), we may contact you (usually by phone) to verify all relevant circumstances of your complaint and collect information about your health (such as your skin’s reaction to a particular product) so we are able to file a complete report to the manufacturer. In such cases, we are guided primarily by manufacturer’s instructions who uses the collected information to provide you with adequate feedback and advice, as well as to identify possible product defects.

8. Our business contacts (suppliers, customers, media and promoters)

8.1. If you are identified as a supplier or as a contact person of a supplier we work with, we process your personal data provided by you or your employer, which is necessary for the following: ordering goods / services, delivery and collection, payment or in case of complaint. These are the following data: name and surname, supplier`s name, supplier`s address, your position, e-mail address, and phone number.
8.2. If you are identified as a customer or contact person of a customer we work with, we process your personal data provided by you or your employer, which is necessary for the following: sale of goods / services, delivery and collection or payment of goods / services. These are the following data: name and surname, customer`s name, customer`s address, your position, e-mail address and phone number. Exceptionally, in case of sale of IQOS products, we additionally collect customer’s date of birth and gender for the needs of Philip Morris International as a manufacturer of IQOS products. You can find out more about how Philip Morris International handles your personal data (as separate data controller or as a joint controller with Orbico) at https://pmiprivacy.com/en/consumer
8.3. In order to minimize the amount of personal data we process, we always separately inform our suppliers and customers to use only business addresses, business e-mails and business phone numbers as contact information of their contact persons. In this case, your personal data may not be processed at all.
8.4. If you work for media with which we regularly cooperate and you are our contact person in that media, or if we work directly with you for the purpose of publishing business information, we process your personal data to contact you for various business publications. These are the following data: name and surname, media / platform / profile name, your position, e-mail address and phone number.

9. Legal basis for processing your personal data

9.1. We process your personal data only when we have a valid legal basis. The legal basis depends on the purpose for which we process your personal data:
9.1.1. if you have contacted us (by post, telephone, e-mail, via social network, via a web form), we process your personal data to reply to you. In that case, the legal basis for the processing is our legitimate interest in responding to your message;
9.1.2. if you have requested to receive Orbico newsletter, we process your personal data to send you Orbico newsletter. In that case, the legal basis for the processing is our legitimate interest as a provider of that service;
9.1.3. if you have visited any of our business or retail premises, we process your personal data for the purpose of protecting our employees and property. In that case, the legal basis for the processing is our legitimate interest as an employer and property owner;
9.1.4. if you participated in one of our events, we process your personal data for the purposes of (a) organizing that event - in which case, the legal basis for processing is our legitimate interest as the organizer of the event you applied for; (b organizing our future events - in which case, the legal basis for the processing is our legitimate interest as the organizer of the event in which you have previously expressed an interest; (c) promoting that event and Orbico - in which case, the legal basis for the processing is our legitimate interest as the organizer of the event in which you participated;
9.1.5. if you are a panelist, speaker or host of our event, we process your personal data for the purpose of (a) organizing the event and (b) promoting the event and Orbico - in both cases, the legal basis for processing is our legitimate interest as the organizer of the event;
9.1.6. if you have visited Orbico social networks and contacted us, we process your personal data to reply to you. In that case, the legal basis for processing is our legitimate interest in responding to your message. We do not store your information privately. Exceptionally in case of Facebook, Facebook processes your personal data in the manner described at https://hr-hr.facebook.com/privacy/explanation, while we affect the same processing only by identifying groups of users to whom we want to send certain information (for example by age, gender or similar). We receive user data from Facebook exclusively on a statistical, for us anonymized, basis;
9.1.7. if you have participated in one of our promotional or prize games, we process your personal data for the purpose of (a) organizing a promotional / prize game and awarding a prize - in which case, the legal basis for the processing is our legitimate interest as the organizer of the game; (b) promoting of the event and Orbico - in which case, the legal basis for the processing is our legitimate interest as the organizer of the game and your separate consent if we wish to publish recordings of you from the participation in the game or receipt of the prize;
9.1.8. if you have filed a complaint (product defect, withdrawal request, etc.) about the purchased goods or services, we process your personal data for the purposes of (a) verifying the nature of your request - in which case, the legal basis for processing is our legitimate interest as the seller of the goods or services for which you filed a complaint; (b) forwarding your request to the manufacturer of the product / service - in which case, the legal basis for the processing is our legitimate interest as the seller of the goods or services to contact the manufacturer for its contracted warranties; (c) acting on your request - in which case, the legal basis for processing is our legal obligation to you as a consumer;
9.1.9. if you have submitted an open job application or applied for our job advertisement, we process your personal data for the purpose of (a) conducting the selection process and recruitment - in which case, the legal basis for processing is our legitimate interest as an employer based on your job application; (b) conducting future selection procedures - in which case, the legal basis for processing is your separate consent or our legitimate interest if you have submitted an open job application; (c) verification of your previous work experience or verification of your education or training - in which case, the legal basis for processing is your separate consent to contact the relevant persons;
9.1.10. if you are identified as a supplier, customer, other business partner or as a contact person of one of them, we process your personal data for the purposes of (a) purchase and sale of goods and services (ordering goods / services, delivery, collection, payment, complaints, sending or preparation offers) - in that case, the legal basis for the processing of your personal data is our sales contract or legitimate interest in case you are an employee of our supplier or customer, based on business cooperation with your employer; (b) fulfillment of another contract we have entered into - in which case, the legal basis for processing is our contract or a legitimate interest in the event that you are an employee of our business partner, based on business cooperation with your employer; (c) checking the satisfaction with our business cooperation - in which case, the legal basis for processing is our legitimate interest as your business partner;
9.1.11. if you work for the media or act as a separate reporter, we process your personal data for various business publications. In that case, the legal basis for the processing is our legitimate interest based on our business cooperation;
9.1.12. if you have submitted a data subject request, we process your personal data for the purpose of responding to your request. In that case, the legal basis for the processing is our legal obligation to enable you to exercise your rights regarding your personal data;
9.1.13. if you fall into any of the previous categories, (a) in the case of a security incident or suspicion of such incident, we process your personal data for the purpose of investigating the incident, taking appropriate action and being able to report the incident - in which case the legal basis for processing is our legitimate interest in protecting your data and our legal duty to notify you in the event of a data breach; (b) in the event of an audit of our business or our handling of personal data, we process your personal data for the purposes of such an audit - in which case, the legal basis for the processing is our legitimate interest in proving the lawfulness of our conduct; (c) in the event of a dispute or other proceeding before a competent authority, we process your personal data for the purpose of conducting such proceedings - in which case, the legal basis for the processing is our legitimate interest as a party to such proceedings; (d) we process your personal data for internal analysis and reporting purposes - in which case, the legal basis for the processing is our legitimate interest as a business entity;

9.2. In any case, Orbico does not carry out automated decision-making based on your personal data, nor does Orbico create profiles of data subjects for this purpose.

9.3. Orbico does not process specific categories of your personal data - those that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or union membership, and the processing of genetic data, biometric data for unique identification, health data or data about sexual life or sexual orientation of the individual. Exceptions are health-related information in case of your complaint about a purchased product such as your skin reaction to the product.

10. Third party access to your personal data

10.1. Third parties may gain access to your personal data in the situations listed below. When these third parties act as a data processor, they process your personal data in accordance with our instructions. When these third parties act as a separate data controller, we have no influence on their conduct. We regularly check our business partners to make sure that your rights are properly respected.
10.1.1. Service providers: Third party service providers who provide us with services and products necessary for our regular business may have access to your personal data if this is necessary to provide us with the contracted service (e.g. security service, delivery, maintenance and development of various IT systems and applications, web design and maintenance, advertising). Then they act in accordance with our instructions as our data processors except when their conduct is determined by law or the rules of the profession in which case they have the position of a separate data controller;
10.1.2. Related parties: Our affiliates, who are part of the Orbico Group, may have access to your personal data if required to report or provide services for the Orbico Group. Then they act in accordance with our instructions as our data processors;
10.1.3. Professional advisors: Third party service providers who provide us with consulting services may have access to your personal data if it is necessary to provide us with the contracted service (e.g. tax and legal advice, financial and business consulting, accounting, auditing). Then they act in accordance with our instructions as our data processors except when their conduct is determined by law or the rules of the profession in which case they have the position of a separate data controller;
10.1.4. Competent authorities: Different authorities may gain access to your personal data for the purpose of supervising our business or for the protection of our rights (e.g. customs administration, tax administration, personal data protection agency, police, state attorney's office, court). In that case, they process your personal data in accordance with their legal powers and they have the position of a separate data controller.

11. Transfer of personal data to third countries

11.1. Your personal data is retained in the European Union. Your personal data is only exceptionally transferred to third countries (third countries do not include other European Union countries). In this case, we transfer your personal data based on an adequacy decision of the European Commission or only after the data importer from a third country undertakes to comply with the applicable standard contractual clauses approved by the European Commission.
11.2. For the purposes of conducting marketing campaigns or sending notifications, we may use the services of The Rocket Science Group LLC d / b / a MailChimp based in the United States (you can read more about how they process your personal information in their Privacy Policy available ovdje). We only send them your e-mail address information.
11.3. Also, members of the Orbico Group operating in third countries may have access to your personal data (depending on the specific case).

12. Storage period of your personal data

12.1. We retain your personal data for the period we need to fulfill the purpose for which we collected them, and the additional reasonable period required to delete them. The retention period depends on the purpose of the processing, the sensitivity of that data, our legal obligations (for example due to statute of limitations) and our legal basis. So:
12.1.1. In the case of processing based on your consent, we retain your personal data for the period for which consent was given or until the withdrawal of the consent (we delete them within 90 days from the date of withdrawal);
12.1.2. In the case of processing based on our contract, we retain your personal data for the period of the contract and an additional limitation period of five years (we delete them within one year from the expiration of the limitation period);
12.1.3. In the case of processing based on our legal obligation, we retain your personal data during that mandatory period (we delete them after the expiration of the mandatory period, in an additional period of one year);
12.1.4. In the case of processing based on a legitimate interest, we retain your personal data as long as our legitimate interest exists - we check the existence of a legitimate interest on an annual basis (we delete the data within one year after the expiry of legitimate interest).

13. Your rights

13.1. Your rights with regard to personal data are prescribed by the General Data Protection Regulation (“Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”).
13.2. You can exercise your rights regarding your personal data by contacting us through privacy.orbicocro@orbico.com. You can use our Data Subject Request Form to exercise your rights available on our web site. Please note that you can only exercise your rights regarding your personal data.
13.2.1. Access to personal data
You have the right to ask us to confirm whether we process your personal data, as well as access to your personal data that we process.
13.2.2. Rectification of personal data:
You have the right to ask us to correct your inaccurate personal data, as well as the right to supplement your personal data.
13.2.3. The right to withdraw consent
You have the right to withdraw your consent for further processing of personal data at any time. The withdrawal of consent does not affect processing performed on the basis of consent prior to its withdrawal.
13.2.4. Deletion of personal data (the right to be forgotten)
If you withdraw your consent to the processing of your personal data or when the legal basis for the processing of your personal data ceases or in other cases provided by the General Data Protection Regulation, you have the right to ask us to delete your personal data.
13.2.5. Portability of personal data
If we process your personal data based on your consent or based on our contract, you have the right to request us to transfer your personal data in an appropriate manner.
13.2.6. Objection to the processing of personal data
If we process your personal data for the purposes of direct marketing or based on our legitimate interest, you have the right to object to further processing of your personal data.
13.2.7. Limitation of processing
If you dispute the accuracy of your personal data or in other situations provided for in the General Data Protection Regulation, you have the right to ask us to limit the processing of your personal data until such a situation is resolved.
13.2.8. The right to complain to the Personal Data Protection Agency
At any time, you have the right to complain before the personal data protection authority - Agencija za zaštitu osobnih podataka (www.azop.hr), regarding the processing and protection of your personal data.
13.3. You exercise your rights without cost. However, if you frequently (for example, less than 6 months have passed since your previous request) or excessively (for example, requesting all your personal information in writing) request access to or transfer of your personal information, we have the right to ask you to bear our costs before carrying out such an action.