Privacy policy

Section A – The purpose of this policy

1. Policy statement

1.1. DubrovnikInn.com is a privately owned domain; we are committed to protecting personal data and respecting privacy and the rights of our data subjects, the people whose personal data we collect and use. The collection, use and processing of your personal data is carried out in accordance with these Privacy Rules and with the applicable legal provisions, including Regulation (EU) 2016/679 of 27 April 2016 (hereinafter: General Regulation) and the Croatian Act on the Implementation of the General Data Protection Regulation (Official Gazette No. 42/2018). We value the personal information entrusted to us and we respect that trust by complying with all relevant laws and adopting good practice.

 We process personal data to help us:

  • maintain our accounts and records;
  • promote our services;
  • maintain the security of property and premises;
  • respond effectively to enquirers and handle any complaints.

 

2. The importance of this policy

2.1. We are committed to protecting personal data from being misused, getting into the wrong hands as a result of poor security or being shared carelessly, or being inaccurate, as we are aware that people can be upset or harmed if any of these things happen.

2.2. This policy sets out the measures we are committed to taking as an organization, and what each of us will do to ensure we comply with the relevant legislation.

2.3. In particular, we will make sure that all personal data is:

  • processed lawfully, fairly and in a transparent manner;
  • processed for specified, explicit and legitimate purposes and not in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary for the purposes for which it is being processed;
  • accurate and, where necessary, up to date;
  • not kept longer than necessary for the purposes for which it is being processed;
  • processed in a secure manner, by using appropriate technical and organizational means;
  • processed in keeping with the rights of data subjects regarding their personal data.

 

3. How this policy applies to you & what you need to know

Anyone who breaches the Privacy Policy may be subject to disciplinary action, and where that individual has breached the policy intentionally, recklessly, or for personal benefit they may also be liable to prosecution or to regulatory action.

3.1. We make sure that any procedures that involve personal data, that DubrovnikInn.com is responsible for in tourist rental, follow the rules set out in this Privacy Policy.

3.2. If you are a data subject of DubrovnikInn.com, we will handle your personal information in line with this policy.

3.3. As an appointed data processor/contractor: Companies who are appointed by us as a data processor are required to comply with this policy. Any breach of the policy will be taken seriously and could lead to us taking action against the company, or terminating our cooperation. Data processors have direct obligations under the GDPR, primarily to only process data on instructions from the controller (us) and to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk involved.

3.4. We are well informed about our legal obligations under data protection law, monitoring compliance with data protection law, dealing with data security breaches and with the development of this policy. Any questions about this policy or any concerns that the policy has not been followed should be referred to us at info@dubrovnikinn.com.

 

4. Training and guidance

4.1. We will provide general training at least annually for all staff to raise awareness of their obligations and our responsibilities, as well as to outline the law.

4.2. We may also issue procedures, guidance or instructions from time to time.

 

Section B – Our Privacy Policy protection responsibilities

5. Personal information we process

5.1. In the course of our work, we may collect and process information (personal data) about many different people (data subjects). This includes data we receive straight from the person it is about, for example, where they complete forms or contact us.

5.2. We process personal data in both electronic and paper form and all this data is protected under data protection law. The personal data we process can include information such as names and contact details.

5.3. Other data, such as purchase details, may also be considered ‘sensitive’, meaning we will be informed when you make a purchase, but such data will not be subject to the same legal protection as the types of data listed above.

 

6. Making sure processing is fair and lawful

6.1. Processing of personal data will only be fair and lawful when the purpose for the processing meets a legal basis, as listed below, and when the processing is transparent. This means we will provide people with an explanation of how and why we process their personal data at the point we collect data from them, as well as when we collect data about them from other sources.

6.2. Processing of personal data is only lawful if at least one of these legal conditions, as listed in Article 6 of the GDPR, is met:

  • the processing is necessary for a contract with the data subject;
  • the processing is necessary for us to comply with a legal obligation;
  • the processing is necessary for legitimate interests pursued by nekretninehrvatska.hr proprietary of Minceta Galleria Ltd. unless these are overridden by the interests, rights and freedoms of the data subject;
  • if none of the other legal conditions apply, the processing will only be lawful if the data subject has given their clear consent.

 

7. Consent to process data

7.1. Where none of the other legal conditions apply to the processing and we are required to get consent from the data subject, we will clearly set out what we are asking consent for, including why we are collecting the data and how we plan to use it. Consent will be specific to each process we are requesting consent for and we will only ask for consent when the data subject has a real choice whether or not to provide us with their data.

7.2. Consent can be withdrawn at any time and if withdrawn, the processing will stop. Data subjects will be informed of their right to withdraw consent and it will be as easy to withdraw consent as it is to give consent.

 

8. Data will be adequate, relevant and not excessive

8.1. We will only collect and use personal data that is needed for the specific purposes described above (which will normally be explained to the data subjects in privacy notices). We will not collect more than needed to achieve those purposes.

 

9. Accurate data

9.1. We will make sure that personal data held is accurate and, where appropriate, kept up to date. The accuracy of personal data will be checked at the point of collection and at appropriate points later on.

 

10. Keeping data and destroying it

10.1. We will not keep personal data longer than is necessary for the purposes that it was collected for. We will comply with official guidance issued to our sector about retention periods for specific records.

 

11. Security of personal data

11.1. We will use appropriate measures to keep personal data secure at all points of the processing. Keeping data secure includes protecting it from unauthorized or unlawful processing, or from accidental loss, destruction or damage.

11.2. We will implement security measures that provide a level of security which is appropriate to the risks involved in the processing.

Measures will include technical and organizational security measures. In assessing what measures are the most appropriate we will take into account the following, and anything else that is relevant:

  • the quality of the security measure;
  • the costs of implementation;
  • the nature, scope, context and purpose of processing;
  • the risk (of varying likelihood and severity) to the rights and freedoms of data subjects;
  • the risk which could result from a data breach.

11.3. Measures may include:

  • technical systems security;
  • measures to restrict or minimize access to data;
  • measures to ensure our systems and data remain available, or can be easily restored in the case of an incident;
  • physical security of information and of our premises;
  • organizational measures, including policies, procedures, training and audits;
  • regular testing and evaluating of the effectiveness of security measures.

 

Section C – Working with people we process data about (data subjects)

12. Data subjects’ rights

12.1. We will process personal data in line with data subjects’ rights, including their right to:

  • request access to any of their personal data held by us (Subject Access Request);
  • ask to have inaccurate personal data changed;
  • restrict processing, in certain circumstances;
  • object to processing, in certain circumstances, including preventing the use of their data for direct marketing;
  • data portability, which means to receive their data, or some of their data, in a format that can be easily used by another person (including the data subject themselves) or organization;
  • not be subject to automated decisions, in certain circumstances; and
  • withdraw consent when we are relying on consent to process their data.

12.2. If a colleague receives any request from a data subject that relates or could relate to their data protection rights, this will be forwarded to our Data Protection Officer immediately.

12.3. We will act on all valid requests as soon as possible, and at the latest within one calendar month, unless we have reason to, and can lawfully, extend the timescale. This can be extended by up to two months in some circumstances.

12.4. All data subjects’ rights are provided free of charge.

12.5. Any information provided to data subjects will be concise and transparent, using clear and plain language.

 

13. Direct marketing

13.1. We will comply with the rules set out in the GDPR, the Privacy and Electronic Communications Regulations (PECR) and any laws that may amend or replace the regulations around direct marketing. This includes, but is not limited to, when we make contact with data subjects by post, email, text message, social media messaging, telephone (both live and recorded calls) and fax. Direct marketing means the communication (by any means) of any advertising or marketing material that is directed, or addressed, to individuals. “Marketing” does not need to be selling anything, or be advertising a commercial product. It includes contact made by organizations to individuals for the purposes of promoting the organization’s aims.

13.2. Any direct marketing material that we send will identify nekretninehrvatska.hr proprietary of Minceta Galleria Ltd. as the sender and will describe how people can object to receiving similar communications in the future. If a data subject exercises their right to object to direct marketing, we will stop the direct marketing as soon as possible.
