Cookie policy
Cookies
1. What are cookies and what are the types of cookies?
Cookies are small files that an internet browser stores on a computer, mobile device, or any other device that a user uses to visit a website. These files are created at the request of the website and are used for various purposes. For example, cookies can collect information about the language a visitor has selected for displaying pages on multilingual sites, track the sequence of pages visited so users can return to previous pages in the same order, or maintain a list of items that a user has added to their shopping cart in an online store. They can also store more personal information, such as the user’s IP address, username and password, email address, geolocation, the type of device being used (computer or mobile), and the specific pages visited on a website.
Cookies can be categorised based on their duration, the source of the cookie, and their function. Cookies can be classified based on their duration into the following types:
✓ Persistent Cookies – These cookies remain on the computer or device after the browser is closed. They are utilized by websites to store data such as login credentials, language preferences, and cookie settings. This allows users to avoid re-entering this information on subsequent visits. Persistent cookies can remain on the device for days, months, or even years.
✓ Session Cookies – These are temporary cookies that are deleted from your computer or device once you close your web browser. Websites utilise these cookies to store short-term information, such as the last few pages you visited on the site or the items in your shopping cart when shopping online.
Based on their source, cookies can be classified into two types:
✓ First-party cookies – These are cookies that are stored by the original website that the user visits, such as an online store where they make purchases.
✓ Third-party cookies – These cookies are stored by other websites or services embedded in the primary site the user visits. They are typically used by other websites to track the user’s habits on the primary site or by services to enhance functionality. For example, if a website uses a web chat service to interact with users, that service may store the user’s identification number to ensure messages are directed to the correct person.
There are several types of cookies based on their function, with the most common being:
✓ Technical/Necessary Cookies: These cookies are essential for the basic functionality of a website. They enable the site to perform fundamental tasks, such as maintaining a session identifier during a user’s current visit or storing the contents of shopping carts filled when purchasing products online.
✓ Functional Cookies: These cookies enhance website functionality and personalisation. For example, they remember the preferred language for displaying the content on the website.
✓ Statistical Cookies: These cookies gather information about how users navigate the website and the specific pages they visit. The data is typically collected in aggregate form, meaning individual users are not identified.
✓ Marketing Cookies: These cookies track user behaviour and habits on the website to deliver personalised advertisements.
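To make the duration and source categories above concrete, the following is an added example (not part of this policy) that classifies raw Set-Cookie headers the way an audit of a site's cookies would. The header strings, host names and the plain host-suffix rule used to decide first-party versus third-party are constructed assumptions, not a full public-suffix check.

```python
from dataclasses import dataclass

@dataclass
class CookieReport:
    name: str
    duration: str   # "session", "persistent" or "deleted"
    source: str     # "first-party" or "third-party"
    secure: bool
    http_only: bool

def _same_site(cookie_host: str, visited_host: str) -> bool:
    """Plain host-label suffix match (assumption: no public-suffix list).
    A cookie scoped to shop.example counts as first-party on www.shop.example."""
    c, v = cookie_host.lower().lstrip("."), visited_host.lower()
    return v == c or v.endswith("." + c) or c.endswith("." + v)

def classify_set_cookie(header: str, response_host: str, visited_host: str) -> CookieReport:
    """Classify one Set-Cookie header by the duration and source categories."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs, flags = {}, set()
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            flags.add(part.lower())
    # Duration: no Max-Age/Expires means a session cookie. Max-Age takes precedence
    # over Expires (RFC 6265); Max-Age <= 0 removes the cookie; a malformed Max-Age is ignored.
    age = attrs.get("max-age")
    if age is not None and age.lstrip("-").isdigit():
        duration = "persistent" if int(age) > 0 else "deleted"
    elif "expires" in attrs:
        duration = "persistent"
    else:
        duration = "session"
    # Source: the Domain attribute, or the responding host when absent,
    # compared with the site the user actually visited.
    scope_host = attrs.get("domain", response_host)
    source = "first-party" if _same_site(scope_host, visited_host) else "third-party"
    return CookieReport(name, duration, source, "secure" in flags, "httponly" in flags)

# Constructed sample: (Set-Cookie header, responding host, visited site)
SAMPLE_RESPONSES = [
    ("sessionid=abc123; Path=/; Secure; HttpOnly", "shop.example", "shop.example"),
    ("lang=hr; Max-Age=31536000; Path=/; Domain=shop.example", "www.shop.example", "www.shop.example"),
    ("visitor=9f8e; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/", "widget.chatvendor.example", "shop.example"),
    ("old=1; Max-Age=0; Path=/", "shop.example", "shop.example"),
]

def audit(samples=SAMPLE_RESPONSES):
    """Return one report per sampled header, in order."""
    return [classify_set_cookie(h, rh, vh) for h, rh, vh in samples]
```

Running `audit()` flags the chat widget's visitor cookie as a persistent third-party cookie, the kind that needs consent under the rules described later in this document.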
Terminal equipment refers to any electronic device that can connect to the Internet, such as desktop computers, laptops, mobile phones, and tablet computers. These devices can store cookies or use other methods and technologies to store user data. It’s important to note that, in addition to cookies, personal data can be collected on terminal equipment in various ways. Some common methods include local storage objects (also known as flash cookies), ghost cookies, pixel trackers, software development kits (SDKs), fingerprinting technologies, and social content sharing cookies. At the European Union level, both cookies and these other methods of collecting personal data are governed by the provisions of Directive 2002/58/EC and its amendments, including Directive 2009/136/EC, commonly referred to as the Cookie Law. In Croatia, the relevant provisions have been incorporated into the Electronic Communications Act. If you are using websites or applications installed on users’ terminal equipment for providing or advertising services, it’s essential to consult with their manufacturers regarding whether cookies or other technologies for collecting user data are employed. If they are in use, you must ensure that your website and/or applications comply with the aforementioned legal requirements. Although this guide will primarily discuss cookies for simplicity, the recommendations also apply to other methods of collecting and processing personal data on users’ terminal equipment.
2. Legal Provisions Regarding the Collection and Processing of Personal Data Through Cookies
The use of cookies within the European Union is governed by Directive 2002/58/EC of the European Parliament and the Council, dated July 12, 2002. This directive concerns the processing of personal data and the protection of privacy in the electronic communications sector. It was later revised by Directive 2009/136/EC, which amends the Universal Service Directive (Directive 2002/22/EC) and addresses users’ rights related to electronic communications networks and services. Additionally, Regulation (EC) No. 2006/2004 outlines cooperation between national authorities responsible for enforcing consumer protection laws. These directives have been incorporated into Croatian law through the Electronic Communications Act (Official Gazette 73/08, 90/11, 133/12, 80/13, 71/14, 72/17). Specifically, Article 100, paragraph 4 states that the use of electronic communications networks for storing data or accessing data already stored on the terminal equipment of subscribers or service users is permissible only if consent has been provided. This consent must be based on clear and comprehensive information regarding data processing, particularly the purposes for which the data will be used.
In simpler terms, the installation of cookies and the retrieval of information stored on a user’s device can only occur with their consent and after they have received clear information about what data will be collected and why. However, cookies that are strictly necessary for the transmission of communications between a user’s device and the website they are visiting, or those needed to provide services that the user has explicitly requested, are exempt from the consent requirement.
The General Data Protection Regulation (GDPR) outlines the following key points:
1. Definition of personal data.
2. Who is legally allowed to process (collect and use) personal data.
3. The lawful methods for processing personal data.
4. The rights of individuals whose personal data is being processed (known as data subjects).
5. The obligations of those who process personal data for their business purposes (called controllers).
6. The obligations of those who process personal data on behalf of another party (known as processors).
7. The authority responsible for overseeing the implementation of the GDPR.
The General Data Protection Regulation (GDPR) defines personal data as any information related to an identified or identifiable natural person, referred to as a “data subject.” An identifiable natural person is someone who can be recognised, directly or indirectly, especially through identifiers such as a name, identification number, location data, online identifiers, or one or more factors that relate to their physical, physiological, genetic, mental, economic, cultural, or social identity. Thus, any data that can be used to identify an individual, either on its own or when combined with other data, qualifies as personal data.
The General Data Protection Regulation (GDPR) defines a special category of personal data. This includes information that reveals an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also covers genetic data, biometric data used to uniquely identify a person, health-related data, and information about an individual’s sex life or sexual orientation.
Data may only be processed under the following conditions, in addition to having a legal basis as stated in Article 6(1) of the General Data Protection Regulation:
✓ The data subject has given explicit consent for the processing of their personal data for one or more specific purposes.
✓ The processing is necessary for fulfilling obligations and exercising specific rights of the business entity or the data subject in the areas of employment law, social security, and social protection law.
✓ The processing is necessary to protect the vital interests of the data subject or another individual when the data subject is physically or legally unable to provide consent.
✓ The processing occurs within the framework of legitimate activities by a foundation, association, or other non-profit organization with a political, philosophical, religious, or trade union aim, provided that it relates only to members or former members of the organization or individuals who regularly interact with it for its purposes, and that personal data is not disclosed to anyone outside the organization without the consent of the data subject.
✓ The processing relates to personal data that have been manifestly disclosed by the data subject.
✓ The processing is necessary for the establishment, exercise, or defence of legal claims, or when courts are acting in a judicial capacity.
✓ The processing is necessary for a significant public interest that is proportionate to the aims pursued, respects the essence of the right to data protection, and includes appropriate measures to safeguard the fundamental rights and interests of the data subject.
✓ The processing is necessary for preventive medicine or occupational medicine, including the assessment of employees’ working capacity, medical diagnosis, providing health or social care, treatment, or managing health or social care systems and services.
✓ The processing is necessary for public interest in public health, such as protecting against serious cross-border health threats or ensuring the quality and safety of healthcare and medical products, with appropriate measures to safeguard the rights and freedoms of data subjects, including adherence to professional secrecy.
✓ The processing is necessary for archiving purposes in the public interest, scientific or historical research, or statistical purposes that are proportionate to the aims pursued, respect the essence of the right to data protection, and provide suitable measures to safeguard the fundamental rights and interests of the data subject.
The General Data Protection Regulation (GDPR) outlines consent as one of the lawful bases for processing personal data. When the collection or processing of personal data relies on consent, it must comply with all the conditions specified in Article 7 of the GDPR. This includes the requirement that the data controller must demonstrate that the data subject has voluntarily given consent. The individual must be adequately informed prior to giving consent, and the request for consent should be clearly distinguishable from other questions. It must be presented in an intelligible and easily accessible format using plain language. Additionally, the purpose of processing the personal data must be clearly stated. Users must also have the ability to withdraw their consent at any time, and this process should be just as simple as the initial consent was given.
The General Data Protection Regulation (GDPR) outlines several requirements for data controllers who collect personal data directly from individuals (data subjects). They must provide the following information at the time of data collection, following the principles of lawfulness, fairness, and transparency:
1. The identity and contact details of the data controller.
2. The contact information of the data protection officer.
3. The purpose of collecting or processing personal data and the legal basis for doing so.
4. Information on who has the right to access the collected personal data.
5. Whether personal data is transferred to third countries (nations outside the European Union and the European Economic Area) or to international organizations.
6. The retention period for the personal data.
7. The rights of data subjects to request access to their personal data, as well as the right to correct, erase, or restrict processing of their data.
8. The right to withdraw consent if it is the legal basis for processing the data.
9. Whether the collected data will be used for automated decision-making.