Privacy Policy

Privacy Policy

Croatian Sports Museum Privacy Notice

[Last updated: 10.6.2025]

Introduction

Croatian Sports Museum, with its registered office in Zagreb, Praška ulica 2/II, PIN: 61689362030 (hereinafter: HŠPOM), is committed to the protection of your personal data. This Privacy Notice provides information on how we collect, use, share, and protect your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation or GDPR), as well as the Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/18).

In addition to this Privacy Notice, HŠPOM has adopted a Cookie Policy (HTTP Cookies), prepared in accordance with this Privacy Notice.

Definitions

Personal data – any information relating to an identified or identifiable natural person (the “data subject”);

Data subject (“User”) – an identified or identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier;

Processing of personal data – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means;

Controller – for the purposes of this Privacy Notice, the Controller is the Croatian Sports Museum as a legal entity that determines, alone or jointly with others, the purposes and means of the processing of personal data and is responsible for such processing;

Processor – a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;

Consent – any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them;

Supervisory authority – an independent public authority established by the Republic of Croatia to monitor the application of the General Data Protection Regulation, namely the Croatian Personal Data Protection Agency (AZOP).

Controller’s contact details:

Name: Croatian Sports Museum

Address: Praška ulica 2/II, Zagreb

E-mail: dokumentacija@sportski-muzej.hr

 

Processing of your personal data

By entering your personal data in the designated fields on the website and/or in the application, you confirm that you have voluntarily made your personal data available and that you consent to their use by HŠPOM for the purpose for which the data were provided, which we will specifically inform you about. When entering personal data in the designated fields on the website and/or in the application, we will refer you to this Privacy Notice so that you may familiarise yourself with your rights regarding the protection of your personal data.

In accordance with the above, we hereby inform you that HŠPOM is the controller of personal data and that the data in question are used exclusively for the purpose for which they were voluntarily provided to HŠPOM.

HŠPOM does not sell, rent, or lend users’ personal data from the website and/or application to third parties and protects your personal data from unauthorised access. If you have consented to the use of cookies, HŠPOM may forward your personal data to trusted business partners for specific purposes such as various statistical analyses, advertising, the provision of user support, or similar needs. In such cases, HŠPOM will prohibit its business partner from using your personal data for any purpose other than the one agreed upon and will oblige the partner to maintain the confidentiality of personal data.

 

What personal data do we collect?

We may collect the following categories of personal data:

• Contact data: name and surname, email address
• Purchase data: date and time of purchase, number of tickets purchased, type of ticket
• Payment data: payment card details (card number, expiry date, CVV)
• Subscription data: information about your subscription to the HŠPOM newsletter or other services, if applicable
• Communication data: content of your communication with HŠPOM (email, phone calls), if applicable
• Device data: type of device (mobile phone, tablet), operating system, IP address

Your payment data are stored on secure servers and used solely for payment processing purposes. When entering your payment information, we use SSL encryption to protect your data.

For the purpose of protecting personal data, HŠPOM applies pseudonymisation in all cases where possible, particularly when disclosing information publicly in accordance with the Act on the Right of Access to Information.

Why do we collect your personal data?

We collect your personal data in order to:

• Process your enquiries: respond to your queries, requests and complaints
• Enable access to our services: sell tickets for museum visits, guided tours, educational workshops, etc.
• Inform you about our activities: send you notifications about our activities, event invitations, etc.
• Improve our services: analyse your habits to personalise our offering and enhance your experience
• Fulfil legal obligations: process and retain documents (invoices and similar) in accordance with applicable legislation
• Ensure security: protect our systems and prevent fraud.

 

How do we safeguard your personal data?

Personal data is stored in electronic form and kept on a server, protected by user credentials (username and password) known only to employees authorised to process data, in accordance with the decision of the controller.

HŠPOM has implemented appropriate organisational and technical measures to ensure data security and to prevent loss, misuse, unauthorised access, alteration, destruction or disclosure of personal data. HŠPOM also takes all reasonable steps to ensure that its partners and service providers apply the same level of protection. However, given the nature of computer systems and the circumstances surrounding data transmission, HŠPOM cannot guarantee complete security due to the inherent risks of internet data transfer. There is a possibility that third parties may unlawfully intercept such data transmissions.

If the user believes that their personal data entrusted to HŠPOM has been compromised—including in cases of third-party access to their user account—they are obligated to contact HŠPOM without delay.

 

Personal data retention period

HŠPOM will retain personal data in its systems for as long as necessary to provide services via the website and/or application in accordance with contractual obligations, generally no longer than one year, except for data that must be retained for a longer period pursuant to specific legal provisions. Upon expiry of the retention period, personal data will be permanently deleted or anonymised for analytical purposes.

Who do we share your personal data with?

We do not share your personal data with third parties, except in the following cases:

• Service providers: We may share your data with our trusted partners who provide services to us (e.g. IT support, accounting, payment processing). In such cases, the transfer of personal data is strictly limited to the data necessary for service delivery. Service providers are required to follow HŠPOM’s instructions and are not authorised to use the personal data obtained from HŠPOM for their own purposes.
• Legal obligation: We may be required to disclose your data if mandated by law or a decision of a competent authority.

Your rights

You have the right to submit a request or raise an objection concerning your personal data by contacting HŠPOM’s Data Protection Officer at the email address: dokumentacija@sportski-muzej.hr or directly at HŠPOM’s registered address. HŠPOM will respond to all requests within the statutory time limit.

You may also lodge a complaint with the competent supervisory authority for personal data protection— the Croatian Personal Data Protection Agency (AZOP).

You have the right to:

1. a) Request access to your personal data. This right allows users to obtain a copy of their personal data collected by HŠPOM in order to verify the lawfulness of the processing. A request for access to personal data may be submitted to HŠPOM’s Data Protection Officer.

HŠPOM does not charge a fee for granting access to personal data or for exercising any of the rights provided under this section. However, HŠPOM reserves the right to charge a reasonable fee if a request is manifestly unfounded, repetitive, or otherwise excessive. In such cases, HŠPOM also reserves the right to refuse to act on the request.

HŠPOM will comply with requests for access to personal data within a reasonable period.

1. b) Request the rectification of personal data. If the personal data collected by HŠPOM contains incorrect or inaccurate information, such data may be corrected. HŠPOM may request confirmation or verification of the updated data.
2. c) Request the erasure of personal data. Every user has the right to request the erasure or removal of their personal data if there is no longer a valid reason for their continued processing or use. Users also have the right to request erasure or removal of their personal data when exercising their right to object to processing as outlined in this section, or in cases where HŠPOM processes personal data contrary to applicable regulations, or where erasure is required by law. If there is a valid and lawful reason to refuse the request for erasure, HŠPOM will inform the user of that fact.

Requests for the erasure of personal data may be submitted to HŠPOM’s Data Protection Officer. HŠPOM will respond to all such requests within a reasonable period.

In certain cases, HŠPOM may be required by law and/or based on its legitimate interests to retain personal data.

1. d) Object to the processing of personal data. Where HŠPOM relies on its legitimate interest—or the legitimate interest of a third party—as the legal basis for processing, users may object to such processing if they believe that, in their particular situation, it infringes their rights and freedoms. Users also have the right to object to the processing of personal data for direct marketing purposes. In such cases, HŠPOM will act on the request without delay and cease processing the personal data for that purpose.

– The data subject has the right to object, at any time and on grounds relating to their particular situation, to the processing of personal data concerning them. In such cases, the organisation must cease processing the data unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defence of legal claims.

1. e) Request the restriction of personal data processing. Users may request restriction of personal data processing in the following cases:

• If the user contests the accuracy of the data
• If the processing is contrary to regulations but the user does not wish for the data to be erased or removed
• If the user requires the data to be retained even after the processing purpose has ceased, for the establishment, exercise, or defence of legal claims
• If an objection to the processing has been submitted and HŠPOM is in the process of determining whether there are overriding legitimate grounds for processing.

1. f) Request the transfer of personal data to a third party. Upon such request, HŠPOM will provide the user—or a third party designated by the user—with the personal data in a structured, commonly used, and machine-readable format. This right may only be exercised for data collected by automated means based on the user’s consent or for the purpose of fulfilling contractual obligations.
2. g) Withdraw consent at any time, in cases where HŠPOM collects and processes personal data based on the user’s consent. Withdrawal of consent shall not affect the lawfulness of data processing carried out prior to the withdrawal. If the withdrawal of consent prevents HŠPOM from providing certain services or content, HŠPOM will inform the user of this at the time of withdrawal.

How to exercise your rights

If you have any questions regarding the use or protection of your personal data, if you wish to exercise any of the rights set out in this Notice, or if you wish to file a complaint regarding the processing of your personal data, you may contact us by email at: dokumentacija@sportski-muzej.hr or by post at: Hrvatski športski muzej, Praška ulica 2/II, Zagreb.

If you believe that your personal data has been infringed by HŠPOM, you also have the right to lodge a complaint with the competent supervisory authority for data protection. Contact details of the supervisory authority are the following: Croatian Personal Data Protection Agency (AZOP), Selska cesta 136, 10 000 Zagreb, e-mail: azop@azop.hr, telephone No.: +385 1 4609 000, fax: +385 1 4609 000, website: www.azop.hr.

Other

This Privacy Policy will be updated from time to time. The most recent version will be published on our website and/or in our application.

 

Cookie Policy

In light of the importance of personal data and our transparency obligations, we provide below information about cookies, how we use them on our website and/or in our application, and what options are available to you if you choose to disable them despite the benefits they offer.

What are cookies?

Cookies are small text files that are typically downloaded to your computer, tablet, or mobile device (hereinafter: device) from websites and/or applications you visit. Cookies make browsing easier by storing your preferences for a website and/or application (for example, language selection) and reapplying them the next time you visit. In this way, the information on the website and/or application is tailored to your needs and typical usage.

What types of cookies do we use?

HŠPOM uses the following categories of cookies: